As I was doing my deep dive into an IoT camera, a question came up: why does it matter? Sure, any given device might not be secure, but how does that affect employees or our business?
I’m glad you asked!
1. Consumer Routers Are Mostly Garbage
Every home internet connection needs a router and some sort of WiFi network. Otherwise, you’re stuck connecting a single device directly to a cable or DSL modem. Unfortunately, most routers have poor security. The CIA has used home router exploits for at least the past 10 years, and odds are good that non-state actors have been too.
- In general, router security is not a selling point, and the lowest-cost routers are the bulk of the market.
- To keep costs down, routers are usually built on older hardware and WiFi chipsets, and they ship with Linux. Since the WiFi drivers are often proprietary and maintained out of the kernel tree, even brand-new devices frequently ship with an ancient kernel. That means your shiny new router (like the recently released Netgear Nighthawk X10) may ship with a kernel that is half a decade old (according to their GPL code release), missing every security improvement made since then [1].
- Very few routers offer automatic updates, so even if manufacturers provided comprehensive security updates they would be ignored by the majority of users.
Sometimes ISPs give home users a router, or require them to use the ISP-provided one, but those have a poor security track record too. In one instance, a router's DNS settings could be changed by an attacker, which lets them redirect traffic to servers of their choice while everything else about the connection looks normal.
Why does this matter? In the end, every single bit of internet traffic goes through your router. If an attacker wants to sniff unencrypted traffic, or attempt to downgrade an encrypted connection, this is the place to do it. Your router should be the most secure device on your network, and instead it’s likely the least secure.
Our security team recommends to our employees that their overall security starts with their router.
Try to find devices that offer some sort of automatic update, from vendors with a good security record. Consider running an open-source router distribution like pfSense, OPNsense, or OpenWrt that makes it easier to keep up to date. Don't trust your ISP's equipment unless they've shown they are security conscious.
2. Home Networks Have Untrusted Devices
If you have a family at home, odds are you’ve given out your WiFi password. After all, you want kids or guests to be able to access WiFi when they need it. But, have you checked those devices to make sure they’re secure? What are the odds that the laptop your kid’s friend brought over to do homework on has some sort of virus on it? Or, that your babysitter’s old unpatched Galaxy phone is infected with a rootkit? You wouldn’t want these devices plugged in at work, and they shouldn’t be on the same network as your work devices either.
The easiest way to handle untrusted devices is to use the “guest network” functionality in your WiFi access point.
Usually, these networks limit traffic between devices, and only allow them to communicate out to the internet. Many access points allow multiple guest networks, so you could separate “mostly trusted” devices from “patient zero infection vector” devices [2].
3. Security Includes Privacy Too
Imagine that after reading the previous point, you go out and set up a perfectly secure and segmented network. Then a grandparent gives your kids internet-connected teddy bears. Great! You put them on the kids' WiFi network and rest easy, knowing that your work data is secure.
Until you realize that they left the toy in your office, that you had conference calls with enterprise clients about unannounced products, and that the teddy bear was uploading all recorded audio to an unprotected database.
One of the best parts of working from home is being able to create your own space, or multiple spaces, to work in. But in sharing that home, you open yourself up to potential leaks and vulnerabilities. Of course, in the above hypothetical, the odds of an attacker combing through those voice recordings and finding something useful are small. Then again, what if your contracts require client notification in the case of a suspected breach? Even if the real risk is small, the impact on your reputation could be huge.
Treat your client data like your personal photo collection, your home budget, or your medical records.
Think not just about ways you can be directly hacked, but about ways data can be intercepted, and how you can limit those vulnerabilities.
4. IoT Devices Punch Holes By Design
What is it that every IoT device markets as being the most important feature? Usually, it’s some combination of “cloud,” “app,” and “integration.” If it’s a security camera, the marketing will almost always show some picture of a person out travelling, viewing their kids at home. Door locks alerting you when they are unlocked. A thermostat detecting you driving home, and starting to warm up the house.
In other words, these devices need to have a two-way connection to the Internet—they need to send statuses out to the cloud, and receive commands from your phone or the cloud. That means they’ve opened a hole through your router.
It might be a surprise, but while your home router is probably the most important security device on your network, almost every consumer router includes ways for devices and applications to open your network to the Internet without any authorization or controls. UPnP (the Internet Gateway Device profile) and NAT-PMP are the most common protocols for this; neither one authenticates the device asking for a port to be opened. STUN is also used: it doesn't ask the router for anything, but lets a device learn the public address and port of a NAT mapping it created with outbound traffic, so a peer on the Internet can reach it through that mapping. That is why STUN-style hole punching works even if UPnP and NAT-PMP are disabled on the router.
No matter how they do it, IoT devices for the home place accessibility over security almost universally. That is a fundamental conflict with many agency (and customer!) priorities, making every single IoT device employees own a potential threat to your operations.
Prefer “smart” devices that work without an internet connection, or use a separate network entirely such as Zigbee.
As well, disable UPnP and NAT-PMP on your routers, and use a stateful firewall instead of relying on NAT to protect your home network.
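To see what has actually been punched through your router, here is an added example (not code from the original post) that asks the router's UPnP IGD service for its port-mapping table. It uses the same unauthenticated SSDP discovery and SOAP control exchange an IoT device uses to add a mapping, with the standard library only. The service and action names are the standard UPnP IGD ones; the sample responses embedded at the bottom are constructed so the parsers can be exercised without a router.

```python
"""Audit the port mappings devices have opened through the router's UPnP
Internet Gateway Device (IGD) service. Added example for this article, not code
from the original post; standard library only. Service and action names are the
standard UPnP IGD ones; the SAMPLE_* responses at the bottom are constructed."""
import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
_local = lambda el: el.tag.rsplit("}", 1)[-1]  # strip an XML namespace prefix

def build_msearch(target=IGD_SERVICE, mx=2):
    """SSDP discovery request; nothing in this exchange is authenticated."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {target}\r\n\r\n').encode()

def parse_ssdp_headers(data):
    """Headers of an SSDP response as a lower-cased dict (LOCATION is what we need)."""
    pairs = (l.split(":", 1) for l in data.decode(errors="replace").split("\r\n")[1:] if ":" in l)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def find_control_url(description_xml, base_url, service=IGD_SERVICE):
    """Control URL of the WANIPConnection service, taken from the root description."""
    for svc in ET.fromstring(description_xml).iter():
        fields = {_local(c): (c.text or "").strip() for c in svc}
        if _local(svc) == "service" and fields.get("serviceType") == service:
            return urllib.parse.urljoin(base_url, fields.get("controlURL", ""))
    return None

def build_get_mapping_request(index):
    """SOAP body for GetGenericPortMappingEntry; `index` walks the mapping table."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{IGD_SERVICE}">'
            f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
            "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>").encode()

def parse_mapping_response(xml_bytes):
    """One mapping as a dict, or None on a SOAP fault (error 713 marks the end of the table)."""
    root = ET.fromstring(xml_bytes)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    field = lambda name: (root.findtext(f".//{name}") or "").strip()
    return {"external_port": int(field("NewExternalPort")), "protocol": field("NewProtocol"),
            "internal_client": field("NewInternalClient"), "internal_port": int(field("NewInternalPort")),
            "description": field("NewPortMappingDescription")}

def soap_call(control_url, index, timeout=3):
    req = urllib.request.Request(control_url, data=build_get_mapping_request(index), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{IGD_SERVICE}#GetGenericPortMappingEntry"'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:  # IGDs deliver SOAP faults with HTTP 500
        return err.read()

def discover_igds(timeout=2):
    """Multicast an M-SEARCH and collect the LOCATION of every IGD that answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found = set()
    try:
        while True:
            found.add(parse_ssdp_headers(sock.recvfrom(4096)[0]).get("location"))
    except socket.timeout:
        pass
    return sorted(found - {None})

def audit():
    for loc in discover_igds():
        ctl = find_control_url(urllib.request.urlopen(loc, timeout=3).read(), loc)
        if ctl is None:
            continue
        print(f"IGD at {loc}")
        index = 0
        while (m := parse_mapping_response(soap_call(ctl, index))) is not None:
            print(f"  {m['protocol']} {m['external_port']} -> {m['internal_client']}:{m['internal_port']}  {m['description']!r}")
            index += 1

# Constructed sample responses (not captured from any real device).
SAMPLE_DESCRIPTION = (b'<root xmlns="urn:schemas-upnp-org:device-1-0"><device><serviceList><service>'
    b"<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>"
    b"<controlURL>/ctl/IPConn</controlURL></service></serviceList></device></root>")
SAMPLE_MAPPING = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b"<NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>80"
    b"</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>"
    b"<NewPortMappingDescription>IP Camera</NewPortMappingDescription>"
    b"</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")
SAMPLE_FAULT = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    b"<faultcode>s:Client</faultcode><detail><UPnPError><errorCode>713</errorCode></UPnPError>"
    b"</detail></s:Fault></s:Body></s:Envelope>")

if __name__ == "__main__":
    audit()
```

Run it from a machine on the LAN: every line it prints is a hole a device opened without asking you, and a device adds one by sending AddPortMapping to the same control URL with no credentials at all. Run it again after disabling UPnP on the router and it should find no IGD to talk to.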
5. Hacked Devices Put Private Networks At Risk
I’m sure many are thinking, “it’s OK, we require the use of a VPN for all of our work.” That’s fine, and certainly a good practice. It stops direct attacks on your private services from the broader Internet, and ensures employees’ connections can’t be sniffed by malicious devices at home.
Or… does it?
Ask yourself: how many VPNs do you have for client work that use self-signed SSL certificates? How many intranet sites require you to click through and ignore HTTPS warnings in your browser? How many of your critical domains use DNSSEC? How many client devices are validating DNSSEC signatures?
What prevents a hacked “smart” electrical plug from hacking a router in turn, and then redirecting traffic from there? How likely are you to notice that the self-signed VPN certificate has changed?
VPNs are great, but they’re only a start. The connection process itself is still vulnerable to attack by other devices on the network. Ignore best practices in even one layer of the system, and the whole thing becomes vulnerable. All because that WiFi thermostat was on sale for $29.99.
Don’t rely on VPNs as the sole method to protect your company.
Make sure all employees are aware of the risks that come with using work resources and VPNs at home, and that they understand the trust that comes with VPN access.
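One concrete answer to “how likely are you to notice that the self-signed VPN certificate has changed?” is to pin it. The following is an added example, not code from the original post or from any VPN client: it records the SHA-256 fingerprint of the server's leaf certificate on first use (the same value `openssl x509 -noout -fingerprint -sha256` prints) and refuses later connections whose certificate differs, which is exactly the check a click-through on a browser warning skips. The pin-store path and the host name are assumptions.

```python
"""Trust-on-first-use (TOFU) pinning for a self-signed VPN or intranet certificate.
Added example for this article, not code from the original post or any VPN product.
The pin store path and the default host are assumptions."""
import hashlib
import hmac
import json
import socket
import ssl
import sys
from pathlib import Path

PIN_STORE = Path.home() / ".config" / "cert-pins.json"  # assumed location

def fingerprint(der_cert):
    """SHA-256 over the DER certificate, hex; matches `openssl x509 -noout -fingerprint -sha256`."""
    return hashlib.sha256(der_cert).hexdigest()

def check_pin(host, der_cert, pins):
    """'pinned' on first sight (and records it), 'ok' on a match, 'MISMATCH' otherwise.
    A mismatch is deliberately not recorded: a person has to decide whether it was a
    planned rotation or an interception before the stored pin is replaced."""
    fp = fingerprint(der_cert)
    known = pins.get(host)
    if known is None:
        pins[host] = fp
        return "pinned"
    return "ok" if hmac.compare_digest(known, fp) else "MISMATCH"

def fetch_leaf_cert(host, port=443, timeout=5):
    """Fetch the server's leaf certificate without chain validation; the pin is the check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # self-signed: no chain to validate,
    ctx.verify_mode = ssl.CERT_NONE     # so compare the fingerprint instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def load_pins(path=PIN_STORE):
    return json.loads(path.read_text()) if path.exists() else {}

def save_pins(pins, path=PIN_STORE):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))

def verify_host(host, port=443, path=PIN_STORE):
    """Connect, compare against the stored pin, and persist only a first-sight pin."""
    pins = load_pins(path)
    result = check_pin(host, fetch_leaf_cert(host, port), pins)
    if result == "pinned":
        save_pins(pins, path)
    return result

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.net"  # assumed host
    outcome = verify_host(host)
    print(f"{host}: {outcome}")
    sys.exit(0 if outcome in ("pinned", "ok") else 1)
```

Confirm the first-seen fingerprint out of band (whoever runs the VPN can read it off the server) before trusting it. A later MISMATCH is either a rotation nobody announced or the router-level redirection described above, and the script exits non-zero rather than guessing which. This is the check for the web portals and intranet sites that currently get a warning click-through; the VPN tunnel itself should be doing equivalent verification of the server's key in its own configuration.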
6. Agencies Are Great Targets
How many different clients do you work with today? How many have you worked with in the last year? How many access credentials do you have “on ice,” that are active, but not in daily use?
Imagine a hacker is trying to gain access to an enterprise’s network or data. What’s easier: hacking their well monitored and well-staffed corporate networks, or hacking a remote employee or agency protected by a mere consumer-grade router? And, if the target is not a specific company, but simply a company in a given vertical, agencies are perfect victims. At least, if the agency doesn’t consider security in a holistic and comprehensive manner.
Don’t fall into the “we’re too small to hack” trap.
Just as smart devices might be used as a vector to hack your laptop, your small agency might be used as a vector to hack a client.
7. Enterprises are Great Targets, Too
OK, so agencies are great targets for hacks, and we should all just give up.
Well, enterprises don’t always have great security either. I’ve worked with companies with hundreds of thousands of employees, who don’t have SSL on a single intranet site. I’ve also seen companies with APIs that have zero authentication, allowing unauthenticated POST requests to modify business critical data. Or, AWS root keys left in cleartext on company wikis or source code.
As agencies, we’re often hired to set the standard for our clients’ teams. That means that when we see an SSL certificate fail, we click cancel and call support instead of forcing it through. We use best practices for APIs like request signing instead of plaintext passwords. We change passwords we see posted in Slack, and remind the team to use something like LastPass or GnuPG instead.
But, to do this effectively, we need to have our own security house in order. We need to not just communicate the best practices, but live them ourselves, so we can know we aren’t leading clients towards an unusable and burdensome set of restrictions.
Bake good security practices into how you work with clients.
Follow the same security practices with your own teams, so when you make suggestions to clients you come from a place of experience.
8. The Internet Is A Community
In the Drupal world, we’re always telling our clients how being a part of the community is the best way to build sites efficiently. A hacked web server doesn’t just affect our clients and their users; it affects other, innocent users online. A server taking part in a DDoS might not be noticeable at all to its admins, but the other end of the attack is having a very bad day.
For digital agencies, our livelihoods depend on a functional and reliable internet. If we ignore security in the name of hitting our next deadline, we hurt the commons we all need to thrive.
Think about the downstream effects of a security breach.
Remember that a large share of hacks these days aren’t about data exfiltration at all, but about computing resources for DDoS attacks or spam. Be aware of the common resources your company has (hosting, email, domains, websites) that may be valuable to attackers in their own right, simply because they can be used in other attacks.
Technical Notes
[1] I compared their source to the upstream LTS 3.10.105 release, which showed that CVE-2016-3070 was patched in August in commit af110cc4b24250faafd4f3b9879cf51e350d7799. It doesn’t appear that fix is shipped with the Netgear router. It’s possible the fix isn’t required for this hardware, but do we really trust that they’ve done their due diligence for every single patch? It’s much better practice to apply all security patches than to deploy them selectively. Even if they’ve backported security patches, the Linux kernel itself has added significant security features since then, such as live patching, read-only protection for kernel data after initialization, and hardening merged from the grsecurity project.
[2] Another solution is to implement multiple virtual networks (VLANs) with firewall rules to control traffic between them. Combined with a managed switch and access points that support tagging, you can “tag” traffic into different networks. For example, say you have a Chromecast you want to use from both your work laptop and from guests’ phones. VLANs would let you create three networks (devices, work, and guest) and add rules that allow “work” and “guest” to send traffic to “devices”, but not the other way around. Likewise, “work” could open a connection to a “guest” device, but “guest” couldn’t initiate a connection to a “work” device. Because the firewall is stateful, replies to a connection that “work” opened are still allowed back in; only new connections are blocked. This takes some learning to set up, but it is great for flexibility if you have more than the simple “guest” scenario.
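The three-zone policy above, written down as a small model and rendered as an nftables ruleset for a Linux router, as an added example that is not configuration from the original post or from any router distribution. The VLAN interface names (tagged sub-interfaces on `eth1`) and the WAN interface are assumptions; the policy is the one the note describes, and the `ct state` rules are what let the replies of an allowed connection back through.

```python
"""The three-zone VLAN policy from note [2]: a verdict model plus the equivalent nftables
ruleset. Added example for this article, not configuration from the original post or any
router distribution. Interface names are assumptions (802.1Q sub-interfaces on a Linux router)."""

ZONES = {"work": "eth1.10", "guest": "eth1.20", "devices": "eth1.30"}  # assumed VLAN interfaces
WAN = "eth0"                                                           # assumed uplink

# Which zone may *initiate* connections to which. Anything not listed is dropped.
ALLOW_NEW = {("work", "devices"), ("guest", "devices"), ("work", "guest")}

def decide(src, dst, ct_state="new"):
    """Verdict of the forward chain for one packet travelling from zone `src` to zone `dst`.
    `ct_state` is what connection tracking says about the packet: "new" opens a flow,
    "established"/"related" belong to a flow that an earlier packet already got accepted."""
    if ct_state == "invalid":
        return "drop"
    if ct_state in ("established", "related"):
        return "accept"  # reply direction of a flow the rules below admitted
    if dst == "internet":
        return "accept"  # every zone may reach the outside
    return "accept" if (src, dst) in ALLOW_NEW else "drop"

def flow_allowed(src, dst):
    """Whether a full TCP exchange from src to dst works: the SYN must be admitted as "new"
    and the SYN-ACK, which travels dst -> src, must pass as "established"."""
    return decide(src, dst, "new") == "accept" and decide(dst, src, "established") == "accept"

def render_nftables(zones=ZONES, allow_new=ALLOW_NEW, wan=WAN):
    """Emit an `nft -f` ruleset; with chain policy drop, the ALLOW_NEW matrix is the whole story."""
    lines = ["table inet filter {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state invalid drop",
             "    ct state established,related accept"]
    for zone, ifname in zones.items():
        lines.append(f'    iifname "{ifname}" oifname "{wan}" accept  # {zone} -> internet')
    for src, dst in sorted(allow_new):
        lines.append(f'    iifname "{zones[src]}" oifname "{zones[dst]}" ct state new accept'
                     f"  # {src} -> {dst}")
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_nftables())
```

Two practical notes. First, remove the `ct state established,related accept` line and the model still admits the SYN from “work” but drops the reply, which is the “stateful firewall instead of NAT” point from section 4 in one line. Second, the Chromecast case needs one more piece that no forwarding rule provides: discovery uses mDNS multicast, which does not cross VLANs, so you need an mDNS reflector (avahi-daemon can be configured as one) or the phones will not find the device even though they are allowed to talk to it.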
Header image is Broken Rusty Lock: Security (grunge) by Nick Carter.