IoT DANGERS: BYOD’s trashier cousin becoming a right tearaway

Bring Your Own Device is problematic enough, but now staff are increasingly bringing inherently insecure, internet-connected smart devices into work, making a mockery of established security policies in the process. Staff and bosses bringing their own smartphones and laptops into enterprises can be managed using mobile device …

  1. Chris Evans

    Suggestion

    O.k., having IOT equipment on your home network is a big security risk. Why not operate two separate networks in a house, with an IOT network and another for your computers etc. where the more sensitive data is?

    The IOT network not being able to access the 'Computer' network but the 'Computer' network being able to access the IOT network for control/monitoring etc.

    Setting up and operating two networks would have to be made child's play to get it widely adopted.

    1. NotWorkAdmin

      Re: Suggestion

      Aye carumba. You're saying if my mum buys an IoT kettle I'm going to have to pop in and set up a separate network? Because one thing's for sure, she ain't going to do it.

      Actually, having said that I have already taken the precaution of setting up an allowed MAC address list on her router.

      As for at work, this is already an uncontrollable nightmare with smartphones & tablets wandering into the building and gobbling up IP addresses like Smarties. Hopefully no-one buys a new kettle.

      1. Peter Gathercole Silver badge

        Re: Suggestion

        OK, it should not be that simple for an IoT device to join a network. Presumably, you've got WPA2-PSK set up as a minimum for your Mum's network.

        So, a new device entering the house cannot even join the network.

        So, nothing to do.

        Of course, if you've got WPS enabled, then every time you press that button on the router, all your IoT devices that have been denied access to the network so far have an opportunity to jump on to it, but you don't use WPS and have support turned off, haven't you?

        Wait. What! You haven't........... And you're allowing UPnP as well!!!!!

        Excuse me, I've somewhere else to be.

        Goodbye.

        1. NotWorkAdmin

          Re: Suggestion

          Come on now Peter, you realize quite a lot of what you've said is insulting right? Had I said I was an idiot it would be fair enough - I don't believe I did though.

          1. Peter Gathercole Silver badge

            Re: Suggestion @NotWorkAdmin

            Maybe there should be a tongue-in-cheek icon as well as a joke icon.

            I meant this in a very light-hearted way, and it was actually addressed at other people than you. You had already demonstrated with your comments about another network that you were far from the average person who just plugs in a router and leaves it with its default settings.

            If I had actually addressed it at you, I would have done it in the same way as I have here, by actually referencing your handle.

            I meant no offence.

        2. wabbit347

          Re: Suggestion

          Funnily enough, I was at Infosec yesterday and watched a demo involving an internet-enabled kettle. The demonstrators set up a rogue wireless network with the same SSID as the one the kettle's connected to, but at a much higher gain. They sent a spoof packet to force the kettle to disassociate itself from the good network; it then reconnected to the rogue network with the higher broadcast power (which is unencrypted). Telnet to kettle, issue some Hayes modem style AT commands and voila! WPA2 key available, stored on kettle in plain text...

    2. Mage Silver badge
      Devil

      Re: Suggestion

      IPv6 will be fun.

      Do I trust any security mechanism for IPv6?

      It's pretty easy to stop IPv4 devices phoning home.

      Smart TV?

      Epoxy in the ethernet socket. Let them use it with tuner and HDMI.

      1. Alan Brown Silver badge

        Re: Suggestion

        IPv4 and IPv6 firewalling work the same way. My router is dual-stack and has both running happily (in both directions).

        Whitelisting MACs works up to a point, but it's trivial to spoof the things.

    3. swschrad

      much better idea... NO connectivity

      The Internet of Trojans stops at our door. We did install a security system, but we filter its call-home abilities. The "smart TV" that only gets smart if you link to Yahoo Video: not connected. Samsung posts no upgrades for the thing.

    4. Stuart Castle Silver badge

      Re: Suggestion

      "Why not operate two separate networks in a house with an IOT network and another for your computers etc where the more sensitive data is."

      Some routers (e.g. the newer Linksys ones) already offer something that could be used for this. They offer a guest network on the WiFi, which is blocked from accessing resources on the main network.

      This does have a couple of problems though. One being that not all devices have WiFi, and it can be quite an expensive add-on.

      The other problem is that some devices (such as Smart TVs and smart thermostats) need access to the main network. Let's be honest, a lot of people don't buy a Smart TV because they can look at Facebook on it, or to watch YouTube. They will probably use the On Demand services (such as iPlayer, Netflix etc), but they are likely to be using it a lot to view the collection of dodgy copies of TV shows they have stored on their computer. The problem for Smart Thermostats (and other smart devices, such as smart plugs) is that they are often controlled by an app, which would obviously need a way to both find the devices and connect to them. Neither of which is going to happen if one network is separated from the other, unless the device and the app both connect to an external webservice, in which case you lose the advantage given by separation.
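
The one-way segmentation proposed at the top of this thread, written out as an added example that is not part of any comment: a forward-chain ruleset for a Linux router running nftables, where the computer network may open connections to the IoT network but not the reverse. The interface names `lan0`, `iot0` and `wan0` and the table name are assumptions; the `inet` family applies the same rules to IPv4 and IPv6.

```nftables
#!/usr/sbin/nft -f
# Added example. Interface names below are assumptions; change them
# to match the router's real interfaces (VLANs, bridges or SSIDs).
define LAN = "lan0"   # computers and other devices holding sensitive data
define IOT = "iot0"   # kettles, TVs, thermostats
define WAN = "wan0"   # internet uplink

table inet home_segments {
    chain forward {
        # Default deny: only traffic matched below crosses the router.
        type filter hook forward priority 0; policy drop;

        # Allow replies belonging to connections that were permitted
        # to start; discard packets with no valid connection state.
        ct state established,related accept
        ct state invalid drop

        # Computers may start connections to IoT devices (control and
        # monitoring) and to the internet.
        iifname $LAN oifname $IOT accept
        iifname $LAN oifname $WAN accept

        # IoT devices may start connections to the internet only.
        iifname $IOT oifname $WAN accept

        # Anything an IoT device starts toward the computer network is
        # logged before being dropped, so attempts show up in the
        # kernel log instead of disappearing silently.
        iifname $IOT oifname $LAN log prefix "iot-to-lan drop: " drop
    }
}
```

`nft -c -f <file>` checks the file without applying it. Apps that find devices by multicast on the local segment will not see across this boundary, which is the discovery problem raised in the comment above.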

  2. Alan Bourke

    I'll say it again

    it's a bad idea, and it mostly only exists to harvest more data and to target more advertising. We can't even keep a lot of existing networked stuff secure, why would you be connecting fucking fridges to the internet?

    This decade's cloud. Something for marketing to spin.

  3. Anonymous Coward
    WTF?

    But why

    would you have 90% of these devices on the network in the 1st place?

    A half decent firewall and proxy will kill these off dead. Lock down the switches and you have an even better situation.

    1. Stevie

      Re: But why

      Or, you know, get over the nerd-need to switch everything on and off using a smartphone.

      Can you order this pwned kettle to boil itself dry using a smartphone? I saw a network switch bay brought down by an exploding kettle once.

      1. tfewster
        Facepalm

        Re: But why

        But..but... remote control _must_ be better. Instead of walking in to the kitchen, filling the kettle and pressing a switch then washing up while it boils I just ...err...Walk in to the kitchen to fill the kettle, back to the living room to my smartphone, watch the ads on TV that I would previously have avoided, walk back in to the kitchen to make the tea, start washing up while it brews, miss the start of the programme.

        Or I could completely fill the kettle at the start of the evening so it takes ages to boil and wastes electricity, but only means one trip?

        Oh, I see now - The IoT isn't for my benefit, is it?

        1. Alan Brown Silver badge

          Re: But why

          "I could completely fill the kettle at the start of the evening so it takes ages to boil "

          I fill mine once a day, but it only boils one cup at a time.

          No way I'm letting it near the IoT

        2. DropBear
          Trollface

          Re: But why

          Now, now.... thou shalt not disparage the illustrious, time-honoured tradition of on-line coffee pots! The Hypertext Coffee Pot Control Protocol (HTCPCP a.k.a. RFC2324) also comes to mind...

    2. Anonymous Coward

      Re: But why

      Because HR bought them because they were shiny and the MD wants his new automated cup warmer plugged into the wireless and he's not taking fuck yourself for an answer?

    3. Anonymous Coward
      Linux

      Re: But why

      A firewall and proxy won't help too much if you don't plan ahead - they'll still be plugged in. OK they won't get to t'interwebs but you can bet the Boss will soon fix that. You are better off putting them where you can see them and using VLANs and extra WiFi SSIDs to segregate the things from your real LANs. Get your IDS and whatever else sniffing and poking around to watch what they are up to. Investigate NAC as well while you are at it (mmm Packet Fence).

      At the rate I'm creating VLANs I'm going to be looking into QinQ fairly soon .... and that's just at home.

  4. Anonymous Coward

    Vagrearg bs Guvatf

    FTFY, now you can refer to that-which-shall-not-be-named without giving it more publicity in the form of bad publicity (search results). Note the preposition's fate.

  5. Anonymous Coward

    Oh, I see now - The IoT isn't for my benefit, is it?

    No, nor mine. I don't know much at all about this IoT stuff (or is that 'IoS thing'?) having, until now, paid about as much attention to it as a molecule of Hydrogen in deep space to a brass monkey. Having read the comments I still don't 'get' why a kettle would be internet enabled. To let you know it's boiled? Really?? Anyone who wants that has to be ready for the funny farm. Is this a meme that started April 1st, and I'm in effect a mug in molasses?

    I can just see me starting a job where one of the bosses had an internet-enabled kettle and me getting sacked for repeatedly laughing so hard the whole site hears me. Even though I know if I can't stop I will be fired.

  6. Mark 85

    So far, so good...

    We have very few devices that phone home.. TV, DVD player/recorder and there's a couple of odds and ends that were gifts. None are plugged into a network cable and the router rejects them connecting to it if they try wifi.

    The crap will surely hit the rotating air movement device when the devices won't work unless connected to a network with internet access. Meantime, I'll continue to play Luddite with IoS/T and try to ignore it.

    1. Andy A
      Unhappy

      Re: So far, so good...

      Unfortunately the world is moving to a model where "it only works while you have a net connection".

      Office365, Photoshop, the many Clouds, nearly everything on your smartphone.

      Other devices demand that they periodically "phone home" or stop working. That's just like the "tags" that they fit offenders with rather than holding them in prison.

      It's only a matter of time before it becomes a crime NOT to be online.

      1. Anonymous Coward

        Re: So far, so good...

        "Unfortunately the world is moving to a model where "it only works while you have a net connection"......Office365....."

        Aahhh, yes. The ghastly abomination that is Office 365. Always f***ing deciding to uninstall itself without a by your leave, regardless of the actual licence status.

        All involved in Office 365's concept, development and specifications should be given free one way tickets to Syria.

  7. Sampler
    Coat

    Postal

    What does (arguably) Uwe Boll's only funny film have to do with IoT? One average turn out in a sea of shit?

  8. Ru'

    So yeah, how many of us came into work and brought our tv with us?

    1. Anonymous Coward
      Meh

      few I imagine, but the Boss bought a SmartTV for Reception, the girls there like it

  9. Anonymous Coward

    The acronym IoT stands for

    Internet of Trojans

    1. atlatl265

      Re: The acronym IoT stands for

      Right on AC, and everyone knows, hopefully about "Greeks bearing gifts". No IoT devices in the work space. No BYOD in the workspace. The whole idea is a travesty of security. It violates even a basic OpSec environment. At home, if you have IoT devices, No connecting to the company VPN, even if you have separate networks, allowable MAC lists, WPA2 whatever. The idea of an IoT kettle is ludicrous, right up there with the IoT toilet, sex toys and beer/gin dispensers. atlatl

  10. Little Mouse

    Tenuous header photo?

    I'm usually OK with obscure-references, but what's the connection with the scantily-clad ladies?

    Are they bringing their own devices? If so, where are they hiding them?

    1. Teiwaz

      Re: Tenuous header photo?

      I thought it was a still frame from the opening sequence to a Betty Boo music video...

      (either that, or someone brought their tablet into the office with their 'Action Girls' sub password discoverable)

  11. Teiwaz
    Mushroom

    TVs, toasters, kettles, cars

    Toasters and kettles I'm not too worried about, if it gets to the point that you cannot buy the first three without IOT, you can do without, back to the grill and saucepan on the hob.

    Cars are likely to be tracking by government mandate, and I don't trust them with IT.
