[HN Gopher] Hacked from a lightbulb
       ___________________________________________________________________
        
       Hacked from a lightbulb
        
       Author : bjoko
       Score  : 50 points
       Date   : 2020-02-07 13:14 UTC (1 day ago)
        
 (HTM) web link (blog.checkpoint.com)
 (TXT) w3m dump (blog.checkpoint.com)
        
       | mirimir wrote:
       | I guess that many don't isolate IoT stuff in at least a vLAN. And
       | I guess that's because "consumer" routers don't have such
       | features.
       | 
       | It's pitiful.
        
         | tzs wrote:
         | Also consumers often just use the router their ISP provided.
         | 
         | Suppose your router does not have VLAN support, and you do not
         | wish to replace it. Can you add sufficient VLAN support to your
         | network by adding switches with VLAN support?
         | 
         | TP-Link has a couple of switches (TL-SG105E and TL-SG108E) [1]
         | that are not full managed switches but do more than common
         | unmanaged switches. They are priced about the same as unmanaged
         | switches. I got the 8 port model for $30.
         | 
         | These switches have some VLAN capability, although I haven't
         | looked into what it can do. (I got it for its port mirroring
         | ability, not its VLAN ability).
         | 
         | If you are using your ISP's router/WiFi access point, and your
         | IoT devices use WiFi then I'd guess there is not much you could
         | do with switch-based VLANs. The Hue bulbs, though, talk to a
         | Zigbee hub that you plug into your ethernet, so you can make
         | all the Hue traffic go through a switch.
         | 
         | Another problem is that nearly all the documentation I've found
         | on using VLANs gets real "enterprisey" real fast. For even
         | fairly sophisticated home users it is probably really
         | confusing, and so even if they have a router with good VLAN
         | support they might not be able to figure out how to use it.
         | 
         | [1] https://www.tp-link.com/us/home-networking/5-port-
         | switch/tl-... (SG108E is essentially the same, just with 8
         | ports instead of 5).
        
           | mirimir wrote:
           | Those switches only work with a router that actually creates
           | the vLANs. I use one with pfSense, running on a small box
           | with a used Intel server NIC. So I have a mix of LANs and
           | vLANs to keep stuff more or less isolated. If I want WiFi, I
           | just stick an Alfa AP on one.
           | 
           | In any case, you're counting on the router to keep one
           | LAN/vLAN isolated from the others.
        
         | swiley wrote:
         | Industrial equipment has this idea of a "fieldbus" that you put
         | the manufacturer's devices on and then have some kind of hub or
         | controller that you completely own between it and the internet
         | (if you decide to connect it.) I spent 4 years working for a
         | company that makes these and it's (IMO) the correct way to do
         | this.
         | 
         | X10 had this sort of architecture, maybe if everyone started
         | using Bluetooth or USB you could do something similar.
         | 
         | I've shopped a few times for consumer computer controlled
         | lighting and it's all _crap_ (just like any consumer
         | electronics niche) that needs to be put on a WiFi network and
         | use the manufacturer's app (and often network services.)
         | 
         | If you want IOT either do it yourself or get industrial stuff.
        
           | mindslight wrote:
           | Some of the consumer stuff can be controlled with reverse
           | engineered protocols. I've got some TP-LINK bulbs, configured
           | and controlled entirely with Free software. They're on an
           | isolated network with no Internet access, of course.
           | 
           | DIY seems eminently possible with ESP32 etc, but mains power
           | means I'd rather buy something off the shelf from a
           | longstanding brand.
           | 
           | I doubt this will move the needle for consumer manufacturers
           | to embrace it, but it works right now (and is more responsive
           | than X10). We're all cyber-gleaners until (hopefully) the
           | market demands open standards.
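The local control mindslight mentions for TP-Link bulbs, as an added example that is not code from the thread: the Kasa local protocol is JSON over TCP port 9999, obfuscated with an autokey XOR (initial key 171) and prefixed by a 4-byte big-endian length. The bulb command below is the one open-source clients send to Kasa smart bulbs; the bulb address in the `__main__` block is a placeholder, and `send_command` only does anything against a real bulb on your own (isolated) network.

```python
"""TP-Link Kasa local protocol: autokey-XOR obfuscated JSON over TCP 9999.
Added example; the bulb address used at the bottom is a placeholder."""
import json
import socket
import struct
from typing import Optional

INITIAL_KEY = 171      # fixed starting key of the autokey XOR
KASA_PORT = 9999


def kasa_encrypt(plaintext: bytes) -> bytes:
    """Each output byte is XORed with the previous output byte (autokey)."""
    key = INITIAL_KEY
    out = bytearray()
    for b in plaintext:
        c = key ^ b
        key = c            # the ciphertext byte becomes the next key
        out.append(c)
    return bytes(out)


def kasa_decrypt(ciphertext: bytes) -> bytes:
    """Inverse of kasa_encrypt: key for byte i is ciphertext byte i-1."""
    key = INITIAL_KEY
    out = bytearray()
    for c in ciphertext:
        out.append(key ^ c)
        key = c
    return bytes(out)


def frame_tcp(command: dict) -> bytes:
    """TCP framing: 4-byte big-endian length, then the obfuscated JSON."""
    body = kasa_encrypt(json.dumps(command, separators=(",", ":")).encode())
    return struct.pack(">I", len(body)) + body


def unframe_tcp(frame: bytes) -> dict:
    """Parse one length-prefixed reply; refuses truncated frames."""
    (length,) = struct.unpack(">I", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("short frame: expected %d body bytes" % length)
    return json.loads(kasa_decrypt(body))


def bulb_state_command(on: bool, brightness: Optional[int] = None) -> dict:
    """Light-state command used by open-source Kasa bulb clients."""
    state = {"on_off": 1 if on else 0, "transition_period": 0}
    if brightness is not None:
        state["brightness"] = max(0, min(100, brightness))
    return {"smartlife.iot.smartbulb.lightingservice":
            {"transition_light_state": state}}


SYSINFO_COMMAND = {"system": {"get_sysinfo": {}}}


def send_command(host: str, command: dict, timeout: float = 3.0) -> dict:
    """Send one command to a bulb and return its decoded JSON reply."""
    with socket.create_connection((host, KASA_PORT), timeout=timeout) as s:
        s.sendall(frame_tcp(command))
        header = s.recv(4)
        (length,) = struct.unpack(">I", header)
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                raise ConnectionError("bulb closed the connection mid-reply")
            body += chunk
        return unframe_tcp(header + body)


if __name__ == "__main__":
    import sys
    # Placeholder address (RFC 5737 documentation range); pass your bulb's IP.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(send_command(host, SYSINFO_COMMAND))
    print(send_command(host, bulb_state_command(on=True, brightness=40)))
```

Because the "encryption" is a fixed-key autokey XOR, anyone on the same segment can read and forge these commands, which is one more reason the bulbs belong on a VLAN of their own rather than on the LAN with your laptops.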
        
         | dboreham wrote:
         | There's no reason consumer routers couldn't have this feature.
         | They didn't have guest vlans and child vlans in the past
         | either.
        
           | anilakar wrote:
           | Sorry - AP manufacturers are already too busy adding RGB
           | leds, GPU vendor branding, Gaming Acceleration and other
           | bullshit "value" adding features that can justify a three-
           | digit price tag instead of coming up with something useful.
        
             | Jonnax wrote:
             | What are you talking about?
             | 
             | A high end router with those features will definitely come
             | with VLAN support.
             | 
             | Asus certainly does.
        
         | alasdair_ wrote:
         | I use unifi switches, access points etc. they may be a bit
         | higher end than the cheapest consumer gear but they are still
         | marketed towards home use (as well as businesses).
         | 
         | I have four vlans - adults, kids, IOT and guests. Only the
         | adults vlan has unfiltered access, the others are pretty
         | heavily locked down.
        
         | mook wrote:
         | The IoT stuff also needs to communicate with other trusted
         | machines (so that they can be controlled, e.g. turning on/off
         | the lights or watching the videos from the cameras); putting
         | them all on a vLAN would prevent that from working, too.
        
           | mirimir wrote:
           | You set up port forwarding in your router to allow that.
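The segmentation tzs, mirimir, alasdair_ and mook are discussing (several VLANs on one router, trusted hosts allowed to reach the IoT segment, nothing on it allowed to open connections back), written as a policy table that renders an nftables forward chain. This is an added example and not code from the thread; the zone names, the VLAN sub-interface names (`lan0.10` and so on) and the allow table are assumptions to adapt to your own router.

```python
"""Inter-VLAN policy as code for a Linux router running nftables.
Added example; interface names, VLAN IDs and the allow table are assumed.
Sub-interfaces would be created with e.g.
  ip link add link lan0 name lan0.30 type vlan id 30
and the switch ports carrying that VLAN tagged towards the router."""
from typing import Dict, FrozenSet, Tuple

# Assumed 802.1Q sub-interfaces on the router's LAN port; "wan" is upstream.
ZONES: Dict[str, str] = {
    "adults": "lan0.10",
    "kids": "lan0.20",
    "iot": "lan0.30",
    "guest": "lan0.40",
    "wan": "wan0",
}

# Which zone may *initiate* connections into which. Replies come back through
# the stateful "established,related" rule, so a laptop on "adults" can open a
# session to a Zigbee hub on "iot" while nothing on "iot" can open one to it.
ALLOW_NEW: FrozenSet[Tuple[str, str]] = frozenset({
    ("adults", "wan"), ("adults", "iot"), ("adults", "kids"),
    ("kids", "wan"),
    ("guest", "wan"),
    # "iot" has no entry on purpose: no Internet and no other segment.
})


def may_initiate(src: str, dst: str) -> bool:
    """Policy decision for a NEW connection from zone src to zone dst."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError("unknown zone: %r -> %r" % (src, dst))
    return src != dst and (src, dst) in ALLOW_NEW


def packet_allowed(src: str, dst: str, ct_state: str) -> bool:
    """Mirror of the rendered forward chain for one routed packet."""
    if ct_state in ("established", "related"):
        return True            # reply traffic of an already-allowed session
    if ct_state == "invalid":
        return False
    return may_initiate(src, dst)


def render_nft(zones: Dict[str, str] = ZONES,
               allow_new: FrozenSet[Tuple[str, str]] = ALLOW_NEW) -> str:
    """Render the policy as an nftables ruleset (load with `nft -f`)."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dst in sorted(allow_new):
        lines.append('    iifname "%s" oifname "%s" ct state new accept'
                     % (zones[src], zones[dst]))
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nft(), end="")
```

The forward chain only governs traffic between segments; the router's own input chain still has to admit DHCP and DNS from each VLAN, and a hub that genuinely needs its vendor cloud (Hue does) gets a narrow `("iot", "wan")` allowance restricted to that destination rather than a blanket one. Note that the default is drop, so a typo in a VLAN interface name fails closed rather than open.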
        
         | mopsi wrote:
         | Consumer routers do have this feature, but usually it's
         | software-limited to a single additional VLAN and called "guest
         | network". It would be trivial to add an option for dedicated
         | "IOT network".
         | 
         | Even the cheapest $20 routers are actually quite capable in
         | terms of hardware, supporting at least 16 VLANs.
        
           | mirimir wrote:
           | Oh. Well, then, just put all the IoT stuff on the guest
           | network.
           | 
           | Maybe hard on your guests, though :(
        
       | jimsmart wrote:
       | As the old adage goes: the S in IOT stands for security. ;)
        
       | kurthr wrote:
       | What strikes me about these IOT devices is that their value
       | doesn't just go down as they get old/outdated/unsupported, but
       | they can easily become a negative value that far exceeds the
       | original price paid.
       | 
       | That is fairly unique (almost unknown in any simple physical
       | device) and requires a very different purchasing/disposal/return
       | policy.
        
         | tehlike wrote:
         | Same for most networking equipment, i suppose.
        
       | StreamBright wrote:
       | Some of my friends do not understand why I buy deadwood books,
       | dumb TV, traditional dumb lightbulbs and do not use any home
       | automation or IoT at all.
        
         | leeoniya wrote:
         | There's no need to stick to dumb devices, especially when new
         | devices have much better hardware. Just don't connect them to a
         | network unless they're VLANed, pi-holed, or even MITM'd with
         | filtering.
        
           | heavyset_go wrote:
           | On the other hand, a zero-day could make your life
           | _interesting_ if you live in a high density city.
        
       | yborg wrote:
       | https://www.forbes.com/sites/leemathews/2017/07/27/criminals...
       | 
       | You can be hacked from your doorbell, thermostat, or refrigerator
       | now. Soon, hacks to vehicles will be able to propagate into home
       | networks to install malware. It's an exciting time to be a
       | cybercriminal...
        
       | tines wrote:
       | > Their research brought up an interesting question: Could
       | attackers somehow bridge the gap between the physical IoT network
       | (the lightbulbs) and attack even more appealing targets, such as
       | the computer network in our homes, offices or even our smart
       | city?
       | 
       | > And the answer is: Yes.
       | 
       | Does this surprise anyone? Was this really a question brought up
       | by their research? A computer with a network connection is a
       | computer with a network connection, no matter how small.
        
         | achillean wrote:
         | That issue has been raised for nearly a decade now in the
         | security community so definitely not a new question. And there
         | have been stories like this:
         | https://www.bbc.com/news/technology-25780908
        
       ___________________________________________________________________
       (page generated 2020-02-08 23:00 UTC)