[HN Gopher] Hacked from a lightbulb
___________________________________________________________________

Author : bjoko
Score  : 50 points
Date   : 2020-02-07 13:14 UTC (1 day ago)
Link   : blog.checkpoint.com

  mirimir wrote:
  | I guess that many don't isolate IoT stuff in at least a vLAN. And
  | I guess that's because "consumer" routers don't have such
  | features.
  |
  | It's pitiful.
    tzs wrote:
    | Also consumers often just use the router their ISP provided.
    |
    | Suppose your router does not have VLAN support, and you do not
    | wish to replace it. Can you add sufficient VLAN support to your
    | network by adding switches with VLAN support?
    |
    | TP-Link has a couple of switches (TL-SG105E and TL-SG108E) [1]
    | that are not fully managed switches but do more than common
    | unmanaged switches. They are priced about the same as unmanaged
    | switches. I got the 8 port model for $30.
    |
    | These switches have some VLAN capability, although I haven't
    | looked into what it can do. (I got it for its port mirroring
    | ability, not its VLAN ability.)
    |
    | If you are using your ISP's router/WiFi access point, and your
    | IoT devices use WiFi, then I'd guess there is not much you could
    | do with switch-based VLANs. The Hue bulbs, though, talk to a
    | Zigbee hub that you plug into your ethernet, so you can make
    | all the Hue traffic go through a switch.
    |
    | Another problem is that nearly all the documentation I've found
    | on using VLANs gets real "enterprisey" real fast. For even
    | fairly sophisticated home users it is probably really
    | confusing, and so even if they have a router with good VLAN
    | support they might not be able to figure out how to use it.
    |
    | [1] https://www.tp-link.com/us/home-networking/5-port-switch/tl-...
    | (SG108E is essentially the same, just with 8 ports instead of 5).
      mirimir wrote:
      | Those switches only work with a router that actually creates
      | the vLANs.
      | I use one with pfSense, running on a small box with a used
      | Intel server NIC. So I have a mix of LANs and vLANs to keep
      | stuff more or less isolated. If I want WiFi, I just stick an
      | Alfa AP on one.
      |
      | In any case, you're counting on the router to keep one
      | LAN/vLAN isolated from the others.
    swiley wrote:
    | Industrial equipment has this idea of a "fieldbus" that you put
    | the manufacturer's devices on and then have some kind of hub or
    | controller that you completely own between it and the internet
    | (if you decide to connect it). I spent 4 years working for a
    | company that makes these and it's (IMO) the correct way to do
    | this.
    |
    | X10 had this sort of architecture; maybe if everyone started
    | using Bluetooth or USB you could do something similar.
    |
    | I've shopped a few times for consumer computer-controlled
    | lighting and it's all _crap_ (just like any consumer
    | electronics niche) that needs to be put on a WiFi network and
    | use the manufacturer's app (and often network services).
    |
    | If you want IOT either do it yourself or get industrial stuff.
      mindslight wrote:
      | Some of the consumer stuff can be controlled with reverse
      | engineered protocols. I've got some TP-LINK bulbs, configured
      | and controlled entirely with Free software. They're on an
      | isolated network with no Internet access, of course.
      |
      | DIY seems eminently possible with ESP32 etc, but mains power
      | means I'd rather buy something off the shelf from a
      | longstanding brand.
      |
      | I doubt this will move the needle for consumer manufacturers
      | to embrace it, but it works right now (and is more responsive
      | than X10). We're all cyber-gleaners until (hopefully) the
      | market demands open standards.
    dboreham wrote:
    | There's no reason consumer routers couldn't have this feature.
    | They didn't have guest vlans and child vlans in the past
    | either.
      anilakar wrote:
      | Sorry - AP manufacturers are already too busy adding RGB
      | leds, GPU vendor branding, Gaming Acceleration and other
      | bullshit "value" adding features that can justify a
      | three-digit price tag instead of coming up with something
      | useful.
        Jonnax wrote:
        | What are you talking about?
        |
        | A high end router with those features will definitely come
        | with VLAN support.
        |
        | Asus certainly does.
    alasdair_ wrote:
    | I use unifi switches, access points etc. They may be a bit
    | higher end than the cheapest consumer gear but they are still
    | marketed towards home use (as well as businesses).
    |
    | I have four vlans - adults, kids, IOT and guests. Only the
    | adults vlan has unfiltered access; the others are pretty
    | heavily locked down.
    mook wrote:
    | The IoT stuff also needs to communicate with other trusted
    | machines (so that they can be controlled, e.g. turning on/off
    | the lights or watching the videos from the cameras); putting
    | them all on a vLAN would prevent that from working, too.
      mirimir wrote:
      | You set up port forwarding in your router to allow that.
    mopsi wrote:
    | Consumer routers do have this feature, but usually it's
    | software-limited to a single additional VLAN and called "guest
    | network". It would be trivial to add an option for a dedicated
    | "IOT network".
    |
    | Even the cheapest $20 routers are actually quite capable in
    | terms of hardware, supporting at least 16 VLANs.
      mirimir wrote:
      | Oh. Well, then, just put all the IoT stuff on the guest
      | network.
      |
      | Maybe hard on your guests, though :(
  jimsmart wrote:
  | As the old adage goes: the S in IOT stands for security. ;)
  kurthr wrote:
  | What strikes me about these IOT devices is that their value
  | doesn't just go down as they get old/outdated/unsupported, but
  | they can easily become a negative value that far exceeds the
  | original price paid.
  |
  | That is fairly unique (almost unknown in any simple physical
  | device) and requires a very different purchasing/disposal/return
  | policy.
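The isolation the thread keeps circling back to (a trusted LAN that can still control the bulbs or hub, an IoT VLAN that cannot reach back into the LAN or out to the internet) as a worked example on a Linux router with nftables; this is added here and is not from the thread, the Check Point post, or any commenter's setup (mirimir's box runs pfSense, not this). It assumes a trunk port eth0 carrying VLAN 10 (trusted) and VLAN 30 (IoT) and an upstream wan0; those interface names and VLAN ids are assumptions.

```shell
#!/bin/sh
# Added example: two 802.1Q VLANs on a Linux router, with an nftables
# forward policy that lets the trusted LAN start sessions to IoT
# devices but never the reverse. Names below are assumptions.
set -eu
TRUNK=${TRUNK:-eth0}   # assumed trunk port toward the VLAN-capable switch
WAN=${WAN:-wan0}       # assumed upstream interface
LAN_VID=10             # assumed trusted VLAN id
IOT_VID=30             # assumed IoT VLAN id (hub, bulbs, cameras)

# Emit the ruleset. The conntrack rule is what lets replies to
# LAN-initiated sessions flow back without opening anything for IoT.
iot_ruleset() {
  cat <<EOF
table inet iot_isolation {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$TRUNK.$LAN_VID" oifname "$TRUNK.$IOT_VID" accept comment "LAN controls IoT"
    iifname "$TRUNK.$LAN_VID" oifname "$WAN" accept comment "LAN to internet"
    iifname "$TRUNK.$IOT_VID" oifname "$TRUNK.$LAN_VID" log prefix "IOT-TO-LAN " drop
    iifname "$TRUNK.$IOT_VID" oifname "$WAN" log prefix "IOT-TO-WAN " drop
  }
}
EOF
}

# Create the VLAN subinterfaces on the trunk (needs root and the trunk NIC).
make_vlans() {
  for vid in $LAN_VID $IOT_VID; do
    ip link add link "$TRUNK" name "$TRUNK.$vid" type vlan id "$vid"
    ip link set "$TRUNK.$vid" up
  done
}

# Load the ruleset into the kernel (needs root and nft).
apply_ruleset() {
  make_vlans
  iot_ruleset | nft -f -
}

# Sanity check: no forward rule accepts traffic that originates on the IoT VLAN.
# Returns 0 when the policy is as intended.
ruleset_blocks_iot_initiation() {
  ! iot_ruleset | grep -E "iifname \"$TRUNK\.$IOT_VID\".* accept" >/dev/null
}

# Run as: ./iot_vlan.sh apply   (as root) to create VLANs and load the rules
if [ "${1:-}" = "apply" ]; then
  apply_ruleset
fi
```

Dropped IoT-originated packets are logged with the IOT-TO-LAN and IOT-TO-WAN prefixes, which is the cheapest possible detector for a hub or bulb that has started probing the rest of the house.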
    tehlike wrote:
    | Same for most networking equipment, I suppose.
  StreamBright wrote:
  | Some of my friends do not understand why I buy deadwood books, a
  | dumb TV, traditional dumb lightbulbs and do not use any home
  | automation or IoT at all.
    leeoniya wrote:
    | There's no need to stick to dumb devices, especially when new
    | devices have much better hardware. Just don't connect them to a
    | network unless they're VLANed, pi-holed, or even MITM'd with
    | filtering.
      heavyset_go wrote:
      | On the other hand, a zero-day could make your life
      | _interesting_ if you live in a high density city.
  yborg wrote:
  | https://www.forbes.com/sites/leemathews/2017/07/27/criminals...
  |
  | You can be hacked from your doorbell, thermostat, or refrigerator
  | now. Soon, hacks to vehicles will be able to propagate into home
  | networks to install malware. It's an exciting time to be a
  | cybercriminal...
  tines wrote:
  | > Their research brought up an interesting question: Could
  | > attackers somehow bridge the gap between the physical IoT
  | > network (the lightbulbs) and attack even more appealing
  | > targets, such as the computer network in our homes, offices or
  | > even our smart city?
  |
  | > And the answer is: Yes.
  |
  | Does this surprise anyone? Was this really a question brought up
  | by their research? A computer with a network connection is a
  | computer with a network connection, no matter how small.
    achillean wrote:
    | That issue has been raised for nearly a decade now in the
    | security community, so definitely not a new question. And there
    | have been stories like this:
    | https://www.bbc.com/news/technology-25780908

___________________________________________________________________
(page generated 2020-02-08 23:00 UTC)