Most IoT devices are built by engineers with functionality in mind using chipsets that are cheap and were never designed to be secure. As we know, functionality and cost savings generally come at the expense of security, and this is particularly the case for the emerging IoT market.
But what if you think you have nothing to lose, who cares if someone reads your email - you have nothing to hide? You may be right, hackers generally don’t care about your private life. While hacking was previously an annoyance, it’s now big money. And it’s not just ransomware; in fact ransomware is no longer the latest and greatest. Thanks to crypto-currency, most hacks are now going after your CPU cycles. Feel like giving away free electricity? Not so much, I imagine.
Based on the above alone (and there’s so much more to it), if you do not have your IoT devices on a separate, isolated network/VLAN from your more trusted devices (i.e. those which get regular patches and security updates, like PCs and modern phones), you are putting yourself at risk.
I haven’t seen a topic about this, so what I’d like to do is start a list of the supported IoT devices, and what they need vs what they want in terms of network access, to be able to function, so that we can build a list of how to properly secure ourselves from these devices. In future, pressure will no doubt go back onto the manufacturers to provide this information, but for now this is what we have.
I’ll start it off by saying yesterday I tried to isolate my Xiaomi Roborock (v2) vacuum from the internet. It stopped responding to the Mi Home app. Did some research and it appears the vacuum not only sends basic telemetry but pretty much everything it knows, including the maps it creates, back ‘home’.
What I’ve been able to discover by firewall logging is the following which I need to investigate further:
Device:
Xiaomi 2nd Generation Roborock S50.
Notes:
Seems to have discovered I’m in NZ and is using local time servers. Uses HTTPS (encryption) for all other traffic which is unexpected but very good in terms of what I’ve come to expect for IoT comms.
Destination IP | Destination URL/Location | Protocol | Port | Service | Required for Native App? | Required for HASS? |
---|---|---|---|---|---|---|
18.194.236.76 | ec2-18-194-236-76.eu-central-1.compute.amazonaws.com | TCP | 443 | HTTPS | ??? | ??? |
52.29.158.79 | ec2-52-29-158-79.eu-central-1.compute.amazonaws.com | TCP | 443 | HTTPS | ??? | ??? |
130.217.226.51 | timeball3.its.waikato.ac.nz | UDP | 123 | NTP | ??? | ??? |
202.118.1.81 | news.neu.edu.cn | UDP | 123 | NTP | ??? | ??? |
202.6.116.123 | time.unleash.net.nz | UDP | 123 | NTP | ??? | ??? |
202.78.240.38 | cat-prod-time1.catalyst.net.nz | UDP | 123 | NTP | ??? | ??? |
61.161.155.29 | China | UDP | 123 | NTP | ??? | ??? |
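The table above was built by hand from firewall logs. As an added example (not code from the original post, nor from Xiaomi or Home Assistant), the script below does that triage step automatically: it parses iptables/nftables LOG-style lines, keeps only flows whose source is in the IoT VLAN, counts destinations per protocol/port, flags any destination that is on the LAN rather than the internet (lateral traffic you want to see before deciding what to allow), and emits allow rules from the observed flows as the starting point for a default-deny policy on that VLAN. The VLAN range 192.168.50.0/24, the Home Assistant host 192.168.10.5:8123, the nftables chain name `iot_out`, the port-to-service labels and the log lines themselves are all constructed assumptions; the public destination addresses mirror the ones in the table.

```python
"""Firewall-log triage for an isolated IoT VLAN.

Added example, not code from the original post or from Xiaomi/Home Assistant.
Assumptions: the firewall writes iptables/nftables LOG-style lines (KEY=VALUE
pairs), the IoT VLAN is 192.168.50.0/24, and the Home Assistant host lives on
192.168.10.5:8123. The log lines below are constructed; the public destination
addresses mirror the ones in the post's table.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("192.168.50.0/24")          # assumed IoT VLAN
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")           # matches KEY=VALUE tokens

# Hypothetical (protocol, port) -> service labels for the "Service" column.
SERVICE_BY_PORT = {("TCP", 443): "HTTPS", ("UDP", 123): "NTP", ("TCP", 8123): "HASS"}

# Constructed sample log lines in the iptables LOG format (prefix "IOT-OUT:").
SAMPLE_LOGS = """\
Jan 14 21:03:11 fw kernel: IOT-OUT: IN=vlan50 OUT=eth0 SRC=192.168.50.23 DST=18.194.236.76 LEN=60 PROTO=TCP SPT=41022 DPT=443 SYN
Jan 14 21:03:12 fw kernel: IOT-OUT: IN=vlan50 OUT=eth0 SRC=192.168.50.23 DST=130.217.226.51 LEN=76 PROTO=UDP SPT=123 DPT=123
Jan 14 21:03:12 fw kernel: IOT-OUT: IN=vlan50 OUT=eth0 SRC=192.168.50.23 DST=61.161.155.29 LEN=76 PROTO=UDP SPT=123 DPT=123
Jan 14 21:03:15 fw kernel: IOT-OUT: IN=vlan50 OUT=eth0 SRC=192.168.50.23 DST=52.29.158.79 LEN=60 PROTO=TCP SPT=41023 DPT=443 SYN
Jan 14 21:03:20 fw kernel: IOT-OUT: IN=vlan50 OUT=eth0 SRC=192.168.50.23 DST=18.194.236.76 LEN=60 PROTO=TCP SPT=41024 DPT=443 SYN
Jan 14 21:04:01 fw kernel: IOT-OUT: IN=vlan50 OUT=eth0 SRC=192.168.10.5 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=50000 DPT=443 SYN
Jan 14 21:04:09 fw kernel: IOT-OUT: IN=vlan50 OUT=br0 SRC=192.168.50.23 DST=192.168.10.5 LEN=60 PROTO=TCP SPT=41025 DPT=8123 SYN
"""


def parse_line(line):
    """Return the KEY=VALUE fields of one log line, or None if it is not a flow record."""
    fields = dict(KV_RE.findall(line))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    fields["DPT"] = int(fields.get("DPT", 0))   # ICMP lines carry no DPT
    return fields


def summarise(log_text, iot_net=IOT_NET):
    """Count flows per (dst, proto, dport) for sources inside the IoT VLAN only."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or ip_address(f["SRC"]) not in iot_net:
            continue                             # not an IoT device, ignore
        counts[(f["DST"], f["PROTO"], f["DPT"])] += 1
    return counts


def rows(counts):
    """Build rows like the post's table, most frequent first, marking LAN destinations."""
    out = []
    for (dst, proto, dport), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        out.append({
            "dst": dst,
            "proto": proto,
            "port": dport,
            "service": SERVICE_BY_PORT.get((proto, dport), "?"),
            # a private destination means the device is reaching across VLANs
            "scope": "LAN" if ip_address(dst).is_private else "internet",
            "flows": n,
        })
    return out


def allow_rules(counts, iot_net=IOT_NET):
    """Emit nftables-style allow rules (hypothetical chain 'iot_out') for the observed
    flows; review the LAN-scoped ones before loading them behind a default drop."""
    return [
        f"add rule inet filter iot_out ip saddr {iot_net} ip daddr {dst} "
        f"{proto.lower()} dport {dport} accept"
        for dst, proto, dport in sorted(counts)
    ]


if __name__ == "__main__":
    counts = summarise(SAMPLE_LOGS)
    print("Destination IP | Protocol | Port | Service | Scope | Flows")
    print("---|---|---|---|---|---")
    for r in rows(counts):
        print(f"{r['dst']} | {r['proto']} | {r['port']} | {r['service']} | {r['scope']} | {r['flows']}")
    print()
    print("\n".join(allow_rules(counts)))
```

Run it against a real `IOT-OUT:` log extract instead of `SAMPLE_LOGS` and the "Required for Native App?" / "Required for HASS?" columns then become an experiment: load the generated rules behind a default drop, remove one destination at a time, and see which app stops working. The "LAN" scope flag is the one to read first, since a device that should only talk to its cloud and to Home Assistant has no business reaching any other internal host.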