IoT device network security vs functionality

Most IoT devices are built by engineers with functionality in mind using chipsets that are cheap and were never designed to be secure. As we know, functionality and cost savings generally come at the expense of security, and this is particularly the case for the emerging IoT market.

But what if you think you have nothing to lose, who cares if someone reads your email - you have nothing to hide? You may be right, hackers generally don’t care about your private life. While hacking was previously an annoyance it’s now big money. And it’s not just ransomware, in fact ransomware is no longer the latest and greatest. Thanks to crypto-currency most hacks are now going after your CPU cycles. Feel like giving away free electricity? Not so much I imagine.

Based on the above alone (and there’s so much more to it), if you do not have your IoT devices on a separate, isolated network/VLAN to your more trusted devices (i.e. those which get regular patches and security updates like PCs and modern phones), you are putting yourself at risk.

I haven’t seen a topic about this, so what I’d like to do is start a list of the supported IoT devices, and what they need vs what they want in terms of network access, to be able to function, so that we can build a list of how to properly secure ourselves from these devices. In future, pressure will no doubt go back onto the manufacturers to provide this information, but for now this is what we have.

I’ll start it off by saying yesterday I tried to isolate my Xiaomi Roborock (v2) vacuum from the internet. It stopped responding to the Mi Home app. Did some research and it appears the vacuum not only sends basic telemetry but pretty much everything it knows, including the maps it creates, back ‘home’.

What I’ve been able to discover by firewall logging is the following which I need to investigate further:

Device: Xiaomi 2nd Generation Roborock S50.

Notes: Seems to have discovered I’m in NZ and is using local time servers. Uses HTTPS (encryption) for all other traffic, which is unexpected but very good in terms of what I’ve come to expect for IoT comms.

| Destination IP | Destination URL/Location | Protocol | Port | Service | Required for Native App? | Required for HASS? |
|---|---|---|---|---|---|---|
| 18.194.236.76 | ec2-18-194-236-76.eu-central-1.compute.amazonaws.com | TCP | 443 | HTTPS | ??? | ??? |
| 52.29.158.79 | ec2-52-29-158-79.eu-central-1.compute.amazonaws.com | TCP | 443 | HTTPS | ??? | ??? |
| 130.217.226.51 | timeball3.its.waikato.ac.nz | UDP | 123 | NTP | ??? | ??? |
| 202.118.1.81 | news.neu.edu.cn | UDP | 123 | NTP | ??? | ??? |
| 202.6.116.123 | time.unleash.net.nz | UDP | 123 | NTP | ??? | ??? |
| 202.78.240.38 | cat-prod-time1.catalyst.net.nz | UDP | 123 | NTP | ??? | ??? |
| 61.161.155.29 | China | UDP | 123 | NTP | ??? | ??? |
1 Like

My rule is cut access to the outside world unless it needs it. Or better yet, buy devices that don’t need an internet connection to work.

If it has to have access, restrict it as much as possible.

1 Like
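The two posts above describe the same workflow: log everything the device sends while it sits on its own VLAN, boil the log down to a "what it talks to" table like the one for the Roborock, then allow only the rows it actually needs and drop the rest. The script below is an added example of that workflow and is not code from the thread or from Home Assistant. It reads lines in the standard Linux netfilter `LOG` target format (`SRC=... DST=... PROTO=... DPT=...`); the interface names, the `192.168.20.0/24` IoT subnet, the log lines themselves and the `required` set passed to `build_allowlist` are all constructed for this demonstration, and deciding which rows are really required is something only testing the device can tell you.

```python
"""Aggregate netfilter LOG lines from an IoT VLAN and emit a minimal allowlist.

Added example (not from the thread). The log format is the standard Linux
netfilter LOG target output; the bridge name "br-iot", the subnet and the
sample lines are constructed for this demonstration.
"""
import re
from collections import Counter

# (protocol, destination port) pairs that correspond to the Service column
# in the thread's table, plus DNS because almost every device needs it.
SERVICE_NAMES = {
    ("TCP", 443): "HTTPS",
    ("TCP", 80): "HTTP",
    ("UDP", 123): "NTP",
    ("UDP", 53): "DNS",
    ("TCP", 53): "DNS",
}

KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: an IoT bridge "br-iot" being forwarded to the WAN side
# "eth0". Destination addresses are the ones listed in the thread's table.
SAMPLE_LOG = """\
[fw-iot] IN=br-iot OUT=eth0 SRC=192.168.20.10 DST=18.194.236.76 PROTO=TCP SPT=51234 DPT=443 SYN
[fw-iot] IN=br-iot OUT=eth0 SRC=192.168.20.10 DST=18.194.236.76 PROTO=TCP SPT=51235 DPT=443 SYN
[fw-iot] IN=br-iot OUT=eth0 SRC=192.168.20.10 DST=52.29.158.79 PROTO=TCP SPT=51240 DPT=443 SYN
[fw-iot] IN=br-iot OUT=eth0 SRC=192.168.20.10 DST=130.217.226.51 PROTO=UDP SPT=123 DPT=123
[fw-iot] IN=br-iot OUT=eth0 SRC=192.168.20.10 DST=61.161.155.29 PROTO=UDP SPT=123 DPT=123
[fw-iot] IN=br-iot OUT=eth0 SRC=192.168.20.10 DST=8.8.8.8 PROTO=UDP SPT=40001 DPT=53
"""


def parse_log(text):
    """Turn each LOG line into a dict of its KEY=VALUE fields (ports as ints)."""
    records = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if "DST" not in fields or "PROTO" not in fields:
            continue  # not a netfilter LOG line, skip it
        for key in ("SPT", "DPT"):
            if key in fields:
                fields[key] = int(fields[key])
        records.append(fields)
    return records


def service_name(proto, dport):
    """Label a (proto, port) pair, falling back to the raw port number."""
    return SERVICE_NAMES.get((proto.upper(), dport), f"{proto.upper()}/{dport}")


def summarize(records):
    """Count flows per (DST, PROTO, DPT) so each destination appears once."""
    counts = Counter()
    for rec in records:
        if "DPT" not in rec:
            continue  # e.g. ICMP carries no port
        counts[(rec["DST"], rec["PROTO"].upper(), rec["DPT"])] += 1
    return counts


def format_table(summary):
    """Render the summary as the kind of table posted in the thread."""
    lines = ["Destination IP   Protocol  Port  Service  Flows"]
    for (dst, proto, dport), n in sorted(summary.items()):
        lines.append(f"{dst:16} {proto:9} {dport:<5} {service_name(proto, dport):8} {n}")
    return lines


def build_allowlist(summary, required, iot_subnet, chain="FORWARD"):
    """Emit iptables commands that ACCEPT only the (dst, proto, port) tuples
    the owner has confirmed the device needs, then LOG and DROP the rest.

    `required` is a set of (dst, proto, dport) tuples. Which rows belong in
    it is established by testing the device with each row blocked; this
    code cannot infer it from the log alone."""
    rules = [
        # Return traffic for connections the device itself opened.
        f"iptables -A {chain} -d {iot_subnet} -m conntrack "
        f"--ctstate ESTABLISHED,RELATED -j ACCEPT"
    ]
    for dst, proto, dport in sorted(summary):
        if (dst, proto, dport) in required:
            rules.append(
                f"iptables -A {chain} -s {iot_subnet} -d {dst} "
                f"-p {proto.lower()} --dport {dport} -j ACCEPT"
                f"  # {service_name(proto, dport)}, {summary[(dst, proto, dport)]} flows seen"
            )
    rules.append(f'iptables -A {chain} -s {iot_subnet} -j LOG --log-prefix "[fw-iot] "')
    rules.append(f"iptables -A {chain} -s {iot_subnet} -j DROP")
    return rules


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print("\n".join(format_table(summary)))
    # Assumed outcome of testing: one NZ NTP server and the two AWS hosts are
    # enough for the app to work; everything else (other NTP, direct DNS) is cut.
    required = {
        ("130.217.226.51", "UDP", 123),
        ("18.194.236.76", "TCP", 443),
        ("52.29.158.79", "TCP", 443),
    }
    print("\n".join(build_allowlist(summary, required, "192.168.20.0/24")))
```

Feed it real output with something like `grep '\[fw-iot\]' /var/log/kern.log` and swap `SAMPLE_LOG` for that text. Two caveats a practitioner will hit: the AWS addresses are EC2 instances and can change under the device, so an allowlist pinned to those IPs will eventually break the app again and the LOG rule is what tells you when; and if you drop the device's DNS you need to either allow your own resolver or point the device at it, since the device will otherwise fail before it ever reaches the HTTPS endpoints.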

This is going a little bit in the same direction as the idea of a Product database. We have “IoT class” which could give you a hint already.

If you start to isolate a device which is integrated via a cloud service into Home Assistant then you will probably end up with a non-working device. If the cloud is involved you have to live with the possible leaking of private information.

1 Like

There have been a few, but they never really gain traction. This one for example: Iptables and home assistant

I think it doesn’t gain traction because very few people are aware of what goes on within their network. I am still dealing with multiple different countries hitting my Home Assistant port on a daily basis. Being unable to determine which ones are legitimate is driving me nuts. Although, as time goes on, I am guessing a majority of them are illegitimate. Problem is, I don’t see signs of issues around my network (failed login attempts on HA, Logwatch summaries reporting ill attempts, etc.), only through snort sniffing and rules.

Also, I love help in any form or fashion, but when your response is “this is not possible”, it stops the dialog.