I just discovered that the wifi smart plugs I have have a security vulnerability. Apparently other than stop using them altogether about the only way to protect myself is to put them on a separate network.
So, just to see what that 2nd choice means, and keeping in mind that a) I really don’t understand much outside the basics of network configuration, and b) I don’t even have a HA system yet (HA Yellow ordered, but not received yet), what options do I have with HA with regards to using a separate network? I’m just trying to understand my basic choices here, if any.
If they are on a separate network, then HA needs to be on that same separate network, and any device (phone/tablet/laptop) I wish to locally connect to my HA setup also has to be on that network, is this correct? I’m trying to figure what my day-to-day experience will be like for normal interactions with my smart home if I go this route. Would it make connecting my smart speakers (Google, Amazon) to HA more difficult (I use voice commands daily to turn stuff off/on)? Anything else (basic, just trying to get the gist of it) I’m missing here?
Actually, I don’t even want to say. I did a little research today after hearing about it today on a 4 month old smart home podcast. The issue is still there, and the manufacturer says they are not fixing it (product end of life). Does it make a difference for general advice?
There are many ways to handle it, all depending on your level of skills.
The easiest solution is going to be get something else that doesn’t have vulnerabilities.
Harder solutions are network segregation.
I’d recommend network segregation just as a general practice, but it’s not typically easy for the general consumer. This needs to be done at your router / switch, and many won’t support it, or will support it at a very basic level. If you want VLANs over Wifi, you’ll need Wireless access points that support this.
All-in-all, this is a pretty big rabbit hole to jump down. Worthwhile, but not easy. If you’re interested, take classes that would prepare you for the CCNA and consider something like pfsense / Netgate. If you care at all about home network security, this is a pretty big place to start.
Alright, so here’s the deal after reviewing the actual exploit and a general approach.
As a netsec guy, the things that scare me more than a known attack are the unknown ones. This thought is pertinent to set the stage here.
A good general approach for any IoT devices is to, at a minimum, put them into their own VLAN with firewall rules limiting access between that VLAN and the rest of the network. Few people do this. Many stick them into a separate VLAN with wide open firewall rules which effectively buys you very little security over having everything on the same network.
I would be more concerned about the devices with data exfil capabilities written right into the terms of service (e.g. Google, Apple, Amazon).
Vulnerabilities like these highlight the need for solid WiFi security and that really starts with a good, long password. Longer is better than complex (e.g. “ivegottalovelybunchacoconuts” is a better password than “c0mpl3x!ty”) but long and complex is the way to go.
At the end of the day, the people with the wherewithal and know-how to execute more complex exploits like this are typically not concerned with Joe Blow and are looking to leverage them somewhere with more bang for the buck. Think like Fortune 500 companies. If I wanted your information, I’d call your parents and social engineer it out of them. Case in point here, I had a couple email me their son’s tax return (you know, full name, address, dob, SSN) not once but TWICE after I responded to the first email letting them know the error and that I would delete it.
Unless you’re a big deal, in 99% of cases you aren’t worth the resources to do the recon to identify what exploits I could leverage against you, much less the resources needed to actually carry out those exploits in a meaningful way. For Joe Blow, I’d carry it out the old-fashioned way… grab a password dump from some random forum board and see what creds also work with CashApp.
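Added example, not part of any post in this thread: a small first-match rule evaluator that compares the "separate VLAN with wide open rules" setup described above with a restricted ruleset. The subnets, the Home Assistant address and the sample flows are constructed assumptions; 8123 is Home Assistant's default web port, and return traffic for allowed connections is assumed to be handled by a stateful firewall.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the thread).
LAN = "192.168.1.0/24"     # phones, laptops, Home Assistant
IOT = "192.168.20.0/24"    # smart plugs and other IoT devices
HA = "192.168.1.10/32"     # Home Assistant host
ANY = "0.0.0.0/0"

# Rule = (action, source, destination, dest_port); port None means any port.
WIDE_OPEN = [
    ("allow", IOT, ANY, None),   # IoT VLAN exists, but nothing is filtered
    ("allow", LAN, ANY, None),
]
RESTRICTED = [
    ("allow", LAN, IOT, None),   # trusted side may initiate to IoT devices
    ("allow", IOT, HA, 8123),    # IoT may reach only HA's default web port
    ("deny", IOT, LAN, None),    # all other IoT -> LAN traffic is dropped
    ("deny", IOT, ANY, None),    # no internet access for IoT devices
    ("allow", LAN, ANY, None),
]

# Constructed flows: (label, src, dst, dest_port)
FLOWS = [
    ("plug -> laptop file share", "192.168.20.5", "192.168.1.50", 445),
    ("plug -> Home Assistant", "192.168.20.5", "192.168.1.10", 8123),
    ("Home Assistant -> plug", "192.168.1.10", "192.168.20.5", 49153),
    ("plug -> internet host", "192.168.20.5", "203.0.113.7", 443),
    ("laptop -> internet host", "192.168.1.50", "203.0.113.7", 443),
]

def decide(rules, src, dst, port):
    """First matching rule wins; no match means default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_src, r_dst, r_port in rules:
        if (s in ipaddress.ip_network(r_src)
                and d in ipaddress.ip_network(r_dst)
                and r_port in (None, port)):
            return action
    return "deny"

def compare(flows=FLOWS):
    """Return {label: (wide_open_verdict, restricted_verdict)}."""
    return {label: (decide(WIDE_OPEN, s, d, p), decide(RESTRICTED, s, d, p))
            for label, s, d, p in flows}

if __name__ == "__main__":
    for label, (weak, strict) in compare().items():
        print(f"{label:28} wide-open={weak:5} restricted={strict}")
```

With the wide open rules every flow is allowed, so the VLAN changes nothing; with the restricted rules the plug can still be controlled from Home Assistant but cannot reach the laptop or the internet.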
I’ve seen the same IOT “security issues” articles, and they are mostly bunk. Click bait.
If your device requires the cloud to operate, then your risk is high. An intruder to your LAN is unlikely but hacking cloud protocols is a common exploit. There is no reason to have cloud-based devices with so many alternatives available.
On your LAN, strong passwords are your friend. A good password manager helps here. You only have to remember one password. Some offer 2-layer verification.
Now, my challenge. Can anyone point to a verified case of a hacker accessing a home LAN or devices on the home’s LAN? You can’t. You simply aren’t worthy of the hacker’s time.
I agree that the likelihood of someone targeting your LAN is near zero. That being said, it’s different with smart devices. If a smart bulb manufacturer put a back door in their device, then they have inside access to your LAN whenever they want. Not that big of a deal for one house, but multiply that out and it’s a big deal.
All they’d have to do is periodically watch network traffic, and set up a system to alert them to certain sites or behaviors to tell them you’re a good target. Then they spend some extra work on your system and maybe grab some saved credentials, or saved bank account info.
Is it likely? No. Is it easy to protect against with VLANs and traffic separation? Yes.
Well, not exactly point to. But I seem to recall headlines (click bait?) about hackers accessing baby monitors and cameras in people’s homes. So there are theoretical vulnerabilities, depending on what your IoT devices actually do. But overall I agree with your point. Light switches and temperature sensors are just not a very juicy target.
Those are mostly people that never changed the default username/password of their devices, add to that UPnP and there you have it…
And that doesn’t mean the ‘hacker’ has full access to your LAN.
Were these targeted hacks or the server on the cloud screwing up? A couple of years ago some Wyze customers were looking into strangers’ homes. They weren’t hacked, but the Wyze servers screwed up royally. Something similar happened when the original Ring doorbells were installed. The installers weren’t changing the default passwords and never told the customer how to change them.
As someone who has gone down this rabbit hole, I can tell you it was very enlightening. I do have a home network based on pfSense, Unifi, etc. and have it configured for my security needs. Some of the things I learned:
Many devices “phone home” and report information that you don’t know about. I have personally seen (via pcap) wifi devices that are local control, and no cloud service, establishing a connection to a server somewhere in another country and sending encrypted data. I don’t like this so I block devices that do this (via firewall rules). Note: it’s not just IoT devices that do this.
I am less worried about my devices being hacked than I am about my devices snooping on my activities. Roku, Google, Amazon, Windows, Ad trackers, etc. are notorious for this but I was surprised about the devices I never considered (light switches?!?!). There are ways I block that activity but it’s a constant battle to keep up with companies harvesting your info.
Staying informed about this security space is a huge time sink but it teaches you how to think about threats, risks, mitigation, remediation, and recovery (when stuff does go wrong).
I know I’m a Joe Blow but I also know how easy it is for a consumer grade network to be hacked and/or exploited for nefarious purposes (think recent DDoS attacks using CCTV devices). Paraphrasing what @FriedCheese said, it’s the stuff I don’t know that scares me more than the stuff I do know; so, I try to educate myself and do something about it.
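Added example, not part of any post in this thread: one way to spot the "phone home" behaviour described above from connection records exported from a firewall or a packet capture. The record format (`time src dst dport`), the IoT subnet and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

IOT_NET = ipaddress.ip_network("192.168.20.0/24")   # assumed IoT VLAN
# Destinations treated as local: RFC 1918 ranges, multicast, broadcast.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "255.255.255.255/32")]

# Constructed sample records: "time src dst dport"
SAMPLE = """\
12:00:01 192.168.20.5 192.168.1.10 8123
12:00:04 192.168.20.5 239.255.255.250 1900
12:00:09 192.168.20.7 203.0.113.7 443
12:03:09 192.168.20.7 203.0.113.7 443
12:04:30 192.168.1.50 198.51.100.20 443
12:06:09 192.168.20.7 203.0.113.7 443
garbage line
"""

def external_talkers(log_text):
    """Map each IoT device to {(external_dst, port): connection_count}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed records
        try:
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
            port = int(parts[3])
        except ValueError:
            continue
        if src not in IOT_NET:
            continue                      # only IoT devices are of interest
        if any(dst in net for net in LOCAL_NETS):
            continue                      # local, multicast or broadcast
        hits[str(src)][(str(dst), port)] += 1
    return {dev: dict(dsts) for dev, dsts in hits.items()}

if __name__ == "__main__":
    for dev, dsts in external_talkers(SAMPLE).items():
        for (dst, port), n in dsts.items():
            print(f"{dev} -> {dst}:{port}  {n} connections")
```

Each reported pair is a candidate for a per-device block rule on the firewall; the laptop's traffic and the plug's local and multicast traffic are ignored.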
Thanks all to the many responses. First up, I might as well list the product here, hopefully you can’t hack my network through a reply message once you know the secret :-).
“Wemo Mini Smart Plug V2 (model F7C063)”.
Now, to reply to or comment on some of the many ideas and comments:
I do use a long and complex Wifi password but, of course, it can’t protect you from everything.
Other network security measures. Well, I have tried to learn more about networking in the past but really feel I ran into a wall. So I am not at all confident I can implement extra measures to protect myself from this, or any other security risk.
I agree that I myself do not make much of a target. But this is an old argument and I have also found myself agreeing with the idea that it is pretty weak protection. Not that I don’t rely on that sometimes, but I try to not overdo it.
I’m not sure the relative risk of wifi vs. non-wifi smart home devices, and then compared to every other type of wifi devices I have in my house. A (relatively) expensive device may not come with security worth a nickel, but I would take it as an axiom that an inexpensive one almost certainly won’t. If I get rid of these particular devices at least then none of my switches, sensors, lights, etc, will be anything but zigbee or z-wave.
Any chance the plugs I mentioned above have replaceable firmware?
As to ‘the rest of it’, this one issue is, I know, just one tiny little worm at the bottom of a giant can (bucket, dumpster?) of worms. I guess I won’t sweat this too much until I get rid of them. I try and follow all the general suggestions and pay attention as much as I can, but there is no such thing as a fully protected anything. Thanks for everyone’s reply. I may try and read up on my network security, maybe I can at least see just what is really going on on my network, then go from there.
That’s why I recommended taking CCNA focused courses. CCNA is step 1 to being a Cisco Network Architect and assumes very little knowledge of networking. Most of the topics learned in CCNA relate to the kind of networks you’ll have in your house. When it comes to your router and beyond, that’s where the CCNA knowledge expires, which is fine unless you plan on working for your ISP.
Certainly worth taking some YouTube classes if you’re interested.
Anything WiFi can talk to the internet. If you aren’t doing anything network security related, just assume it is talking to the internet. Anything WiFi can talk / see all the devices on your home network. If you aren’t doing anything network security related, assume it is.
This works great for plug and play. Get a new device, add it to your WiFi, your PC / server sees the new device, calls out to the cloud, connects to your account, registers the device, and boom, done. Not so great if this whole process is happening to servers in China or Russia without your knowledge.
Zigbee / Z-wave are wireless protocols, but they can’t connect to the internet directly. Only each other. The hub or dongle can. So you end up with one point of intrusion / risk instead of countless points of risk. If I buy a cheap Asian Zigbee device, it really can’t see much except for other Zigbee devices, and the hub. If I’ve secured the Hub, then I really don’t have to worry about it calling home to China.
Now since it’s ad hoc I’m sure there are ways to see / connect to your neighbor’s Zigbee devices, but you’ve got some serious problems if hackers are getting in that way.