As someone who likes to work in security, I get incredibly frustrated with poor security practices. While most users have nothing to worry about in general, there are still common attack vectors out there that attackers can and will exploit when given the chance. It’s essentially a path of least resistance: if your network offers a viable attack vector and another network doesn’t, it’s easier to go after the one that’s known to be possible than to hunt for one that might be. That’s why I plead with you to stop exposing your Internet of Things (IoT) devices to the internet.
I understand that not everyone can get around exposing their IoT devices to the internet. Web-enabled CCTV cameras, smart lights, and a whole bunch of other pieces of tech require an internet connection to either be useful or simply be controlled. While some may feel that installing updates as they come out is enough to protect you, that often isn’t the case. A fantastic study from New York University, titled “Software Update Practices on Smart Home IoT Devices”, analyzed public data relating to IoT devices, and the information derived from it was nothing short of worrying.
IoT devices are ripe for exploitation
Your smart light might betray you
IoT devices are incredibly useful, and they enable us to build smart homes that are truly smart. I’ve been spending a lot of time in Home Assistant, integrating my older smart lights, setting up Zigbee sensors, and deploying new software to control all of it. That includes setting up LocalTuya, software that can be used to control Tuya devices on your local network instead of controlling them through the cloud.
The data collected by those researchers was obtained through IoT Inspector, a tool that allows you to visualize the network activities of your IoT devices at home. The tool, also developed at New York University, has a dataset of real-world devices, their software versions, and their user agents. While users should update their devices when updates come out, that may not be good enough to protect them. As the researchers state:
[W]e find that vendor deploy updates in rolling fashion, and oftentimes rolled out updates are not the latest. In other words, when vendors deploy updates, they do not always update the software component to the latest versions, which means oftentimes devices are left in vulnerable state even after end user[s] install the update.
So what can you do? As we’ve seen in the past, there are very real threats that leverage IoT devices across the globe, and that’s because they’re renowned for their vulnerabilities. One of the most famous examples of this was the Mirai botnet, which leveraged vulnerabilities in IoT devices to build its network. This software was used to conduct some of the largest Distributed Denial of Service (DDoS) attacks ever seen. It was first used to take down Minecraft servers, before being used to take heavy hitters like Netflix, GitHub, and Reddit offline, too.
These problems are mostly caused by the companies that make these devices, as the slow release (or even total lack) of updates makes them an appealing target. The attack vectors differ from device to device as well, depending on how each device interacts with the internet, which in turn changes how it’s exposed. Some use UPnP to open ports on your router for cloud-based connections, as is the case with many CCTV cameras.
However, there can be significantly more damaging vulnerabilities discovered, too. In one particularly infamous case, a peer-to-peer relay stack known as iLinkP2P saw itself at the center of an IoT-related exploitation controversy. Under CVE-2019-11219 and CVE-2019-11220, security researcher Paul Marrapese discovered two million IoT devices connected to the wider internet that were vulnerable to remote exploitation, and it’s highly likely that there were more, too.
There’s only one way to completely protect yourself
And it doesn’t have to be inconvenient
The only way to truly protect yourself is to prevent your IoT devices from accessing the internet. I’ve seen some suggest placing them on a VLAN that has internet access for updating and cloud controls, so that they’re at least separated from the rest of your network, but that only solves half of the problem. In the case of CCTV cameras, for example, a future vulnerability like the iLinkP2P one could still expose a camera in your home to the wider internet. The VLAN protects you from an attacker using those devices to discover other devices on your network, but your camera’s video feed might now be visible online. Plus, in the case of Mirai, where IoT devices were used to form a botnet, how does a VLAN protect against that? You can limit bandwidth usage, but you’re still not dealing with the actual problem of the devices being compromised in the first place. The only way to deal with the problem, frankly, is to take them offline entirely.
This obviously raises its own challenges, but there are workarounds for those who are serious about ensuring their network’s security. ESPHome from the Open Home Foundation (the same group that owns Home Assistant) allows you to flash your own IoT devices with custom software to take them completely offline and manage them locally. ESPHome obviously doesn’t support every device, but it supports quite a lot, and chances are, most of your devices can be converted. There are even a few that can be converted to ESPHome over a network, though most require a physical modification. It might still be worth it in your case, or could even be a fun engineering project.
The other way to protect yourself, and the way that I personally do it, is to block their internet access entirely. All of my smart lights are Tuya-based smart lights, and tools like LocalTuya allow you to control them locally. It’s very easy to get the connection keys required to control them from a local network, and there’s no hardware modification required. Once you’ve collected those keys (through the Tuya Cloud Developer platform), you can then control them from LocalTuya, removing their cloud dependence and enabling them to still be controlled even if they can’t call home anymore.
In my case, I use my OPNsense firewall to block all traffic to and from those lights, except to my Home Assistant box, as all of my smart lights are controlled through it as a central point of contact. Then, LocalTuya (which runs as a custom integration installed via HACS) can control them. Because LocalTuya runs on my local network and the lights can’t reach the internet, there’s no risk of them being exploited from outside.
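To make the difference between the two approaches concrete, here is the policy described above written as a pf ruleset (the packet filter OPNsense builds its GUI rules on). This is an added example, not the author’s configuration; the interface names, addresses, and the Tuya local-control port 6668 that LocalTuya talks to are assumptions for illustration.

```pf
# Added example in pf syntax; interface names and addresses are assumptions.
iot_if    = "vlan20"            # IoT VLAN interface
lan_if    = "igb1"              # trusted LAN interface
iot_net   = "192.168.20.0/24"   # smart lights, sensors, cameras
lan_net   = "192.168.10.0/24"   # trusted LAN
ha_host   = "192.168.10.5"      # Home Assistant box running LocalTuya
tuya_port = "6668"              # TCP port LocalTuya uses to reach the lights

# Weak: the "isolated VLAN" approach. Devices cannot reach the trusted LAN,
# but they can still reach the internet, phone home to the cloud, and open
# relay connections (the iLinkP2P scenario). Left commented out on purpose.
# pass in quick on $iot_if from $iot_net to ! $lan_net keep state

# If the firewall is also the DHCP server for the IoT VLAN, leases must be
# allowed before the block below; otherwise this rule is unnecessary.
pass in quick on $iot_if proto udp from any port 68 to any port 67

# Corrected: the IoT VLAN gets no outbound access at all, not to the LAN and
# not to the internet. "log" records every blocked attempt, which doubles as
# a detection signal for a device that keeps trying to call home.
block in log quick on $iot_if from $iot_net to any

# The single exception: Home Assistant initiates connections to the lights.
# pf is stateful, so replies from a light match the state entry created here
# and never reach the block rule above.
pass in quick on $lan_if proto tcp from $ha_host to $iot_net port $tuya_port keep state
```

Watching the firewall log for hits on the block rule is a quick way to find a device that still depends on the cloud before you cut it over to local control.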
If you’re serious about network security, I can’t stress enough how important it is that you take your IoT devices offline if possible. They’re often open to exploitation, get very few updates (if any), and can be a detriment to your security. While no solution is perfect, the only way to ensure you’re protected is to prevent their access to the wider internet. It may seem nuclear, but unfortunately, it’s the only way. These devices rarely see updates, and when there are alternatives to cloud controls that you can deploy yourself, there are very few arguments left for actually keeping them connected to the internet.