Ask Slashdot: Could A 'Smart Firewall' Protect IoT Devices? 230
To protect our home networks from IoT cracking, Ceaus wants to see a smart firewall:
It's a small box (the size of a Raspberry Pi) with two ethernet ports you put in front of your ISP router. This firewall is capable of detecting your IoT devices and blocking their access to the internet, only and exclusively allowing traffic for the associated mobile app (if there is one). All other outgoing IoT traffic is blocked... Once you've plugged in your new IoT toaster, you press the "Scan" button on the firewall and it does the rest for you.
This would also block "snooping" from outside your home network, and of course, keep your devices off botnets. The original submission asks "Does such a firewall exist? Is this a possible Kickstarter project?" So leave your best answers in the comments. Could a smart firewall protect IoT devices?
This would also block "snooping" from outside your home network, and of course, keep your devices off botnets. The original submission asks "Does such a firewall exist? Is this a possible Kickstarter project?" So leave your best answers in the comments. Could a smart firewall protect IoT devices?
Ideally a manifest/profile from IoT makers... (Score:5, Informative)
Ideally, there should be a profile/manifest IoT makers have as standard with their devices. This shows what incoming/outgoing ports and hosts the IoT device communicates with. Everything else should be blocked as default from the router. This should be in some central registry or a standardized URL system, so a home firewall could, once it recognizes a certain IoT device, grab a profile and run with it.
Of course, a lot of IoT makers would just put in that the device takes incoming/outgoing traffic from anything and everything, but hopefully there might be come makers who give a shit enough about security to put in limits of what their devices can and do not try communicating with.
This way, a firewall, once it registers a device can automatically apply a profile and call it done. Of course, there are security issues, but this is a giant step forward, compared to letting the device have unfettered access in and out.
Re:Ideally a manifest/profile from IoT makers... (Score:5, Insightful)
I love that idea! It's like FDA labeling laws, but for electronics. It would be totally cheap for the manufacturer to do, and it would make it totally transparent as to which devices are total crap. And if they lie, they could be liable for it at LEAST under false advertising laws. Now that you say this -- why the heck haven't we done this before? It seems so simple and obvious.
This device communicates on the following protocols:
IP address | Protocol | Destination
.
.
.
Re:Ideally a manifest/profile from IoT makers... (Score:4, Interesting)
But how would that work for devices that aren't tied to a specific service? I have some neat little wifi devices that show up in spotify and let me stream to various speakers around the house. If i cut them off from the internet then they simply don't work. I'd have to manually identify every IP that spotify uses and there seem to be a lot of them. In the end I watched them, identified two chinese IPs that they do reach out to and simply blocked those two. In theory that should stop them pulling in new firmware which seems like the most likely way they'd be infected. (However I haven't been able to determine if it uses an DNS lookup to find them and if so then that means someone hacking the chinese manufacturer could easily route the dns to another server).
The other thing that's really missing here is that this isn't really limited to iot devices. I'm sure in a year or two they'll be as secure as a typical windows machine and then the exploits will swing back that direction. Consumers that care about keeping their devices safe will do so, and those that don't give a fuck will see a slight improvement as time goes by.
Re: (Score:2)
As long as Spotify configured its DNS servers correctly it shouldn't be a problem for the firewall to identify all the IP addresses that the devices need to communicate with.
Ideally some kind of identity information for each domain would be included in the manifest, so that the firewall can automatically check that it hasn't changed before allowing access. 5, 10 and 15 years down the line a lot of these domains that provide firmware updates or control services will be long gone so there must be a way to rev
Re: (Score:3)
I do not understand the questions. I will try to answer.
But how would that work for devices that aren't tied to a specific service?
Any labeling system has standard lingo. When labeling food for example, vitamin content is listed as a % of the estimated daily value required for an average adult. Protein however is listed in grams. Terms such as "Yellow #5" are standardized. The same would happen when labeling your speakers. When a device is listening, we would need to have a term for "I listen on all IPV4 addresses" and "I listen on the local IP multicast address." If you've
Re: (Score:2)
This wouldn't work. As soon as malware infiltrates the device, it could make the manifest say whatever it wants.
Re:Ideally a manifest/profile from IoT makers... (Score:4, Insightful)
The IoT device is installed in a home, and writes the 'manifest' to the firewall device at installation. If it ever changes, the firewall would immediately know.
Re: (Score:2)
Re:Ideally a manifest/profile from IoT makers... (Score:4, Insightful)
At which point the consumer would see "Hey, your lightswitch wants permission to send a whole bunch of traffic to a random server" and they'd approve the change like they always do.
Re: (Score:2)
Just don't allow it to ever be changed. There is no good reason why it ever would need to change - if the manufacturer can't manage their domains properly, it's not up to us to support that.
Think of it like car safety. In many jurisdictions the car will not allow you to drive it if certain safety features are not working, mandated by law. Some of the features are to protect other people, pedestrians in particular.
Re:Ideally a manifest/profile from IoT makers... (Score:4, Insightful)
So your solution to securing incredibly insecure IoT devices is to allow those incredibly insecure IoT devices privileged access to the security device that polices access to your network.
This is why you don't let novices come up with security solutions.
Re: (Score:2)
Then the device gets compromised, tells the firewall to do allow everything as the manifest, and the fun begins. It might be that the device presents a signed (and a CA system is a solved problem similar to signed executables) manifest, allowing the device access, but if the signature chain isn't valid, it would be ignored.
Of course, this causes the issue of who controls the CA chain to rear its ugly head, because who becomes the root CA now has the keys to the kingdom that all the IoT makers must defer to
Re: (Score:2)
Is there really a need to allow the manifest to be updated? It's not as if IoT device makers are in the habit of giving customers free software updates that enable new features, you're supposed to throw it out and buy the next device for that.
Re: (Score:2)
Actually, It could be like antivirus or an adblocker where you subscribe to a service of your choice to provide you your device profiles from a database of devices... seeded by manufacturers, by volunteers, etc, etc... and not just IoT -- i think a system like this could work for mobile phone permissions and even desktop application firewalls.
Re: (Score:2)
This will mitigate scenarios where the device has an open Telnet port for "factory testing" that is not turned off once it goes out in the field.
However, a lot of exploits are in the semi-custom protocols these IoT makers are hacking up themselves. Those vulnerabilities are not mitigated by firewall protection in any way.
Re: (Score:2)
Those vulnerabilities are not mitigated by firewall protection in any way.
How? It isn't like manufactures of these dumb little devices are implementing things at ore below layer 4 of the OSI model so why wouldn't a standard firewall be able to block their crap. At worst it would be some custom protocol running on some random port using TCP. If they did go and create their own custom layer 3 or 4 protocol it would likely be blocked anyway as what networking device would understand bullshit protocol 862 from ChinaTrashCo. If you are referring to running some BS over HTTP that these
Re: (Score:2)
Sorry, I meant you can block the functionality completely, but once you want to make use of those features you'll need to allow firewall access and by that point a lot of the vulnerabilities rest with the protocol.
Re: (Score:2)
But won't do anything for protocol issues.
A lot of the IoT devices use port 80 and run some kind of HTTP client or server protocol. *Nothing* you do at the router is going to protect you from anything related to these kinds of crap-fest devices.
Re:Ideally a manifest/profile from IoT makers... (Score:4, Insightful)
Re: (Score:3)
Re: (Score:3)
If the maker puts in an IP address or DNS host, they are responsible for it, so it would be about the same risk as a company ninja-flashing an Android phone to double as a USB zapper. A manifest would make it at least known that the maker did vouch for the IP address.
There are many issues with this manifest system, be it who validates signatures, how do the firewalls grab devices, how are manifests updated and how is a firewall admin presented with updates. However, this is far better than nothing, as as
some rules (Score:5, Insightful)
All you really need is... some rules.
If you have an openwrt, dd-wrt or similar router, you can definitely block whatever traffic you want without new hardware.
You can whitelist devices by IP or MAC and not permit anything else to generate egress traffic, which won't prevent against devices smart enough to spoof your IP and MAC sending data but which will defeat the casual attacks.
Re:some rules (Score:5, Insightful)
I've corralled mine into a dhcp space, but it might be safer just to set up a whole separate wifi network for them, would make it easier to monitor.
Still it's trickier for things like the chromecast or airplay-type devices, because they both interact with phones and laptops on the local network and need to connect directly to streaming sources on the internet.
Re:some rules (Score:4, Interesting)
That's the actual answer. Get them their own SLOW connection, their own firewall/router, and let them talk to anyone they want. Keep them the hell away from your in-house goodness. And FFS, secure your actual wifi network. Also, put the channels at opposite ends of the band (or in different bands, better yet.)
Re: (Score:3)
Re: (Score:2)
Then run the IOT on the child network.
Re: (Score:2)
If you have an openwrt, dd-wrt or similar router, you can definitely block whatever traffic you want without new hardware.
Not even need some specific open-sourced firmware. Just any home router / NAT / firewall can do that. Don't need smart devices, just smart people to configure it properly...
Re: (Score:2)
Not even need some specific open-sourced firmware. Just any home router / NAT / firewall can do that. Don't need smart devices, just smart people to configure it properly...
Hi. Welcome to the internet. You must be new here.
Re: (Score:3)
Don't need smart devices, just smart people to configure it properly
Smart devices are easier to make than smart people.
Re:some rules (Score:5, Interesting)
ALL you need are some CONVENTIONS. Every firewall that isn't utterly worthless already blocks ALL outgoing traffic. IoT devices should, by convention, expose their API on a specific and otherwise not typical port. This port can simply always be blocked, ALWAYS ALWAYS blocked on the firewall. Now, when you need to have some specific access from somewhere, then the firewall could act as an authenticating proxy, removing the need for IoT vendors to actually grok security (which is literally a hopeless hope, they never will). Assuming your wireless network is adequately secured, so that nothing gets on it that you don't want there, you should be pretty set. Further conventions could relegate all IoT devices to a separate specific VLAN, etc. The key point is, all the devices need to do is adhere to some VERY simple conventions that even half-assed software vendors can adhere to.
Won't stop all problems, but it would make a damned good start.
Re: (Score:3)
I have no problems getting all my IoT devices to work just fine when they have in general no internet access. In my case it's a seperate vlan with firewall rules.
The problem is the cloud push to do very little onsite and send a lot of data into the clod while accepting C&C from it. Look around and plenty of devices that work locally.
Re: (Score:2)
Yeah, that's true of course. The problem is most devices envisage remote operation, and for many it CAN make sense. Quite a lot of them also expect to be able to push data up into the cloud for whatever reasons. Many also perform remote updates. It would of course be perfectly reasonable to allow devices to designate a single external point of contact which they can initiate, and obviously your firewall/LAN setup can easily deal with that. That will still leave some potential vectors for attack, but they wo
Re: (Score:2)
Sure lots of things want to connect to the internet, take my garage door interface. They sell their own services to let you via the cloud open/close the door and get alerts if it's left open etc etc. It has a local API, it connects to my IoT vlan and can not get out the door. Yet that means it never gets any possible firmware updates (would have to check if there is a way to upgrade via the api/local interface) but for a wired device on an isolated vlan at worst it's a way to get into that vlan via RF or
Re: (Score:2)
Hells most of them should not be on wifi, zwave etc etc is plenty fast and a better network. A dimmer needs a IP stack like a whole in the head. If you need that much speed it better be running artnet or similar not https connections to the cloud. The vast majority of this stuff has data use measured in bytes per day maybe KB if it's gathering power usage data.
Re: (Score:2)
You're very quickly falling into a trap of making assumptions about the devices and the applications.
Every firewall that isn't utterly worthless already blocks ALL outgoing traffic.
So every firewall on every home network then.
IoT devices should, by convention, expose their API on a specific and otherwise not typical port.
The same could be said about a computer. IoT devices like computers are equally multi-purpose. You expose the API on a port. Great now you have an open port. That port requires two-way communication for configuration, now you have an entry point. In that entry point you just need a bit of poor input checking with some remote code execution vulnerability and now yo
Re: (Score:2)
That's an overgeneralization. It also doesn't take into account that there are a LOT of possibilities that are short of 'you can just access the whole internet'. Any Firewall can restrict outgoing traffic to specific destinations. It can restrict incoming connections equally. It can force a login through a proxy, which can thwart any backdoor. More sophisticated devices can recognize malicious behavior and put a stop to it. There's plenty that can be done.
Re: (Score:2)
Rules - that is the key. I have a DVD player that is networked so we can access Netflix. The question is, what access does this device need? When we want to watch something, we request access through the device, so it needs to tell Netflix what to stream, and it needs access to receive our movie. I think the hardest part of setting up a firewall is going to be figuring that out. The DVD player is old, but it can access at least a half-dozen services. The same information would be needed for every serv
Re: (Score:2)
Re:some rules - but you have to know how! (Score:2)
There are several ways to use existing router features to do this. A few steps, a few minutes work.
Sadly, most are too ignorant to implement them.
Basically, how to get the unwashed massed to learn to implement them.
Re: (Score:2)
Re: (Score:2)
You have a really, really crappy firewall if it can only block ports without considering the specific IP(s) the traffic is from/to.
Re: (Score:2)
Allow established connections
Shitty_IoT_Device1 is allowed to send data on port 80 only to Shitty_IoT_Manufacturer1
Shitty_IoT_Manufacturer1 is allowed contact Shitty_IoT_Device1 on port WhatEverListeningPort
Shitty_IoT_Device2 is allowed to send data on port 80 only to Shitty_IoT_Manufacturer1
Shitty_IoT_Manufacturer1 is allowed contact Shitty_IoT_Device2 on port WhatEverListeningPort
Shitty_IoT_Device3 is allowed to send data on port 80 only to Shitty_IoT_Man
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
True, and anomaly detection gets most of the way (Score:2)
As Drinkypoo said, no need for new hardware, this is all about configuration. If you have a great many devices, configuration could be difficult, but there is a short cut. It's called "anomaly detection". The firewall learns what's normal, and when unusual traffic starts it takes one of three different actions, depending on the level of risk it estimated. Snort os open source software that can do this.
Along with anomaly detection covering 90%, you might also add some manual rules.
Re: (Score:2)
As someone suggested in an earlier post: have IoT devices carry a manifest (both printed on the box and in software) of the addresses / ports it needs to access. If we'd have a protocol for this, it could ask the router for that access automatically and prompt
A strong firewall (Score:2)
https://en.wikipedia.org/wiki/... [wikipedia.org]
How is this different from any firewall (Score:5, Insightful)
I'm pretty sure that this "smart firewall" is more commonly known as a "firewall". Any firewall that can't block traffic can't legitimately be called a firewall at all.
Re: (Score:3)
exactly its just a firewall with IDS...
scary...
Smart part is auto-config (Score:2)
Yes it's just a firewall.
The smart part would be it only acts as a firewall for IoT devices (welbcams, toasters, receivers) - basically anything with embedded networking in the user would not think to monitor. And it would know what app traffic to allow to connect to the device externally...
Someone like you or me can easily just configure a firewall to do whatever. But such a device would be great to be able to point non-technical (or even technical but uninteresting in networking) friends and family at.
I
Re: (Score:2)
That ramp up of packets out is hard to stop if its left wide open for CCTV been recorded on an internal network but it then becomes part of a swarm flooding an ip in another nation.
Users with click on anything in a GUI to finally get something networked but then feel safe they have hardware securing their network.
AV is really the better step. Try a
Re: (Score:2)
The dime-a-dozen solutions are not up to this task. It would require a subscription to an actively maintained (by the manufacturer or a third party security shop) set of behavioral profiles and updates for when the cloud/app vendors switch things around unannounced. What we're talking about here is the ability to differentiate between typical behavior and aberrant behavior. Such exists in the professional NGFW space, mostly. Note that IoT devices generally do not take direct inbound connections through
Re: (Score:2)
Plus at that point wouldn't a good heuristic firewall be nearly as helpful. Something that could say "yo, this sprinkler controller is trying to send out lots more data than it normally does" would probably work almost as well but not need the ongoing configuration.
Re: (Score:2)
To some extent that might work, until the IoT vendor updates the firmware or cloud service to legitimately send more traffic than it normally used to.
mssp (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
If we create a standard via RfC for it, and routers start to implement it, then in a few years it will become prevalent like WPS and UPnP did. You don't need 100% coverage for it to be useful. Manufacturers can sell it as a feature, "IoT Security(TM)" or whatever.
ISPs will soon upgrade the free routers that they gave to their customers if it prevents their networks becoming massive botnets and cuts down on support costs.
Social problem, not technical (Score:2)
As is so frequently the case, you're trying to solve a social problem with a purely technical solution. Would such a device work? Of course. Would many of the dozens of existing router products work, if properly configured? Yes. Does any of this matter? No. People don't care what devices on their network are doing as long as they appear to mostly be doing what they want. If they're doing other things, people are completely oblivious, and get petulant if you point out their ignorance.
The only market-
Why yes! There is. It's called (Score:4, Insightful)
I think this would be a major challenge (Score:2)
One of the things I do for a living is write firewall policy. We use Palo Alto gear, which seems to be some of the best available at automatically identifying what stuff is.
Even with a company like that behind the gear spending a lot of time and money keeping things up to date, it doesn't know about every little thing it sees.
Another challenge is that this device would need to be able to do SSL forward proxy for everything, or all it will know is there's an ssl connection to somewhere (although you can use
Re: (Score:2)
https://www.wired.com/2012/03/... [wired.com]
and the UK having its Investigatory Powers Act 2016https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016 with equipment interference.
With so many mil and gov groups now interested in the IoT what can any firewall be ready for?
Be able to look for alterations, strange pushed updates not from the user, developer?
Re 'That means somehow getting a signing cert onto the device that all of the IoT things trust.
VPN only (Score:2)
Such a device could turn IoT device connectivity into an on-demand VPN only setup.
Of course, having to fire a VPN client before interacting with the IoT device would be a hassle, but perhaps that could be made automatic. Another problem is that some IoT devices are useless if not connected to the cloud.
Re: (Score:3)
In the minds of the vendors, it is "necessary" because a) their software only barely works at ship-time and is still under active development for the first few years of product support, so the more of it that is server side, the better and b) their business model involves selling the below actual cost and making up the difference by selling to big-data consumers.
Re: (Score:2)
Not to sure on that selling under cost. A single nest costs more than the vera and the 4 zwave thermostats I needed. And a Vera works fine with no internet access.
Really though a smart local controller and dumb devices is a good model. I dont want to replace ever dimmer in my house every few years thats something that should last decades. On the other hand the controller needs security updates new features etc etc. That also gives you a very defined exposure point the be hardened. While the M&M se
Endian UTM (Score:2)
The answer is no, this is pointless (Score:4, Interesting)
Something about these recent DDoS attacks originating from IoT has always bothered me. And I think it's that many of these vulnerable IoT devices are already behind firewalls from the open internet. I'd wager that most people's thermostats, smart lights, sprinkerly systems, etc are all attached to their local WiFi, not the open Internet. So the question is, how were these devices compromised? I've not read anything on the internet that explains this, other then lists of default usernames and passwords. So I'm left with the conclusion that most IoT devices are hacked probably by malware on the local LAN from existing desktop computers. And the compromise occurs over services that are purposely exposed to the LAN, like a web interface. Of course compromised IoT devices then seek out and attack other IoT devices.
But the point I'm getting at is that a firewall just isn't going to stop this from happening, since the exploited services are open to incoming connections (from the LAN) by design. Obviously a device on the open internet is stupid and needs to be firewalled. But on your LAN a custom little smart firewall is not going to do squat.
The only vendors take security seriously and stop using default passwords and actively try to stamp out security flaws in the software itself such as buffer overruns, cross-site scripting flaws, or database injection, will IoT devices cease to become vulnerable. But I have my doubts these devices will ever be secured.
Re:The answer is no, this is pointless (Score:4, Informative)
I understand there is also some sillyness involving UPNP in some devices, so you can connect to the device "from your phone", as in, from the wider Internet. This probably includes the initial connection brokered through a central service, but much of the bulk data via direct connection.
Re: (Score:2)
Okay that makes a lot of sense. I hadn't thought about the implications of things like UDP NAT traversal (and apparently neither did any of the companies involved in compromised IoT devices). It makes sense that devices that use unencrypted traffic, after using a third party to establish the connection, are vulnerable to third parties messing with those packets and executing an exploit.
This makes the answer to the Ask Slashdot question even more of a solid NO! A smart firewall just isn't going to help us
Re: (Score:2)
Yup, this. Virtually all commercially available IOT crap is spyware. It opens a port on your firewall with UPNP, then phones home to the device's owner (aka not you). The device's owner also gives you an app for your phone that snoops on you and connects to their device that you've installed in your home.
Building a botnet can be as easy as port-scanning the UPNP-assignable ranges of a few popular home routers on a few big ISPs and exploiting any vulnerable devices that respond.
Oh, and if you already have
Re: (Score:2)
Virtually all of mine is zwave. It connects through a bridge to the internet and so while you could compromise the bridge you'd never really compromise the device. The light switch lacks wifi, lacks any concept of an IP address and I struggle to see any viable exploit against that.
The idea of buying a mismatch of nonstandard wifi bulbs from different suppliers just sounds like a nightmare.
Re: (Score:2)
I have upnp turned off on every router that I can. It is basically the biggest heap of junk there has ever been.
Re: (Score:2)
Many IOT devices have some kind of incoming data stream from the internet so that you can control them from your phone. This might be is via some company run cloud service, with questionable security.
For example [dreamwidth.org],
it's a device that infringes my copyright, gives you root access in response to trivial credentials, has access control that depends entirely on nobody ever looking at the packets, is sufficiently poorly implemented that you can crash both it and the bulbs, has a cloud access protocol that has no security whatsoever and also acts as an easy mechanism for people to circumvent your network security
Re: (Score:2)
Too much think about and too much to deal with (Score:2)
I have exactly four items that connect to the internet, my laptop, roku, wii and iPhone. I'm not connecting my lightbulbs, outlets, fridge, thermostat or any other ridiculous crap.
For this to really work (Score:2)
the manufacturers would have to provide, in some form, what their devices are supposed to be able to connect to, so that the firewall can block it from connecting to everything else.
In other words, manufacturers would have to admit how extensively their devices spy on you, and phone home with it, and open themselves up to easy consumer monitoring of what their devices send back.
I'm not holding my breath.
Re: (Score:2)
>> This is the sort of malware signature/whitelist-pattern database that can be easily generated and maintained
No. If it was easy, it would already have been done.
Put them on a different service. (Score:2)
My IoT switches are Z-wave. My thermostat is RS485. My individual temp feedback sensors are passive 433 MHz.
It's another layer of abstraction and less holes to plug than just letting everything have unfettered access to the outside world.
There may be a probem here... (Score:3, Insightful)
Yes. With a single acronym change. (Score:3)
Yes. With a single acronym change.
IoT "Internet of Things" --> IoT "Intranet of Things"
Connect them to a local Intranet server, instead of trying to connect them to a server in China, or at Google, or to everyone in the world, and they are no longer a problem.
A Fire (Score:2)
>> Could A 'Smart Firewall' Protect IoT Devices?
No. A big fire would be more adequate.
IOT is BS.
Not the right audience (Score:2)
You don't need to be worried about people who might think about hooking up a special router or even RPi to their network to deal with IoT devices, but rather with people that don't. And that's going to be pretty difficult to solve before all consumer routers come with decent default firewall rules or such additional functionality you're describing.
Already exists. (Score:2)
It's called a ... wait for it... a network firewall!
You would then whitelist the routes you want to allow.
And whatever you do, you would not let your IoT device update the firewall's ruleset!
Could A 'Smart Firewall' Protect IoT Devices? (Score:2)
It Could Work (Score:2)
sure (Score:2)
Isn't the problem more to do with default username (Score:2)
What About The Router Designers? (Score:2)
Couldn't a halfway decent modern router be designed to do something like this?
Naw .. never mind .. that's just crazy talk.
I've got the answer (Score:2)
Re: (Score:2)
No, I think people of all ethnic persuasions could have this issue. Bravo for bringing race into it, do you have any particular list of people you want to express outrage for on their behalf? Because no, they can't speak for themselves. This white devil here forgot to check his privilege on the way in, I am so sorry about that.
Re: (Score:2)
Re: (Score:2)
No
Or just as accurately: yes.
Re: (Score:2)
Re: Plenty of examples to go by (Score:2)
Re: Plenty of examples to go by (Score:2)
This does not need a special product. Any firewall will do, even a random consumer wifi router that has customizable firewall rules.
a) assign iot devices certain ip addresses
b) block all outgoing traffic from these
I have it done in a bit of more advanced way (VLANs), but thats not strictly necessary.
Re: (Score:3)
The problem is that most IoT devices rely on a centralised server for their operation, so your (b) will prevent them from working. Their smartphone app talks to the vendor's server and won't work without it. You need to allow it to talk to the vendor's server, but not to anything else.
That's also why the example in TFA won't work: you can't do this sort of filtering based on IP, because a lot of the vendors use multiple servers or even cloud hosting for the server component, so you'll end up having to al
Re: (Score:2)
Yes, true. My iot things talk with my own OpenHAB installation and therefore I do not have that issue. But a generic out of the box behaviour on most of the iot stuff is to phone home as it simply cannot be connected by an app in your phone without forwarding ports etc (which is beyond a normal user's abilities).
TFA is a a question by a person who has no idea how ip networks and client/server/app communication works.
My only point was that we do not need a special IOT isolating appliance, this can all be don
Why pay? (Score:2)
Re: (Score:2)
I think there are other exploits. Some of my cheap audio devices hit chinese IPs looking for firmware upgrades. If you could hack those IPs then you could deliver a malicious firmware while the network didn't see anything but a web request.
Re: (Score:2)
...There are very few IoT devices that couldn't provide near 100% of their functionality without ever having to talk outside your local network.
Develop some IoT devices that can do that and that can gracefully handle it when it loses all communication (e.g., your thermostat should still work)...
Great idea, but who's going to do it? The makers of such gear are much more interested in the big bucks they can make from data mining than they are in the chump change they make by selling you an IoT widget. The only reason big companies make IoT gear is data collection; the customers' needs are incidental to that endeavour, and the customers' connection to servers in the cloud is the whole point of the exercise.
"There are a lot of technically savvy people out there looking for smart devices that don't wor