|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
As a geek I use Alexa enabled devices to turn on and control turning on and off the Christmas Tree and other lights in the house. “Hey Alexa, turn on
[See the full post at: Patch lady – Alexa should be on her own network]
Susan Bradley Patch Lady/Prudent patcher
The Portland FBI security discussion on Smart TVs was originally posted by Woody a few days ago:
It does read somewhat as “weekly newsletter content”, rather than a PSA.
It does not appear to have been written by a cyber-security expert… I would have expected references, if it was. (Or maybe its content has just been specifically written for a general newsletter audience?)
“Own network” may not be that easy depending on what router you have. Some have a “guest” wifi network that allows internet but no local access, but almost none have an ethernet equivalent. To achieve this you need another router to use as your local network and the original router then becomes the “guest” network.
cheers, Paul
Sounds like a good idea… I may be paranoid about IoT now, but I think when I get my own place, I’ll avoid all connections with Alexa/Amazon echo/fire & Google Nest/Assistant. Sometimes I just sigh or say something meaningless… & Google Assistant thinks I want something. Which means she/he’s been listening on my Android phone. I can pause listening, but not turn it off. Oh, well… as the saying goes (sometimes attributed to Batman), “Just because you’re paranoid, doesn’t mean they’re not out to get you.”
As for the Portland FIB, great ideas from them for IoT & holiday scams… but a bit paranoid themselves about Smart TVs, IMHO. Yes, Consumer Reports proved Samsung Smart TVs & the Roku platform can be hacked at the lowest level for minor pranks. “Cyberstalking” with your TV’s camera & microphone? Not proven to be possible… yet. “Dumb” TVs (no Internet connectivity) are still available at Best Buy & other retailers… but they’re getting harder & harder to find.
Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...
What’s being suggested is simply to isolate IoT devices and IoT hubs like Amazon Echo or Google Home Hub from your main network, and to restrict their exposure to incoming network traffic. This can be done by setting up a sub-net for the IoT devices, or you can spend some money and buy a hardware firewall with a subscription for security and firmware updates.
I agree totally that the FBI is blowing the Smart TV hacking threats and their listening issues way out of proportion.
Still, Alexa and Google Assistant (and Cortana in Windows 10) do seem to collect and retain some recordings. Whether this amounts to spying is highly debatable, but we each have our own threshold of suspicion.
“Just because you’re paranoid doesn’t mean they aren’t after you.” — Joseph Heller, Catch 22 .
-- rc primak
By default, usually, those ports all connect to each other.
Sometimes there is an “AP Isolation” function on the router that could prevent traffic from flowing from one device to another, but then you would loose connectivity to your printer if it is networked because turning it on would isolate every device form each other. Maybe you could activate the guest network (a form of isolation between one part of the network and another) on one port, but I think that most of the time it operates on the wifi network only and you can’t select a port as part of it (maybe some routers permit that, I don’t know).
Using another router, you could hide your private network behind the router (laptop, printer, desktop) and you would plug this outside router port to one of the ports of your main router. This would in effect prevents the IoT device from reaching your internal network directly as your second router would act as a firewall to the outside network made on the first.
What is more dangerous is to have an IoT device that can punch holes in your router’s firewall using UPnP if you didn’t disable it on the router. Then, the device becomes open to the web and could potentially create a door to your internal network, using a vulnerability on the unmaintained IoT device or if the device is so not smart that it allows external connections with default passwords you didn’t change.
I use a single Ethernet line from my ISP to a router with 4 output Ethernet ports
All of your ethernet ports can see all devices on your local network. IoT devices should not be on these ports.
Adding a router to one of these ports moves your local network to the new router – connect your PC and printer to the new router and the IoT device to the original router.
cheers, Paul
All of your ethernet ports can see all devices on your local network. IoT devices should not be on these ports. Adding a router to one of these ports moves your local network to the new router – connect your PC and printer to the new router and the IoT device to the original router.
Well actually, neither of those details are a given…
Do check the router and switch configuration. Many of the home / small-business models default to having everything in the same network, which is what you specifically don’t want in this case. Others may already have isolation between Ethernet ports at least as an optional function that can be turned on.
Also VLAN technology can be found in some surprisingly affordable devices now. Extra complexity, but enables having multiple isolated networks through shared routers and switches once you know how to use it correctly…
Anything on the guest network is isolated from your “normal” devices.
cheers, Paul
T
Anything on the guest network is isolated from your “normal” devices.
cheers, Paul
Thanks, Paul.
Another way of isolating that I realized I have is my living room tv is connected to a wi-fi extender that creates a “my-network-EXT” wifi network that is isolated.
Another way of isolating that I realized I have is my living room tv is connected to a wi-fi extender that creates a “my-network-EXT” wifi network that is isolated.
I’d double-check that one – it may appear isolated, but a network extender has to connect to an existing wireless network and pass traffic across it. If you connected it to your router’s guest network, it’d maintain that isolation. If you connected it to your “inside” network, it’s isolated in name only.
Ok, up front I’m no networking guru, not even close. However, and I’m just guessing, Susan is talking from a business perspective. It was my understanding that the IP’s 192.168….. & 10.10…. ,used for most home networks, are NON-Routeable addresses? Doesn’t this mean that they can’t be reached by incoming traffic unless you open a port to do so and then doesn’t your router need make them talk through that port? I’m sure one or more of the Loungers can enlighten us networking noobs. LOL! 😎
It was my understanding that the IP’s 192.168….. & 10.10…. ,used for most home networks, are NON-Routeable addresses?
Oh, they can be routed just fine. It’s just 169.254.x.x that is unroutable. 10.x.x.x, 172.{16-31}.x.x and 192.168.x.x are merely private.
Private IP ranges are not “known” so any standards-conforming router in the public Internet doesn’t know a route to them. That doesn’t mean such packets wouldn’t appear in the public ‘net, it just means they can’t come from very far and are probably from either crooks or honest configuration mistakes.
So if you have a public IP on your router/firewall, it’s a good idea to make a rule to drop any package purporting to be from one of the private ranges that comes in from the public side.
And if you’re in a local 10.x block (some residential buildings and student housing organizations at least are known to have had those, also business parks), well, the other residents can route to you. As can anyone who has hacked into their systems. Network management might give you a subnet that you can firewall off, though.
(Say the network manager gives you a /28 subnet… that’s 14 normal local addresses. Could be for example 10.200.100.192 / 28; that’d mean netmask 255.255.255.240, broadcast 10.200.100.207, and you could use 10.200.100.193 – 10.200.100.206 for your devices.)
Small business networks, well, if you have branch offices or something, if you’re not all cloud-based already it makes a lot of sense to do routing between sites using site-to-site VPN links between the offices’ firewall/router boxes, and then you could have 192.168.1.x in one town’s offices, then 192.168.2.x in another and 192.168.3.x in third, and have those be able to talk to each other through the private routing.
MN,
So if you have a public IP on your router/firewall, it’s a good idea to make a rule to drop any package purporting to be from one of the private ranges that comes in from the public side.
And being the Network Noob I am just how would I go about doing that?
I’m using 192.168.1.xxx with a subnet mask of : 255.255.255.0
Default Gateway: 192.168.1.1
DHCP Server: 192.168.1.1
Is this where I’d make the changes in my router?
Thanks for your assistance! 😎
You don’t have to do anything. Your home router blocks incoming by default – see the GRC test page.
cheers, Paul
You don’t have to do anything. Your home router blocks incoming by default – see the GRC test page.
cheers, Paul
Most home firewalls also allow unhindered inbound traffic for devices/programs that first send outbound traffic.
Only from devices you first sent a packet to. Not from random IPs.
cheers, Paul
Paul, that’s what I thought as, I’m familiar with GRC Shields Up, but I wanted to make sure as I have an Echo and three Dots.
Thanks.
CORRECTING THE RECORD
Much of the information here and in the original story is sub-optimal. Let me correct things.
The idea of separating IoT devices from important computers on a LAN is a good one.
That said, it is only half the story. The next half is blocking IoT devices from seeing each other. The idea being that a malicious/hacked IoT device can not spread badness anywhere.
And, not to pick on IoT, any device that does not need shared network resources should be in a network that gives it Internet access – period. No such device should be able to scan its subnet and see any other device. Even an iPad just used for YouTube should be isolated so that it can not see any other devices in your home.
A second router does not fully isolate the devices that only need Internet access. It still allows one IoT device to interact with another one in your home.
A guest network may or may not isolate the devices on the Guest network from each other. You would have to test each router to see. Some have a configuration option for this, most do not.
A second router is also not the only way to make a new network for un-trusted devices, a VLAN is another option. Read about VLANs here
That said, consumer routers do not support VLANs. My favorite router, the $200 Pepwave Surf SOHO is not a consumer router and it does support VLANs. So too do routers from Ubiquiti.
You also want to prevent untrusted devices from being able to logon to the web interface of the router from the LAN side. A Guest network probably does this, but test it. The Surf SOHO supports this.
My home has two SSIDs from the Surf SOHO. One is assigned the main network which is where shared devices (a network printer, a NAS) exist. The other is assigned to an isolated VLAN that allows Internet access and nothing else. Devices on this network can not see anything but the Internet. Any time I use a tablet, I connect it to the isolated VLAN.
The comment about UPnP was spot on. It is a huge security issue. See more about it at RouterSecurity.org.
As for firewalls, any router purchased at retail can be expected to block all unsolicited incoming traffic from an IP address, public or private. No need for firewall rules. In fact, consumer routers generally do not support firewall rules. A router/gateway provided by an ISP is likely to have holes punched in the firewall. You can test the firewall using assorted online tests listed here routersecurity.org/testrouter.php That said, this is best tested offline with nmap.
As for Alexa spying on you, see the Voice Assistant topic at defensivecomputingchecklist.com
Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com
That said, consumer routers do not support VLANs.
You can cheat by purchasing something like a TP-Link C7 and loading DD-WRT on it. Then you can do VLANS, multiple SSIDs, etc.
cheers, Paul
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
