SmartThings Community

Network Security: A guide to securing your IoT home

security

(Tim Slagle) #1

Hello everyone!

I wanted to put together a post that I think will help educate people on how to secure their home network in the IoT world. Some of you may ask why I think this post may be necessary. Here’s the deal, most of the big IoT companies take security very seriously, and SmartThings recently came out on top as far as security goes with smart home devices (Congrats STs!!)

Your network security is only secure as the weakest point of entry. So although SmartThings, and others, take the security of their product seriously, if you do not take the security of your own network as seriously your network can be vulnerable.

Keeping your network secure from 99% of the world is relatively easy with a few simple steps. I will go over some of the things you can do to secure your home network and provide some insight into why and what each step does to secure your network.


  1. Never use the “stock” username and password for ANYTHING. You don’t want to do this for a few reasons.
  2. For all routers in the world there is generally a stock admin username/password that a quick google search will reveal. Most of them are something like Username = admin password = password.
  3. If you have an IP camera and use the stock Username/Password you run into the same problem. Most of them are exactly the same. Change those bad boys!
  4. Stock Wi-Fi WAN passwords are "OK" but in theory they are relatively weak.
    1. The access point name tends to be very similar for many router brands. People will zero in on these because they assume they are left relatively unsecure.
    2. The passwords are generally devoid of all the good characters. Your passwords should always contain At least one of the following categories and be at least 10+ characters long
      1. Uppercase letters
      2. Lowercase letters
      3. Special Characters
      4. Numbers
  5. Your password should not have any personal tie to you or your family.
  6. Turn on your firewall
    1. Your firewall is probably already turned on but it’s worth checking.
    2. Your firewall will keep anyone from scanning your network from across the world looking for open ports.
    3. An open port can be a gateway for someone to be able to look into your network.
  7. Turn on Mac Filtering
  8. This is one that a lot of people don’t turn on. Mostly because it then requires active management of your network.
  9. Every device that can connect to a Wi-Fi network has a unique ID called the “physical address” or “MAC” (Media Access Control) address. Wireless routers can screen the MAC addresses of all devices that connect to them, and users can set their wireless network to accept connections only from devices with MAC addresses that the router is set to recognize. In order to create another obstacle to unauthorized access, change your router’s settings to activate its MAC address filter to include only your devices.
  10. Turn wireless broadcasting off
  11. While this may be a little bit of an inconvenience when adding a new device it can add some major security benefits.
  12. Wireless routers may broadcast the name of the network (the “SSID”) to the general public. This feature is often useful for businesses, libraries, hotels and restaurants that want to offer wireless Internet access to customers, but it is usually unnecessary for a private wireless network. It is recommended that owners of home Wi-Fi networks turn this feature off.
  13. Disable ping (ICMP) reply on router’s/firewall’s outside interface
    1. Typically port scans aren’t run against nodes that appear to be down

These few things, although seemingly simple, are not done by most people. Keeping these things in mind can make a world of difference in your network security and allow you to have more peace of mind as you build your IoT network at home.


Resources

Here are some articles that can give you some insight into the importance of the points above.

SmartThings comes out on top in respect to IoT security

The guide to password security (and why you should care)

If your router is still using the default password, change it now!

Changing Router Admin Password:
Netgear
Linksys

Change Wireless Name/Password:
Negear
Linksys
AirPort Extreme
D-Link

Turning off SSID Broadcast:
Netgear
Linksys
Airport Extreme
D-Link


I hope this helps! Most people here may already know this stuff but, for those that don’t please feel free to ask me questions here or through a PM.


Disclaimer: I am not responsible for any damage done to your equipment through external or internal means.


Security of SmartThings ecosystem
VPN connection for Smart Home?
Internet Security for IoT? Anyone using Bitdefender or something similar?
SmartThings Security
My Home Automation Addiction
Dedicated router for home automation?
New to Forum - Worried about Remote Access security
Question about Smartthings platform security (2018)
(Ron) #2

I agree with 1 and 2.

3 makes things a little harder for the non-hacker but then again isn’t it the hacker we are trying to protect ourselves from.

4 does nothing. Even a non-hacker can see the SSID even if broadcasting is off. iOS,Android and pc apps can be easily downloaded that show you all the traffic in your area.

More about some of these security myths…


(Tim Slagle) #3

Yeah I thought about not including them… But it’s not gonna hurt so why not:)

It also just makes it a tiny bit more difficult… So what the heck, I say do it:)

The dead bolt on my door is really the only thing keeping it from being kicked in yet I lock my door knob too.


(Ron) #4

Understood, I don’t bother with SSID non-broadcast when I discovered how easy to see all the SSID’s that are not broadcasting with standard apps. Mac filtering is OK but not hard to beat.

Just didn’t want folks to think these are anything that would really help them in lieu of any other feature. Most important is securing with non-standard passwords. After that everything else is just extra.

Too many people still use the default passwords because they are afraid of forgetting.


(Tim Slagle) #5

all valid points!

super cool of you to add your input. Thanks!


(Mike Swanson) #6

Excellent post. Well done, sir.


#7

No metter. @tslagle13 Your points are valid. Why make it easier for someone to get in. Turn the SSID broadcast off…Use a Hell of a password…Increase the Level of your Firewall filtering (both Computer and Router)…Enable MAC filtering…I do all of the above. And I also have a Hardware Firewall to boot. If it helps, Do It!.


(Tim Slagle) #8

This is always my theory with anything security related. Whether that be physical or non-physical.

In my opinion most people are lazy, so the harder i make it, even if just by a fraction, the more likely they are to think it might not be worth the time.


(Jovan) #9

how 'bout the opposite effect? if you’re trying THAT hard to make it difficult to get in, you must be hiding something REALLY valuable :wink:


#10

Yeah…My Private life from the Big Brother.


#11

If your stuff is that valuable, you’re not relying on SmartThings and a WiFi router for your security system. :wink:


(Tim Slagle) #12

haha! Maybe if you’re living large and living in Palo Alto… but where i am now no ones stuff is that valuable :wink:


#13

Or Hamptons for that matter. Al the rest of us just keep photos of our families on our NAS.


(Keith Croshaw) #14

Nice post. Glad I did most of that a while ago. My fios router has a log that reports warnings when failed login attempts occur, good to keep an eye on.

Also making sure Telnet is disabled if you’re not using it would be another good idea.


(Jovan) #15

disable ping (ICMP) reply on router’s/firewall’s outside interface - typically port scans aren’t run against nodes that appear to be down…


(Tim Slagle) #16

Good idea, added this to the OP


(Kevin Shuk) #17

Not specifically ST related, but while passwords are still the primary security mechanism for various and sundry sites and services (with or without 2FA), I’d recommend using long, generated passwords that are different on EVERY site and service. Of course, that’s horribly inconvenient… unless you use a good, ubiquitous password manager.

I’m a huge fan of 1Password, but there are others - LastPass, Dashlane, etc. I’m not doing a review or sales pitch, just saying what I use. I have my Mac client, and iOS clients that sync. I’m all Mac, so I use the iCloud sync, but 1P can use Dropbox as well, which is important as 1P has Windows and Android clients, too.

These managers aren’t just digital black books where you look up the site, and type/copy the password from it to type/paste into the site. They integrate with browsers to automatically fill out the login forms where possible, detect when you up for a new account and offer to record those credentials, and detect when you change credentials at a site and offer to update the stored credentials. For sites that offer 2 factor auth, 1P has recently added support for TOTP which is what Google Authenticator implements, so it can store/sync your 2FA as well.

The point being, there are prominent attacks and security breaches with high-profile internet systems all the time with thousands to millions of accounts being compromised. Of those, attackers then gain access to the actual password of some of those accounts (most likely, they used ‘bad’ passwords) Or a more localized attack that compromises passwords on one machine, or just machines infected with malware, or on a particular network.

Attackers aren’t often after access to the accounts at the site they hacked - they want to see where else those keys will get them. Like your email account. And I’ll bet your email has pointers to other sites that you belong to where they’d like to try those same credentials. Like your bank. Or your home automation’s online management console.

Using a password manager feels a little clumsy at first as you get everything into it, and keep it current which can be done mostly by just using it as you log in/sign up at sites.

OK, that was longer than I’d intended. Be safe - diversify your strong passwords!

Bonus tip: treat security questions like passwords as well. In 1P, I can add custom lines to a site’s record where I type the question, and then make the answer field a password-type, so I can generate it and keep it obscured. Just ask my mom, who’s last name before she married was dri-uD-tEsp-al-E-op. She always said I was foolish for naming my first dog ‘u9g.VjB9]ehB6NE.’ Who’s laughing now?

Double-bonus tip: The password manager record is a great place to store your recovery codes for your 2FA accounts as well, of which hopefully ST joins the ranks soon…


((Possibly not the Matt you're looking for)) #18

I’ve been thinking about this for a few days now:

The difference between people saying there are security “myths” and those saying these are reasonable precautions arise from different assumptions about the intruder.

If an intruder wants to hack your network, minor security improvements won’t matter.

If an intruder wants to attack a network, minor improvements may make your network less attractive than, e.g., your neighbors’ network. Minor improvements may not make your home network impregnable, but it makes them less of a target of opportunity when compared to other nearby targets. And, frankly, unless you are running the Secretary of State’s mail server out of your house, odds are your home’s real security risk is just as a target of opportunity.*

As the saying goes, when the bear attacks your hiking group, you don’t have to run faster than the bear. You just have to run faster than the guy next to you.

  • YMMV.

(Tim Slagle) #19

My thoughts exactly.


((Possibly not the Matt you're looking for)) #20

Also, screw iPhone Autocorrect! :stuck_out_tongue: