TWIG 576: Stardenburdenhardenbart

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

I just started the podcast, but Leo’s lament about the lack of excitement regarding new phones is shared with me, & I’m sure many others. I miss the days of new functions with each release. The things that all those in tech are reporting about these days are a real stretch. To get excited about Apple Tags, a no doubt overpriced Tile seems, well, silly. To get giddy over a new color, oy! The shine has worn off new phones for the average person.

part of this seemed to be very related to the SN episode. Just think about it, Leo… if your IOT device works from ‘out there’ and doesn’t rely on any hub etc. in your home, isolation won’t break any features.
one thing you can add to your isolation toolkit - ubiquity UNIFI access points let you put each SSID on its own VLAN. some people go so far as to put each device on its own VLAN, not just one VLAN for all IOT! talk about isolation!
Running everything (all the various subnets and vlans) thru something like pfsense lets you have full control and do much snooping/investigation as to what each IOT device does. My govee water leak sensor hub, for example, makes a http (not https) connection to some server out there every so many seconds and sends sensor status in cleartext. no real danger there, but at least you can see how things work.

Just at the start of the podcast, but re: bubbles security

@Leo’s claim is actually false. The old way apps did Bubbles was indeed a huge security flaw, they required “draw over other apps” permission, which was highly abused. This is actually the reason why Android baked Bubbles into the OS, so now apps can have bubbles without that API. The bubbles API is its own thing and is handled at the OS level, not the App level. So it is now secure and uniform across all apps.

Regarding the idea of avoiding panic - I could envision a president avoiding panic for the people yet working quietly in the background to deal with it effectively. but totally ignoring it and doing a bunch of rallies is just plain criminal. he could have worked to replenish inventories, not send PPE to China, and work on the action items from the last pandemic simulation.

in addition, I think the panic he was REALLY worried about was panic of the stock market!

2 Likes

One thousand percent.

1 Like

@Leo, Stardenburdenhardenbart is not German!! It is an English word constructed to sound German…

1 Like

curiously it made its way into the urban dictionary but the entry looks shaky to me

No idea where it came from. But it certainly isn’t German. I asked my colleagues at work and my wife and none have ever heard of it ( I lune and work in Germany).

Among the many topics that made their way into this week’s show, the question about whether IOT devices need full LAN access seems intriguing to me. At first blush, if an IOT device is standalone and functions when the associated App is away from home, it seems like there ought to be no impact from isolating the device. For more complex architectures, I’d love to hear more on an appropriate 'cast. For example, what can be done to minimize the delay between when someone approaches a doorbell cam and when the owner can see video, with best solutions possibly different depending on whether you are at home or not. Or maybe stuff like this is already in the IOT podcast?

Well this implies all communication between your control device and the device being controlled is happening over the public Internet, and that a hole got punched into your firewall to allow said traffic.

If you want a WiFi only device to control devices locally, without involving the public Internet, then you need to punch the same holes into your isolation.

@gigastacey I would still block all IoT devices from my main network and put them all in a separate VLAN - I have one set aside, even if I don’t actually have any IoT devices yet.

The kit is generally “cheap”, not good for security. The kit is generally underpowered, to keep costs down, not good for security. A lot of it isn’t even designed with security in mind and doesn’t come with regular security updates. That all makes me very reluctant to use the kit, let alone put it on my main network.

I have come to the conclusion that buying “dumb” devices and putting cheap “smarts” in, where it makes sense, is the best method. I mean, if you buy a dishwasher, you hope it is going to last between 10 - 20 years. How long is the “smart” side going to be supported? How often will it get security updates?

In the end, I still have to manually load the thing and unload it. A little door opens when it needs more salt or rinse fluid and I check that regularly, when I go shopping, as to whether I need to buy more. Making it smart doesn’t add anything and makes it an additional security risk over the long term.

My Android TV? Support dropped after 18 months. It is now disconnected from the network and I won’t be looking for a smartTV when I replace it - or at least the “smart” side will be totally irrelevant to the buying decision.

Just been listening to the discussion brought on by the additions to his network, that Steve Gibson made. I’ve also heard the latest Security Now podcast where Steve describes what he did.

I’d like to point out that you are comparing oranges, bananas with this IoT discussion.

My network is the 3 dumb router setup using a Ubiquiti EdgeRouter X, Ubiquiti access points. I used a PDF document that Steve has on his “Link Farm” that came from Mike Potts, describing how he did it.

– Some devices IE Kasa, which has an app, and WiFi connected devices. NO matter what network they are on, an external server is used to handle the commands. I just double checked. All my Kasa devices are on a separate WiFi ssid, and network segment via VLAN. A Nest thermostat, Hello doorbell, and Nest security camera, are on the IoT ssid, as well.

I have a Nest thermostat version 1 that refuses to connect to my IoT ssid, so it is on my regular WiFi network segment.

– Some devices are controlled by a hub. I have a SmartThings hub v2, that is connected to a wired NIC on the EdgeRouter, and is configured to be a separate network segment.

– The rest of my IoT devices, some Google Home minis, and a Nest Hub Max are on my normal Wifi network segment. They have to be, in order for the Google app to talk to them.

If you are using an app, that require you to connect to an external site, to control an IoT device, then it will likely work fine on a separate WiFi network segment. I do not have a Hue hub, but unless it has software that allows it to operate normally, if the internet is out, it likely would also work fine on a separate network segment.

And that is the real test, will your app talk to a device, if the internet is down? If yes, then the device has to be on the same network as your phone or tablet.

Not a very high bar.

You just confirmed our speculation - some IoT devices need to be on the same LAN segment if you want to communicate with them.

San Diego, California Burning 1971 taken from the barracks at Naval Training Center

1 Like

It would be interesting and maybe entertaining to have Stacey and Steve on a episode together to debate/discuss IOT security. I really like to listen to Security Now but sometimes I get the sense that some of this stuff has past Steve up. Its not a criticism. Not everyone can know everything about everything.

2 Likes

It is a matter of differing philosophies and priorities.

Do you trust the equipment on your network?

Are the security patches up to date and does the manufacturer support the kit properly and have they really understood the security implications?

A lot of manufacturers only pay lip service to security, and price isn’t always a guarantee of quality or length of support, as Sony has shown, many of their smart TVs get less than 6 months of support, before security updates stop and apps cease to work.

These devices are easy to breech and from there take over the rest of the network. It is a difficult decision, is there anything on your network worth protecting?

1 Like