TWIG 576: Stardenburdenhardenbart

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!


I just started the podcast, but Leo’s lament about the lack of excitement regarding new phones is shared with me, & I’m sure many others. I miss the days of new functions with each release. The things that all those in tech are reporting about these days are a real stretch. To get excited about Apple Tags, a no doubt overpriced Tile seems, well, silly. To get giddy over a new color, oy! The shine has worn off new phones for the average person.

Just at the start of the podcast, but re: bubbles security

@Leo’s claim is actually false. The old way apps did Bubbles was indeed a huge security flaw, they required “draw over other apps” permission, which was highly abused. This is actually the reason why Android baked Bubbles into the OS, so now apps can have bubbles without that API. The bubbles API is its own thing and is handled at the OS level, not the App level. So it is now secure and uniform across all apps.

One thousand percent.


@Leo, Stardenburdenhardenbart is not German!! It is an English word constructed to sound German…


No idea where it came from. But it certainly isn’t German. I asked my colleagues at work and my wife and none have ever heard of it (I live and work in Germany).

Well this implies all communication between your control device and the device being controlled is happening over the public Internet, and that a hole got punched into your firewall to allow said traffic.

If you want a WiFi only device to control devices locally, without involving the public Internet, then you need to punch the same holes into your isolation.

@gigastacey I would still block all IoT devices from my main network and put them all in a separate VLAN - I have one set aside, even if I don’t actually have any IoT devices yet.

The kit is generally “cheap”, not good for security. The kit is generally underpowered, to keep costs down, not good for security. A lot of it isn’t even designed with security in mind and doesn’t come with regular security updates. That all makes me very reluctant to use the kit, let alone put it on my main network.

I have come to the conclusion that buying “dumb” devices and putting cheap “smarts” in, where it makes sense, is the best method. I mean, if you buy a dishwasher, you hope it is going to last between 10 - 20 years. How long is the “smart” side going to be supported? How often will it get security updates?

In the end, I still have to manually load the thing and unload it. A little door opens when it needs more salt or rinse fluid and I check that regularly, when I go shopping, as to whether I need to buy more. Making it smart doesn’t add anything and makes it an additional security risk over the long term.

My Android TV? Support dropped after 18 months. It is now disconnected from the network and I won’t be looking for a smartTV when I replace it - or at least the “smart” side will be totally irrelevant to the buying decision.


Just been listening to the discussion brought on by the additions that Steve Gibson made to his network. I’ve also heard the latest Security Now podcast where Steve describes what he did.

I’d like to point out that you are comparing oranges and bananas with this IoT discussion.

My network is the 3 dumb router setup using a Ubiquiti EdgeRouter X and Ubiquiti access points. I used a PDF document that Steve has on his “Link Farm” that came from Mike Potts, describing how he did it.

– Some devices, i.e. Kasa, which has an app and WiFi-connected devices. No matter what network they are on, an external server is used to handle the commands. I just double-checked. All my Kasa devices are on a separate WiFi SSID and network segment via VLAN. A Nest thermostat, Hello doorbell, and Nest security camera are on the IoT SSID as well.

I have a Nest thermostat version 1 that refuses to connect to my IoT SSID, so it is on my regular WiFi network segment.

– Some devices are controlled by a hub. I have a SmartThings hub v2, that is connected to a wired NIC on the EdgeRouter, and is configured to be a separate network segment.

– The rest of my IoT devices, some Google Home minis and a Nest Hub Max, are on my normal WiFi network segment. They have to be, in order for the Google app to talk to them.

If you are using an app that requires you to connect to an external site to control an IoT device, then it will likely work fine on a separate WiFi network segment. I do not have a Hue hub, but unless it has software that allows it to operate normally if the internet is out, it likely would also work fine on a separate network segment.

And that is the real test: will your app talk to a device if the internet is down? If yes, then the device has to be on the same network as your phone or tablet.

Not a very high bar.


You just confirmed our speculation - some IoT devices need to be on the same LAN segment if you want to communicate with them.

San Diego, California Burning 1971 taken from the barracks at Naval Training Center


It would be interesting and maybe entertaining to have Stacey and Steve on an episode together to debate/discuss IOT security. I really like to listen to Security Now but sometimes I get the sense that some of this stuff has passed Steve by. It’s not a criticism. Not everyone can know everything about everything.


It is a matter of differing philosophies and priorities.

Do you trust the equipment on your network?

Are the security patches up to date and does the manufacturer support the kit properly and have they really understood the security implications?

A lot of manufacturers only pay lip service to security, and price isn’t always a guarantee of quality or length of support, as Sony has shown: many of their smart TVs get less than 6 months of support before security updates stop and apps cease to work.

These devices are easy to breach and, from there, take over the rest of the network. It is a difficult decision: is there anything on your network worth protecting?


FYI, my 1st Gen Nest thermostat is connected to my IOT network just fine. Did you join the IOT WiFi when setting up the Nest?

Also, just curious: what are your “3 dumb routers”? You only list one: the ER-X. And that’s a rather “smart” one! :wink:

Hue has the best implementation of any IOT I’ve used. It works in Local-Only mode and you can add “Out-Of-Home” access if you want. Most devices do not seem to have a local-only mode, I suspect because they want to always be collecting analytics!

You quoted me talking about two LOCAL devices interacting, and then mention a device that is not local because it is using the public Internet. This is apples and oranges.

My point was simple: if the word “isolation” means anything, then the device stands alone. It doesn’t matter how it’s designed; if your firewall won’t let it talk to anyone, then you will not be able to control it, locally or otherwise. If you’d like it to be controlled by some other means, then you’re left deciding which interactions you wish to allow through your firewall (aka your isolation).

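As an added illustration of the “separate VLAN for IoT” advice and the “decide which interactions to allow through your isolation” point made in this thread (this is example configuration, not any poster’s setup), here is an EdgeOS ruleset for an EdgeRouter X like the one mentioned above. It assumes a main LAN of 192.168.1.0/24 untagged on eth1 and an IoT VLAN 20 on the same port at 192.168.20.0/24; IoT devices may reach the Internet (for cloud-controlled kit) but may not start connections into the main LAN, while a phone on the main LAN may still open a session to an IoT device and get replies back.

```edgeos
# Added example, not configuration from any poster. Assumed addressing:
#   main LAN  192.168.1.0/24  (untagged on eth1)
#   IoT VLAN  eth1.20 = 192.168.20.0/24 (tagged VLAN 20 on the same port)
# IOT_IN filters traffic the IoT VLAN sends through the router.
set firewall name IOT_IN default-action drop
set firewall name IOT_IN description "From IoT VLAN to other networks"
# Rule 10: replies to sessions the main LAN opened (phone app talking to a
# locally controlled device) are allowed back; the IoT side cannot start one.
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 description "Replies to LAN-initiated sessions"
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
# Rule 20: anything else aimed at the main LAN is dropped and logged,
# so an IoT device probing the LAN shows up in the firewall log.
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 description "IoT may not reach main LAN"
set firewall name IOT_IN rule 20 destination address 192.168.1.0/24
set firewall name IOT_IN rule 20 log enable
# Rule 30: cloud-controlled kit still needs the Internet.
set firewall name IOT_IN rule 30 action accept
set firewall name IOT_IN rule 30 description "IoT to Internet"
# IOT_LOCAL filters traffic aimed at the router itself: only DNS and DHCP
# (assumes the router serves both to the IoT VLAN); everything else is dropped.
set firewall name IOT_LOCAL default-action drop
set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 description "DNS to router"
set firewall name IOT_LOCAL rule 10 protocol udp
set firewall name IOT_LOCAL rule 10 destination port 53
set firewall name IOT_LOCAL rule 20 action accept
set firewall name IOT_LOCAL rule 20 description "DHCP to router"
set firewall name IOT_LOCAL rule 20 protocol udp
set firewall name IOT_LOCAL rule 20 destination port 67
# Create the VLAN sub-interface and attach both rulesets.
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
set interfaces ethernet eth1 vif 20 description "IoT VLAN"
set interfaces ethernet eth1 vif 20 firewall in name IOT_IN
set interfaces ethernet eth1 vif 20 firewall local name IOT_LOCAL
commit ; save
```

Devices that must be discovered by the phone without the Internet (the Google Home case described earlier) hit rule 20 the moment they try to reach the main LAN, so the “does the app still work with the Internet down?” test from this thread is what decides whether a given device can live behind this ruleset at all or needs an explicit exception.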