When Friendly Thermostats & Toasters Join The IoT Dark Side

By Joe Gray

We are now in the wake of two of the biggest and most damaging Distributed Denial of Service (DDoS) attacks seen to date. Brian Krebs' Krebs on Security was subjected to a 620 Gbps DDoS. About a month later, a second and more damaging attack was levied against the DNS provider Dyn, leaving the websites and resources of Twitter, Amazon, and other Dyn customers without redundant DNS inaccessible to users on the US East Coast.

Read the statement from Dyn here.

The issue here lies in the fact that devices inside businesses and homes are being conscripted as weapons. To date, little is being done to prevent this from getting worse. I feel that it must get worse in order to get better.

Rob Joyce, Chief of NSA's Tailored Access Operations (TAO, essentially the offensive arm of the NSA), said during a keynote at Security BSides Augusta, GA, that he projects the Internet of Things (IoT) to be the single greatest security issue by the year 2020.


My Analysis

As things become "smart," the threats they pose become more advanced. I never thought of hackers having the ability to attack things from a cell phone, yet the PwnPhone (like we saw on Mr. Robot) exists.

With the smartphone as the hub, the "smart (insert device here)" movement is upon us: thermostats, doorbells, grills/barbecues, refrigerators, televisions, and more. As more of these devices come online, the pool of assets available to compromise and enlist in a botnet grows, because nearly all of them are Internet-connected so they can talk to their smartphone apps.

Because the market is so competitive, IoT producers are increasingly focused on time to market and are forgoing security altogether.

The battle of security versus usability ("make it work") is not even being fought: the minimum viable product ships without minimum viable security.



The question becomes, "How do I secure my IoT systems?" At this point in time there is no complete solution. You can avoid IoT entirely or accept the devices as they ship; beyond that binary choice, the one lever you control is the security architecture inside your own network. Below, I discuss this for the home and for business.


Home Use
IoT in the sense of home use refers to Internet-connected devices for convenience and miscellaneous use. Among others, these are refrigerators, thermostats, light bulbs, fitness trackers, Digital Video Recorder (DVR) units, televisions, baby monitors, and home security systems.

I am assuming that you have a home wireless router, either given to you by your ISP or one that you purchased and configured yourself. For this, there is an elephant in the room: UPnP (Universal Plug and Play). This feature lets devices discover each other easily and, more dangerously, lets any device on the LAN ask the router to forward inbound ports to it, effectively punching holes in the firewall without any user action. I have heard of cases where this exposed Telnet, a cleartext remote-login protocol whose credentials and sessions can be trivially sniffed. Disable UPnP on the router and check which mappings devices have already requested; a UPnP client such as miniupnpc (`upnpc -l`) will list them.

How do I secure this? Simply put, there is no complete solution yet.

In the meantime, follow these steps:

  • Put a firewall appliance between your home router and all devices. I recommend pfSense. It is free and open source; alternatively, you can purchase a pre-built appliance on the pfSense website for between $150 and $300, depending on your needs.
  • Connect a second home Wi-Fi router (in access-point mode) to the pfSense box for the IoT devices. You can also add Wi-Fi to the $299 pfSense appliance for an additional fee.
  • Create a separate network (its own interface or VLAN on pfSense) on the second router for your IoT devices.
  • On the firewall, create a rule that explicitly blocks the IoT network from reaching the Internet. Be aware that most consumer devices phone home to a cloud service and will lose their app features while this rule is in place; where a device must have Internet access, allow only the specific destinations and ports it needs rather than everything.
  • Modify this rule periodically to let the devices pull updates (assuming updates are available for them).
  • Disable the UPnP service on the firewall, and create a second rule that denies all connections from the IoT network to the non-IoT devices.
  • Create a rule that allows the non-IoT device subnet to connect to the IoT devices (you can make this as granular as you'd like).
  • Create the rest of your firewall rules (do not forget the implicit deny: anything you did not explicitly allow is dropped, so keep the allow rules narrow).
  • Establish a VPN (for example OpenVPN on pfSense) that terminates on the non-IoT subnet so you can view your IoT devices (i.e. refrigerator or baby monitor) from anywhere without exposing them to the Internet.
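The steps above as one ruleset in pf syntax, the packet filter underneath pfSense. This is an added example written for this page, not pfSense-generated output or the author's own configuration. Interface names (em0/em1/em2, ovpns1), the 192.168.10.0/24, 192.168.20.0/24 and 10.8.0.0/24 ranges, the OpenVPN port, and the update hostname are all assumptions for illustration.

```pf
# Added example ruleset (assumed interfaces and addresses, see lead-in).
wan = "em0"                     # upstream, to the ISP router
lan = "em1"                     # trusted devices
iot = "em2"                     # second Wi-Fi router and the IoT devices
vpn = "ovpns1"                  # OpenVPN server tunnel interface (assumed)
lan_net = "192.168.10.0/24"
iot_net = "192.168.20.0/24"
vpn_net = "10.8.0.0/24"         # addresses handed to VPN clients (assumed)

# Private ranges, used to tell "Internet" from "local" destinations.
# A table is used because pf cannot negate a { list }, only a table.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Update window: load the vendor's update hosts into this table when the
# devices should update, and flush it afterwards, e.g.
#   pfctl -t iot_update -T add updates.example-vendor.com   (assumed name)
#   pfctl -t iot_update -T flush
table <iot_update> persist

set skip on lo0
scrub in all

# Hide both inner subnets behind the WAN address.
nat on $wan from { $lan_net, $iot_net } to any -> ($wan)

# Raw pf is last-match: this block is the default and only the pass rules
# below override it. (The pfSense GUI adds "quick" to every rule, making
# its lists first-match, so order them the other way round there.)
block log all

# Manage the firewall itself only from the trusted subnet.
pass in on $lan proto tcp from $lan_net to ($lan) port { 22, 443 }

# Trusted subnet: out to the Internet, and into the IoT subnet.
# Narrow the second rule per device once you know which ports its app uses.
pass in on $lan from $lan_net to ! <rfc1918>
pass in on $lan from $lan_net to $iot_net

# IoT subnet: DHCP and DNS against the firewall itself, nothing else.
pass in on $iot inet proto udp from any port 68 to any port 67
pass in on $iot proto { tcp, udp } from $iot_net to ($iot) port 53

# Update window: only the tabled destinations, only HTTP(S).
pass in on $iot proto tcp from $iot_net to <iot_update> port { 80, 443 }

# Everything else from the IoT subnet, whether to the Internet or to the
# trusted subnet, falls through to "block log all". Replies to connections
# the trusted subnet opened are matched by state, so no iot -> lan pass
# rule is needed.

# VPN: OpenVPN listens on the WAN; connected clients may reach both inner
# subnets and so can view the IoT devices without exposing them.
pass in on $wan proto udp from any to ($wan) port 1194
pass in on $vpn from $vpn_net to { $lan_net, $iot_net }

# Packets the firewall itself originates: DNS, NTP and its own updates on
# the WAN side, DHCP offers and the like on the inner interfaces.
pass out on $wan
pass out on { $lan, $iot }
```

Load it with `pfctl -nf /path/to/pf.conf` first (syntax check only) and then `pfctl -f`, and watch the blocks with `tcpdump -n -e -ttt -i pflog0`; an IoT device hammering a blocked destination shows up there immediately, which is exactly the signal you want when one of them is recruited into a botnet.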


Business Use
IoT in the sense of business use refers to Internet-connected devices for limited business use, R&D, convenience, and miscellaneous use. Among others, these are Closed Circuit TV (CCTV) and camera systems, thermostats, (by some measures) printers, and other devices that should either not be on the network or on a segmented network.

While I am not sure exactly why there is IoT in a corporate environment, it does exist. It poses more serious threats to the business than to the home: data exfiltration, the possible inability to properly inventory network devices, skewed vulnerability scan data, and of course consumption of business bandwidth.

Businesses must take a proactive stance, not only inventorying their assets (part of the CIS Critical Security Controls) but also actively monitoring and protecting their enterprise. To this end, and similar to home users, businesses should put the following controls in place:

  • Create a user network entirely segregated from the production, test, and development environments.
  • Mandate that all users who want to connect devices to the user network adhere to an Acceptable Use Policy. If you don't have one, get one. SANS has one here.
  • Ensure that traffic on the user network is still monitored, filtered, and within the confines of the business' Acceptable Use Policy.
  • Lock down the other networks so that connections to and from the user network are denied.
  • Implement 802.1X (Port-Based Network Access Control, or PNAC; not to be confused with switch "port security", which only limits the MAC addresses seen on a port), egress filtering, monitoring, asset discovery, and general information security best practices. Most IoT devices cannot do 802.1X at all, so plan for MAC Authentication Bypass (MAB) that lands unknown devices in a restricted VLAN rather than leaving ports open.
  • Finally, train your users and explain the risk the devices pose to the business and their livelihood; do so without being punitive or threatening.


IoT seems to be here to stay

We cannot change or delay its arrival, but we can take proactive steps to try and improve the security posture in our own organizations to not only protect our assets, but to be good stewards to others in cyberspace that may be impacted by our IoT devices, should they become compromised.

I am excited to see the upcoming research and breakthroughs in IoT from the information security community. It is time to stop complaining about the problem and time to find a proper solution. Kudos to Larry Pesce and InGuardians for developing an assessment solution in the IoTA (Internet of Things Attack) methodology as a way to help organizations understand the risk that these devices pose without making the news.

About Joe Gray

Joe Gray joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword and Shield Enterprise Security in Knoxville, TN.

More About Joe