7 April 2021

Protect the LAN

This post is a brainchild of two big topics: forced digital transformation and an increase of “smart” things in an average household. Unfortunately, both of these topics have significant security-related issues.

Isolation has played the main role in moving a huge part of the population to work from home, and a lot of PCs have moved out of a controlled company network into a home network. Are home networks any good? They are usually much safer than public networks. So working from home is more secure than working from, let’s say, Starbucks, right? It’s definitely harder for a bad actor to get into your home network, but it’s not impossible. And usually it’s much easier to get in and stay undetected there than in a corporate network.

Here comes the second topic, “smart” devices. Nowadays it’s almost obligatory for tech to be “smart”, and I don’t have a problem with that. I’m a huge fan of Home Assistant, an open-source home automation system. Opening curtains, heating the floor in a bathroom, vacuuming: all good tasks to automate. Each one is not that impressive on its own, but when there is a central system that can perform complex scenarios with a variety of automated tasks, it feels like living in the future. Sounds good! Not at all! Many of these “smart” devices are not just incompatible with Home Assistant but incapable of being “smart” without an internet connection. They just absolutely have to call home and dump a whole lot of data.

There are some benefits to communicating with a server somewhere out there on the internet: easy over-the-air updates, and access to the device from anywhere as long as you have internet. That is a cool feature, but not every device needs it, and it absolutely should not be the only way to programmatically access a device. Besides those devices suddenly becoming “dumb” when the servers go down (and they eventually will, due to the end of a support cycle or the company simply ceasing to exist), there are poor implementations. We should not expect a company known for producing good washing machines to become an all-knowing IT corporation. Somehow plenty of companies, from small startups to ancient giants, decide to DIY some unnecessary server-based solution. Usually it’s bad, and it opens doors to bad actors who have managed to get access to a “smart” device’s server or to intercept the communication in between. A regular firewall and NAT do barely anything against these attack vectors.

What can we do?

The market for smart home appliances is rapidly growing, so it’s a perfect time to vote with your wallet. Do your research and choose products that don’t invade your privacy or demand internet access. I have to give Apple some credit here, because HomeKit looks decent in terms of the security requirements you have to meet to become part of the ecosystem. This is while they send back every application start event you generate on macOS. The last thing I have to mention on the HomeKit topic is Homebridge, a way to connect many devices that don’t support HomeKit.

Ok, choosing a product is fine, but that’s about the future. What can we do with the ones we own already? Divide and conquer! That is going to be the answer till the end of this article.

Untrusted IoT devices? Throw them into a separate VLAN. Our goal here is to separate your precious workstation from the compromised cattle. You should be able to open a connection into the IoT network, but devices in it should not be able to initiate connections to you. If there is no VLAN and firewall configuration in your router, there is still a chance your router supports guest WiFi. It’s also a viable option for this type of device.
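One way to express that one-directional rule on a Linux router, as an added nftables example that is not from the original post. It assumes VLAN sub-interfaces eth0.10 (trusted LAN) and eth0.20 (IoT VLAN) and eth1 as the WAN uplink; change the names to match your router.

```nftables
# Added example (not from the original post). Assumed interfaces:
#   eth0.10 = trusted LAN (your workstation), eth0.20 = IoT VLAN, eth1 = WAN.
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were initiated from the trusted side
        # (or from IoT towards the internet) are allowed back in.
        ct state established,related accept
        ct state invalid drop

        # Trusted workstations may open connections into the IoT VLAN,
        # e.g. Home Assistant polling a device.
        iifname "eth0.10" oifname "eth0.20" accept

        # IoT devices may reach the internet, but nothing else.
        iifname "eth0.20" oifname "eth1" accept

        # Anything new from the IoT VLAN towards the trusted LAN is logged
        # and dropped: devices must not be able to initiate connections to you.
        iifname "eth0.20" oifname "eth0.10" log prefix "iot->lan " drop
    }
}
```

The router’s own input chain and the masquerade rule for the WAN uplink are left out; the point here is the asymmetric forward policy, and the log line gives you a cheap detection of devices that try to reach your workstation anyway.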

A separate WiFi network is also good when any of your smart devices use the SmartConfig protocol by Texas Instruments to connect to your WiFi. It broadcasts your SSID and passphrase on your exact channel through a side-channel leak, in plain text or with questionable encryption practices. If someone is listening nearby, your network is compromised just by the act of connecting your brand new smart device.

Users? You might not be living alone, so there are other machines on the network. Other users are probably not security experts, so there is a chance their machines are going to be compromised. It’s possible to give them a separate VLAN, but that might be inconvenient. So a local firewall on your workstation is a must-have.

Now that we are protected from other users, it’s time to protect ourselves from the most dangerous user: ourselves. Separate work and personal machines are the most obvious way to protect your workplace. Dual boot with full disk encryption is another good option (encryption stops one system from stealing from another, but does nothing to protect against corruption). Qubes OS is an awesome way to use one PC and avoid all the hassle of rebooting into another OS.

It’s more of a rant than a structured article, and I’m sorry for that. The point is: please try not to be an entry point for an attacker into your company and your life. Thanks!