From 50428ea53d6ac4d2039b36a60759130caac8794a Mon Sep 17 00:00:00 2001 From: stefanbode Date: Fri, 4 Aug 2017 11:26:26 +0200 Subject: [PATCH] Updated Securing your IoT from hacking (markdown => org) --- ...m-hacking.md => Securing-your-IoT-from-hacking.org | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) rename Securing-your-IoT-from-hacking.md => Securing-your-IoT-from-hacking.org (57%) diff --git a/Securing-your-IoT-from-hacking.md b/Securing-your-IoT-from-hacking.org similarity index 57% rename from Securing-your-IoT-from-hacking.md rename to Securing-your-IoT-from-hacking.org index 0db085d0..dc78a8b8 100644 --- a/Securing-your-IoT-from-hacking.md +++ b/Securing-your-IoT-from-hacking.org 
@@ -26,11 +26,18 @@ I hope these four typical scenarios ( the list is not complete) give you some id That you should have a long WLAN key and use WPA2 for encryption is a "no brainer". This is a minimum requirement. Now think about someone can extract the password from the device. E.g. because the device is in the garden and someone with a Laptop and some USB stuff can connect and extract information. The hacker will get the key. The ONLY possible preventive action to mitigate worst case scenario is to have a second WLAN, like the "FritzBox Guest WLAN". Many other routers offer similar things. This guest WLAN has no access to your private WLAN. Additionally, there are some interesting switched you can configure for the WLAN. -At the FritzRouter you can configure "network separation" +At the FritzRouter you can configure "/////////network separation/////////". At Fritz this is done by DISABLE "/////////The wireless devices connected with the guest access can communicate with each other/////////". This does mean, that a device in the network can not interact with any other device in the WLAN. It can only communicate with the Internet. This simple configuration prevents any attacker to do nasty stuff on YOUR network. Now we have to take care, that the attacker is not creating a Bot-Net and sending e.g. Spam-Mails. +Normally a device in the "guest WLAN" can use any internet service. For our IoT devices and for any new device we can create a Router rule, that ONLY MQTT is allowed and any other traffic is blocked. This is a great configuration because it limits the options what a hacker can do. In this case, he can only attack other MQTT servers; not really interesting. And if you change the port of your MQTT server to something unused like Port:12345, you're done. +Now you will probaly ask two questions: +1.) How can I communicate with my MQTT Server in my personal WLAN, if only traffic into the internet is allowed? +2.) 
How can I access the WebConsole of my devices to upload new Firmware and/or make investigations? + +The first topic will be solved by exposing your MQTT server to the Internet (no worries, can be done secure). +The second topic has only a workaround. If you want access to your devices you need to change the configuration temporary on your router and ENABLE "/////////The wireless devices connected with the guest access can communicate with each other/////////". Secondly, you must login with your Laptop into the GuestWLAN to be able to communicate. If the Webserver is running you should be able to connect and upload e.g. a new firmware ## Securing your communication for IoT -TBD +In the world of IoT devices and more and more devices in a network it is essential to use encryption ALL the time. The TASMOTO project is able to enable encryption for MQTT. This is great. But it cannot enable encryption on the WebServer. This is bad. As a conclusion, the Webserver must be switched OFF all the time and only be switched ON for administrative purpose. This also disable the feature to change the Relay Status with a HTTP REST call. But this ## Prevent to become part of a botnet TBD
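Review bot: the added line "if you change the port of your MQTT server to something unused like Port:12345, you're done" presents a port change as the finishing control, but a non-standard port is obscurity, not security: a port scan finds the broker, and the "ONLY MQTT is allowed" router rule (by port) still lets a compromised device reach any broker on that port, which the same paragraph concedes. Suggest keeping the port-only egress rule and the port change as hardening, but rewording so that the TLS and broker authentication named in the next section ("The TASMOTO project is able to enable encryption for MQTT") are stated as the actual controls, and dropping "you're done". Two documentation points in the same hunk: the last added paragraph under "## Securing your communication for IoT" stops mid-sentence at "This also disable the feature to change the Relay Status with a HTTP REST call. But this", so either finish the thought or cut back to the previous full stop before the "## Prevent to become part of a botnet" heading; and since the file is renamed to .org, note that org-mode italics use a single "/" on each side, so the nine-slash runs in "/////////network separation/////////" and "/////////The wireless devices connected with the guest access can communicate with each other/////////" look like a conversion artifact and will render literally, while the retained "##" headings are markdown rather than org "*" headings. Spelling and grammar in the added lines: "probaly" -> "probably", "switched you can configure" -> "switches you can configure", "change the configuration temporary" -> "temporarily", "TASMOTO" -> "Tasmota", "prevents any attacker to do" -> "prevents any attacker from doing", "This also disable" -> "This also disables", "can be done secure" -> "securely".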