In defense of the IoT: First-hand experience

The day I turned home network defender and stopped making fun of IoT developers.

Have you ever noticed how often the phrase “I’ve got a bad feeling about this,” has been muttered in the Star Wars universe? The running gag brings some continuity and a bit of humor and anticipation to the experience as you wait for the Easter egg/meme to pop up in each installment. My problem is, it doesn’t pop up much in everyday life.

Well, that changed at #TheSAS2018. This year, the planning team led a series of workshops on the second day. As Denis Makrushin, the leader of the Internet of Things workshop, noted, its purpose was to provide hands-on work rather than the traditional presentation. The workshops were also geared to the varied audience that the conference had and not just the hard-core security researchers.

To me, this sounded like a good addition to the conference. But I’m in communications and marketing; if I attended the workshop, my role would be driving awareness of the sessions at the conference or to our extended audience on social networks. I walked into the room, thinking about how to get Makrushin to agree to speak with me on a podcast, only to find he had something else in mind: “OK, Jeff, I will do the podcast, but you are participating in this workshop.”

I’ve got a bad feeling about this.

According to the conference handbook’s summary of the session, the event was hands-on learning for the Internet of Things and, more specifically, inspecting the security of these devices. We’d be looking at how we could improve the security of connected devices.

Now, this seemed way out of my technological comfort zone. Sure, I once built a Retropi system on a Raspberry Pi, but that was just dragging and dropping games into emulators.

The challenge

David Jacoby beckoned me to sit behind a keyboard on the Raspberry Pi that he was setting up for the workshop, and my feeling of dread increased. I was the first attendee in the room, so he filled me in: For the next hour-plus, I would be on a team, competing against another team to build a home security device that met the following criteria:

  1. Must be built on open-source tech;
  2. Must use network segmentation;
  3. Must be accessible over a VPN;
  4. Must battle default passwords;
  5. Must be usable by absolutely anyone.

Simple, right? I’ve got a bad feeling about this.

As we got closer to the start of the session, more people rolled in, and Jacoby and Marco Preuss split the room into two teams. The other team had guys who worked on various areas of security. Mine was a PR colleague at Kaspersky Lab, a reporter, and me. Great.

Just before the session kicked off, we were joined by a guy who could code and a software developer, so things were looking up a bit. Then Jacoby told us that because of time constraints — we were running up against the event’s closing ceremonies — we would need to look at something theoretical, not actually build a working device. We all breathed a sigh of relief.

Planning a perfect connected device

And…off we went, pen to paper and talking through how we would secure a smart home using open-source technology. Our first decision was whether to use the Raspberry Pi as a router or the firewall. Both sides had merits, but we decided to look into using OpenDNS along with data tables to create an allowlist. From a VPN standpoint, we planned on running OpenVPN and PiVPN. We would also assign our own certificates to devices on the network and have a guest network for visitors of our theoretical home.

We were pretty pleased with ourselves. This security stuff wasn’t so hard. After about an hour of debating and talking through ideas, it was time to present our work to Jacoby and Preuss.

As the pair proceeded to tear apart the first team’s theoretical product, we were feeling confident. After hearing 10 ways that the first solution would not meet all of the criteria, it was our turn. Our guys presented very well on the idea that we were sure was going to be the next million-dollar idea — Shark Tank, here we come. However, the judges felt otherwise and poked hole after hole in our solution.

Not so easy

That was the purpose of the workshop, after all. We end every story about IoT disasters and security failures with a flippant call to IoT developers to put security first, but in the workshop, we learned firsthand how much easier it was to come up with a concept than to make it both secure and usable.

Securing a smart home is harder than one might think, and there was no way a bunch of people playing “security analyst” in a workshop were going to come up with the magical unicorn product to protect all the things.

The workshop forced our team to leave our comfort zones and think about a very real and growing problem that we face as more and more devices are connected to the Internet. Despite everyone’s “failure,” the session truly stood out for me during #TheSAS2018 because it was an active challenge as opposed to sitting and listening to some research — even if it is badass research.

If you have connected devices in your home and wonder how secure they are, try out our IoT scanner. You should also do what you can to make the devices more secure, from changing default passwords to making sure the firmware is up to date.