Echo: What's it doing?

[paulbates]

There have been discussions here about how much traffic the Echo/Dot transmits. I've watched mine in the past and it didn't seem like much. I started monitoring it again.. the results aren't alarming, but curious

• We do very little with it. Lights, TV, Thermostat commands occasionally, questions here and there. No music.
• Its consistently about 2.5MB a day uploaded, and about 1.5MB download.
• The use is bursty (see the graphs). It doesn't always map to people being in the room or noise/conversation.
• It is interesting that its reverse client server... a little more up than down
• The amount of data transferred in the peaks is minimal, and hard to believe decent audio was sent:
  • 111K in an hour (the biggest peak) is 1800 bytes a minute. Maybe that's too simplistic though
  • Some of the peaks are times that no-one was home or in the middle of the night and no-one was in the room

Traffic sent over 24 hours

 

 

Traffic received over 24 hours

 

Not sure what to do with this, wondering if anyone else has monitored their's. Maybe I'll try and muffle it and see if anything changes

 

Paul

 

 

 

 

[oberkc]

I would be more curious what affect the mute button has on data transfer.

[paulbates]

Hey, great idea... and I just muted it. I'll see what happens

 

Paul

[paulbates]

Interesting results. The upload peaks are all exactly 8 hours apart. It doesn't seem like its recording voice without prompting, since I turned the mic off, but it is sending something 3 times a day. Makes me wonder if its info on the locally connected skill devices, or is it observing lan traffic and profiling? Not sure... Also, there is a slight end-of-day traffic hump.

 

These are the graphs from the last 24 hours where the mic button was pressed, no use of the dot for the last 24 hours

 

Upload

 

 

Download

 

It is making me wonder about the other iot things on my LAN. What are they watching and sending back?

 

 

Paul

[mwester]

I have all my IoT devices on specific IP address ranges, and have my pfsense firewall configured very carefully.  To oversimplify, basically the ISY is the ONLY IoT device that is allowed to make unlimited outbound connections.

 

The Amazon Echo isn't in that address range -- I considered it an "audio/video" device when I installed it originally, so it's in that address range instead.  I should probably reconsider that, and start watching/logging exactly what it's sending to whom...

 

Thanks for the heads-up on this.

[Scottmichaelj]

I have all my IoT devices on specific IP address ranges, and have my pfsense firewall configured very carefully. To oversimplify, basically the ISY is the ONLY IoT device that is allowed to make unlimited outbound connections.

 

I also do this with my pfsense however I do not have any Amazon devices (anymore). I installed ntop on my Pfsense that allows me to see and stop traffic to certain countries. I noticed my LED controllers had outgoing connections (not nearly as much as the Echo) and stopped it all. I did notice when I had my DOTs they had a lot of traffic like what your seeing and I stopped using all of them.

 

Ntop: http://pfsensesetup.com/ntop-an-introduction/

[paulbates]

Thanks mwester and Scott for sharing those ideas.

 

I've let a lot of these iot things inside my lan. Time to investigate and step up security. 2 of the devices, including the echo, are full Android OS. Risk/potential wise that's scary to me, in that there's no evidence that they're getting regular patches/upgrades. No evidence of harm either, but I simple don't know.

 

I'm using an asus router with merlinwrt that has TrendMircro's 2-way IPS. It caught a few things from my kids iphones when they were home for Christmas. Since phones/tablets are on the guestnet, it posed no real threat.

 

I'm thinking about firewall rules within the house and a whitelist style connection rules for things going out. 

 

Paul

[Scottmichaelj]

Thanks mwester and Scott for sharing those ideas.

 

In no way am I a networking guru, so maybe MWareman or mwestern can jump in here, but I *think* that putting them on a different subnet or on their own network (like the guest) might help if they are collecting LAN data that you don’t want them to have because they are separated from you main network. This wouldn’t be a full solution but might be a good step. That said they wouldn’t be able to control other devices on the network either so if the ISY is on a different subnet you would need the portal for the Echos to go out to the internet and then come back in to the ISY. Which could be good or bad depending on your needs.

 

For 2017 my goal was privacy and find a mix between what I used and what I need. It ended up being a slow process and I am still working towards it. I don’t think it will ever be 100% complete but everything I do now, “Privacy” is my first concern.

[mwester]

My current network uses a single flat subnet -- so everything on the LAN can talk directly to each other, without involving any firewall or anything that can monitor that traffic.  I was only interested in monitoring and controlling what various devices did with inbound/outbound internet traffic.

 

That was 2017 -- my resolution for 2018, based on the increasing volume of IoT-based security vulnerabilities, is to actually segment my LAN into different spaces that cannot communicate except through firewall rules (as suggested by Scottmichaelj, above).  This will certainly complicate my experimentation, but I too am worried that someone may gain access to more critical and valuable data on my LAN by using a compromised IoT device.  (And I guess, as I think about this, that I should lump all my audio/video devices into that same controlled/restricted category -- I suspect that the FireTV stick, the Sonos units, etc, are also likely to be hacked...)

 

(Thinking about this even more, it almost seems as if I need to do the opposite: segment the few devices that hold truly valuable data into a secured subnet, rather than try to lock out the IoT, Audio/Video, and guest access...  but with Windows 10 calling back to Microsoft every few hours with all your personal information, is there really a device in your own home that you can trust???)

[paulbates]

Agreed mwester. Its a new year're resolution for me too. The ISY and echo relationship make it more complicated and its not as simple as segmentation alone: 

• I want the ISY to talk to nodelink (pi) and the venstars and rainmachine.  
• Having the echo command the ISY for lighting, etc, does get used a lot. 
• But I don't want the echo to have any chance of affecting the venstars or the rainmachine (or most of anything else on my network)
• Need to find a way to separate it but make it work without creating a configuration nightmare. I'm going to start by removing the echo skills for the venstars and rainmachine. Their functions are fully automated and alexa has not been used

I like the idea of fencing off key things like NAS and PCs. Lots to think about

 

Paul

[MWareman]

I invested in a managed switch, and have a separate IOT vlan (and SSID). I can apply firewall ACLs to each port... So, my Foscams, Weatherflow Hub, CAO Hubs, Google Homes, FireTVs, Chamberlain controller and Ring cameras are all on a separate network firewalled from my NAS - and firewalled from each other if possible. The IOT ssid is also configured to prevent devices from talking directly to each other (they have to hairpin thru the switch, where ACLs are applied). Combined, if any are ever compromised the attacker cannot get to my data or to other IOT devices.

 

My guest network is completely separate from my IOT and internal network. Simple NAT outbound. I use a coupon system for guest access - each coupon grants two hours access.

 

Added to that, I strictly filter egress for all networks.

 

I use split zone DNS - my internal DNS zone is not accessible from the IOT or Guest networks.

 

For outbound DNS (all networks) - I’m using 9.9.9.9. This is backed by IBMs threat intel database to block most malware callbacks. I can not recommend this enough!

 

It takes time to maintain it though. Worth it to me, since I’m in IT Security professionally and it sure would be embarrassing if my home got compromised.

 

One thing that surprised me, Google Homes ignore the dns DHCP option and forcibly use Google DNS. They didn’t work originally because I was blocking outbound. I try to be surgical with what I allow out, which usually means devices don’t work until I figure out their outbound comm needs and configure my network to allow it - or implement hacks to allow it to work.

[TrojanHorse]

Thanks for this thread guys. So much for us to think about. The average user will pay it no mind but I feel this is really important stuff. Reading this reminds me how little most users know / are able to configure and maintain. It’s so easy to plug new decides in these days without thinking what they are really doing. I’ve forbidden any internet-connected “hot mics” here until I better understand... Cameras have always given me pause. Here I keep them outside where I don’t expect privacy.

 

Thanks All and Happy New Year!!

 

 

Sent from my iPhone using Tapatalk

[stusviews]

CCTV cameras provide privacy,

[paulbates]

My Security setup / changes::

• iot
  • SSL from Nodelink/Pi to the ISY (2018 change) 
  • Configuring the Venstar Colortouches for SSL only local API access (2018 change)
  • SSL from Nodelink/Pi to Venstars (2018 change)
  • SSL is the default from Nodelink to rainmachine
  • zero ports open on the router. Devices accessed remotely via proxies: ISY Portal, Rainmachine redirect, or venstar skyport. 
  • No remote access to the Rpis.
• Router
  • No open ports
  • LAN side only management access. SSL/SSH only access (2018 change)
  • TrendMirco's Malicious Site Blocking / 2 way IPS (2018 change) / Infected device blocking
  • Alientvault and Speedguide dynamic malicious host/port blocking (2018 change)
    • Amazing number of blocks on our main HP all-in-one
  • Norton connect safe DNS and OpenDNS secondary DNS
  • SMB 2 LAN shared drive access. Signing / credentials required to access, but not encrypted 
  • PCs and key iot only on the main lan. Tablets,phones, work laptop anything else is routed through guest net
  • No ISP device security dependence, I plug into a dumb docsis 3 Arris 822 CM
  • PureVPN through comcast. Some web proxy, some openvp. Some devices like 

I have guest and main lan for PCs and printers. I'd like to segment iot, but that may be beyond the asus and thorny as I do want to manage the iot segment from the main lan. More to think about

 

Paul

[Scottmichaelj]

My Security setup / changes::

• iot
  • SSL from Nodelink/Pi to the ISY (2018 change)
  • Configuring the Venstar Colortouches for SSL only local API access (2018 change)
  • SSL from Nodelink/Pi to Venstars (2018 change)
  • SSL is the default from Nodelink to rainmachine
  • zero ports open on the router. Devices accessed remotely via proxies: ISY Portal, Rainmachine redirect, or venstar skyport.
  • No remote access to the Rpis.
• Router
  • No open ports
  • LAN side only management access. SSL/SSH only access (2018 change)
  • TrendMirco's Malicious Site Blocking / 2 way IPS (2018 change) / Infected device blocking
  • Alientvault and Speedguide dynamic malicious host/port blocking (2018 change)
  • Amazing number of blocks on our main HP all-in-one
• Norton connect safe DNS and OpenDNS secondary DNS
• SMB 2 LAN shared drive access. Signing / credentials required to access, but not encrypted
• PCs and key iot only on the main lan. Tablets,phones, work laptop anything else is routed through guest net
• No ISP device security dependence, I plug into a dumb docsis 3 Arris 822 CM
• PureVPN through comcast. Some web proxy, some openvp. Some devices like

I have guest and main lan for PCs and printers. I'd like to segment iot, but that may be beyond the asus and thorny as I do want to manage the iot segment from the main lan. More to think about

 

Paul

Your on a roll! Something to think about is a VPN server on your router (OpenVPN). Then you can connect to your home via the VPN and access local LAN IPs if you miss port forwarding and outside access to your devices. Also secondary use, if your using a random WiFi network, say a hotel you can connect to your home and secure all traffic. Just a thought.

 

One more thing if you want to get CRaZY - check out PiHole.

[paulbates]

Your on a roll! Something to think about is a VPN server on your router (OpenVPN). Then you can connect to your home via the VPN and access local LAN IPs if you miss port forwarding and outside access to your devices. Also secondary use, if your using a random WiFi network, say a hotel you can connect to your home and secure all traffic. Just a thought.

 

One more thing if you want to get CRaZY - check out PiHole.

 

Yeh making some progress. 

 

The asus (on merlin) can host ovpn clients and servers. I configured access to PureVPN over the asus merlin OVPN client, a number of house clients and all guests go through that. I used to have an asus inbound OVPN server setup, but I'm at the point where I don't need to remote in to the lan, really nothing to do... and therefore a liability.  If I do need to get to the ISY, I've been able to use the AC through the ISY portal and also get to my HAD pages which I moved back to the ISY for that reason. I look at the HAD pages from time to time remotely via the portal, but I've not used the AC remotely in over a year. I now follow a "policy" about not making changes when I'm going to be on the road.

 

Venstar and rainmachine dial out to their respective service proxies and I can connect through them via mobile app or web if I need to. Again most of this is automation is on "auto pilot" these days. I have pushover "confidence" to show things are working,which they have been doing.. Now that i've said that its time for my PLM to die 

 

Paul