MarioLanning Posted July 27, 2018 (edited)
Curious, I saw today Samsung's IoT hub was hit. Does UD have it in their plan to perhaps offer 2-factor authentication sometime soon? A Google report about Google and their Titan key and how employees switched to 2-factor and the new key have resulted in no known phishing attack getting in. I know with all the IoT drama going on it would be something I'd feel better about. I know if someone got into my account they could destroy my house. https://www.cyberscoop.com/google-titan-security-key-2fa-anti-phishing/
Edited July 27, 2018 by MarioLanning
firstone Posted July 27, 2018
There are commercial products already available, such as: https://www.yubico.com And prior to that there were RSA authentication devices and other brands. Those are acceptable for user authentication, but in this case there is still an attack vector in the device itself. More importantly, I don't think anybody's thinking about it. In one case, an attacker can get into Google's network or some bank or financial institution and cause billions of damage. In another case they can turn off your light or cause your fridge to defrost. I don't know if there's a financial incentive here, unless you have a giant vault full of gold controlled by an IoT device. There is nothing that cannot be addressed by some crypto algo with rolling keys or some such. And perhaps it will be in the future. But for now it's a pipe dream. IoT devices use commercially available solutions, OAuth2, etc. Nobody's going out of their way until something else is widely available.
mwester Posted July 27, 2018 (edited)
(Edited to clarify) Regarding UDI -- they appear to be reasonably up on the entire security thing, but I've not seen any documentation on what security practices are in place regarding the portal. (I'm not asking for the pen-test results, but I'd sure like to know if the portal code was run through any static-analysis tools, and if it was pen-tested, etc.) I too would like two-factor auth for that, if it were available.
Commentary on IoT security in general (not specific to UDI or the ISY Portal): Check the commentary on this forum. Some of us (including me) have raised concerns about IoT security in general, but the overwhelming response from forum members is "Why should I worry, the worst anyone could do is blink my lights." I perceive that the members of this forum are in general far more technically "savvy" than the average population -- and if our demographic doesn't really care, that goes double for the public, and since companies will sell what the public demands, the logical end result is that the market will continue to be flooded with vulnerable devices. There have been many cases that illustrate why vulnerable IoT devices are a problem, including the recent massive Denial-of-Service attack that was executed by a botnet of compromised IP cameras. But the public continues to buy based on lowest price, ignoring security considerations (heck, they even ignore things like UL and CSA certifications!). The net result: if you are concerned about security (and we ALL should be!), then it's entirely up to you to make it so. Secure subnets, firewall rules, etc. are your tools; don't count on the IoT vendors (and don't trust them either -- they may or may not code security, you'll never know since you can't see the source code, so the wisest thing to do is to prepare for the worst (and hope for the best)!).
(The above is an opinion, and sadly, one that is not shared by many others.)
Edited July 27, 2018 by mwester: CLARIFICATION
firstone Posted July 27, 2018
11 minutes ago, mwester said: I perceive that the members of this forum are in general far more technically "savvy" than the average population -- and if our demographic doesn't really care, that goes double for the public, and since companies will sell what the public demands, the logical end result is that the market will continue to be flooded with vulnerable devices.
I think that's exactly the point. It's hardly a viable long-term business strategy to invest in some custom security (with questionable result) and charge an extra $100 for it, for instance. For every person who'll appreciate it, there will be 1000s who'd buy a competitor's product and save $100. Also, most if not all those exploits aren't because of some weaknesses in the existing protocol but rather dumb stuff like default passwords, simple passwords, buffer overflow from an unchecked buffer, etc. In other words, problems with implementation rather than the protocol. And that, in turn, is because those companies pay as little as possible and outsource firmware to other firms in offshore markets. And that, of course, goes back to price pressure. You can try to do your best to protect yourself with good firewalls, good passwords, etc. But at the end of the day, you can't lose sleep over it. If you want to lose sleep over something, read Data and Goliath or Weapons of Math Destruction.
MWareman Posted July 27, 2018
MarioLanning said: Curious, I saw today Samsung's IoT hub was hit. Does UD have it in their plan to perhaps offer 2-factor authentication sometime soon? A Google report about Google and their Titan key and how employees switched to 2-factor and the new key have resulted in no known phishing attack getting in. I know with all the IoT drama going on it would be something I'd feel better about. I know if someone got into my account they could destroy my house. https://www.cyberscoop.com/google-titan-security-key-2fa-anti-phishing/
You are, of course, talking about these vulnerabilities (I wouldn't really characterize it that they were 'hit' though): https://threatpost.com/bugs-in-samsung-iot-hub-leave-smart-home-open-to-attack/134454/
Another +1 for 2FA on the Portal. However, rather than doing something vendor-locked, please implement optional U2F in the logon process... since modern browsers now all support that. Then the user can choose from any U2F-compliant solution (which includes YubiKey and many others...).
Michel Kohanim Posted July 29, 2018
Hi MWareman, We'll definitely look into it. With kind regards, Michel
larryllix Posted July 29, 2018
All sounds like more product sales FUD (Fear, Uncertainty, Doubt). Anybody ever hear of a system actually being hacked? Link? We heard of one ISY being hacked here, a few years back, with graffiti written into device names but no foul play of operation on their devices. Of course this probably meant the attacker was also using the admin console to effect it.
Goose66 Posted July 29, 2018
I suspect the greatest danger is the same here as everywhere else on the Internet: people using the same or similar credentials for the UDI portal and forums as for other, more easily compromised sites, like your Domino's Pizza account or your online gaming account. We can talk about UDI implementing 2FA for the portal and newer security suites on the ISY, but I would bet 60% of the users will continue to use a single password for all of their vulnerable web accounts.
Scottmichaelj Posted July 29, 2018
Goose66 said: I suspect the greatest danger is the same here as everywhere else on the Internet: people using the same or similar credentials for the UDI portal and forums as for other, more easily compromised sites, like your Domino's Pizza account or your online gaming account. We can talk about UDI implementing 2FA for the portal and newer security suites on the ISY, but I would bet 60% of the users will continue to use a single password for all of their vulnerable web accounts.
I agree 100% with you. However, as a company it should be added because this is becoming standard practice. I for one, and I am sure most here, don't use the same passwords, so for me this feature would be well welcomed.
mwester Posted July 29, 2018
5 hours ago, larryllix said: All sounds like more product sales FUD (Fear, Uncertainty, Doubt). Anybody ever hear of a system actually being hacked? Link? We heard of one ISY being hacked here, a few years back, with graffiti written into device names but no foul play of operation on their devices. Of course this probably meant the attacker was also using the admin console to effect it.
It's like a home builder not putting deadbolts on the exterior doors. I expect that you never deadbolt or perhaps don't even lock your doors at night -- but that doesn't mean that others feel quite so comfortable with the situation. And waiting to install deadbolts until after the first robbery in your nice safe neighborhood is a personal choice -- again, others aren't quite so comfortable waiting for the first hacking event into the ISY portal before we do anything to secure it. There's an old adage about locking the barn door after the horse has escaped.
paulbates Posted July 29, 2018 (edited)
Another way to look at it is risk management or insurance: the probability of an attack is low, but the impact of it if it happened ranges from annoying to disastrous, depending on what is automated and how it's exposed on the network. You probably won't get into a major car accident. Your house probably won't burn down... yet both are typically insured.
Edited July 29, 2018 by paulbates
asbril Posted July 29, 2018
28 minutes ago, mwester said: locking the barn door after the horse has escaped.
Or after the Trojan Horse got in...
asbril Posted July 29, 2018 (edited)
5 minutes ago, paulbates said: Another way to look at it is risk management or insurance: the probability of an attack is low, but the impact of it if it happened ranges from annoying to disastrous, depending on what is automated and how it's exposed on the network. You probably won't get into a major car accident. Your house probably won't burn down... yet both are typically insured.
It also depends on the nature of your HA network. In my case there are only lights, fans and curtains. I feel comfortable addressing the issue after a hacking event. However, if more sensitive devices (cameras, door locks...) are involved, pro-activity makes sense.
Edited July 29, 2018 by asbril
larryllix Posted July 29, 2018
4 hours ago, mwester said: It's like a home builder not putting deadbolts on the exterior doors. I expect that you never deadbolt or perhaps don't even lock your doors at night -- but that doesn't mean that others feel quite so comfortable with the situation. And waiting to install deadbolts until after the first robbery in your nice safe neighborhood is a personal choice -- again, others aren't quite so comfortable waiting for the first hacking event into the ISY portal before we do anything to secure it. There's an old adage about locking the barn door after the horse has escaped.
Oh, I agree with the concept, as much of a PITA as it could be. The ISY Portal seems to be "out in the open" for an easier hit. "Curious, I saw today Samsung's IoT hub was hit." I was looking for an article link with more detail about the OP's opening sentence regarding the case, not expecting more FUD to sell another new Google gadget.
MarioLanning (Author) Posted July 29, 2018
My internet is pretty locked down. I have a Juniper router (not a home router), but my automation system is only as secure as the UD portal is, since my ISY calls to them and they are on the cloud. I'm not at all worried about my local network. I am, however, worried about the Portal.
Michel Kohanim Posted July 30, 2018
Hello everyone, Thanks for all the feedback. Security must be considered first and foremost in this day and age. There are no excuses for doing anything else. Benoit has already looked into 2FA and we should have it working by YE. With kind regards, Michel
Scottmichaelj Posted July 30, 2018
6 hours ago, Michel Kohanim said: Hello everyone, Thanks for all the feedback. Security must be considered first and foremost in this day and age. There are no excuses for doing anything else. Benoit has already looked into 2FA and we should have it working by YE. With kind regards, Michel
@bmercier @Michel Kohanim Maybe take a look at DUO.com for 2FA integration, then let the users sign up for a free account to not incur any fees on the UDI side.
MWareman Posted July 31, 2018
Duo would cost UDI to use though. It's not free for the company implementing it and carries use costs as well (if the SMS or push-to-accept options are allowed to be used). Systems like U2F and HMAC-TOTP (the Google Authenticator protocol) are license-free from a developer perspective and free for the consumer, with no use costs. There is also example code for both that has been well vetted.
Another option to consider. Since *most* Portal users will also have either a Google or Amazon account (and both of these offer reasonable 2FA options), the option *could* be provided to allow authenticating to Portal with one of these accounts (via OpenID Connect). However, for some this would be perceived as worse than a portal without 2FA, so if implemented it should definitely be optional! Personally, I secure my Google account more than anything else, so a Google OpenID Connect integration for authenticating to the Portal would certainly be welcomed by me.
Scottmichaelj Posted August 3, 2018
MWareman said: Duo would cost UDI to use though. It's not free for the company implementing it and carries use costs as well (if the SMS or push-to-accept options are allowed to be used). Systems like U2F and HMAC-TOTP (the Google Authenticator protocol) are license-free from a developer perspective and free for the consumer, with no use costs. There is also example code for both that has been well vetted. Another option to consider. Since *most* Portal users will also have either a Google or Amazon account (and both of these offer reasonable 2FA options), the option *could* be provided to allow authenticating to Portal with one of these accounts (via OpenID Connect). However, for some this would be perceived as worse than a portal without 2FA, so if implemented it should definitely be optional! Personally, I secure my Google account more than anything else, so a Google OpenID Connect integration for authenticating to the Portal would certainly be welcomed by me.
Well that was quick anyhow. Heads-up: 2FA provider Duo Security to be acquired by Cisco (ugh) - Ars Technica https://apple.news/Ax2IdQ-koTp6yaDV87rcq_Q Seems Cisco thinks it's worthwhile. I get the licensing fee aspect though.
MWareman Posted August 3, 2018
I had my Cisco rep contact me on this one, just before it went public... Not sure it's going to change much, at least initially. Cisco tends to let acquisitions operate fairly independently, at least for a while...