IoT Drama

[MarioLanning]

Curious, I saw today Samsung's IoT hub was hit. Does UD have it in their plan to perhaps offer 2 factor authentication sometime soon. A google report about google and their Titan key and how employees switched to 2 factor and the new key have resulted in no known phishing attack getting in. I know with all the IoT drama going on it would be something i'd feel better about. I know if someone got into my account they could destroy my house.

 

https://www.cyberscoop.com/google-titan-security-key-2fa-anti-phishing/

 

Edited July 27, 2018 by MarioLanning

[firstone]

There are commercial products already available, such as:

https://www.yubico.com

 

And prior to that there were RSA authentication devices and other brands.

Those are acceptable for user authentication but in this case there is still an attack vector in the device itself.

More importantly, I don't think anybody's thinking about. In one case, attacker can get into google's network or some bank or financial institution and cause billions of damage. In another case they can turn off your light or cause your fridge to defrost. I don't know if there's financial incentive here. Unless you have a giant vault full of gold controlled by IoT device.

There is nothing that cannot be addressed by some crypto algo with rolling keys or some such. And perhaps it will in the future. But for now it's a pipe dream. IoT devices use commercially available solutions, oauth2, etc. Nobody's going out of the way until something else is widely available.

[mwester]

(Edited to clarify)

Regarding UDI -- They appear to be reasonably up on the entire security thing, but I've not seen any documentation on what security practices are in place regarding the portal.  (I'm not asking for the pen-test results, but I'd sure like to know if the portal code was run through any static-analysis tools, and if it was pen-tested, etc)  I too would like two-factor auth for that, if it were available.

 

Commentary on IoT security in general (not specific to UDI or the ISY Portal):

Check the commentary on this forum.  Some of us (including me) have raised concerns about IoT security in general, but the overwhelming response from forum members is "Why should I I worry, the worst anyone could do is blink my lights."

I perceive that the members of this forum are in general far more technically "savvy" than the average population -- and if our demographic doesn't really care, that goes double for the public, and since companies will sell what the public demands, the logical end result is that the market will continue to be flooded with vulnerable devices.

There have been many cases that illustrate why vulnerable IoT devices are a problem, including the recent massive Denial-Of-Service attack that was executed by a bot-net of compromised IP Cameras.  But, the public continues to buy based on lowest price, ignoring security considerations (heck, they even ignore things like UL and CSA certifications!).

The net result: if you are concerned about security (and we ALL should be!), then it's entirely up to you to make it so.  Secure subnets, firewall rules, etc are your tools; don't count on the IoT vendors (and don't trust them either -- they may or may not code security, you'll never know since you can't see the source code, so the wisest thing to do is to prepare for the worst (and hope for the best)!).

(The above is an opinion, and sadly, one that is not shared by many others.)

Edited July 27, 2018 by mwester
CLARIFICATION

[firstone]

11 minutes ago, mwester said:

(I perceive that the members of this forum are in general far more technically "savvy" than the average population -- and if our demographic doesn't really care, that goes double for the public, and since companies will sell what the public demands, the logical end result is that the market will continue to be flooded with vulnerable devices.

I think that's exactly the point. It's hardly a viable long term business strategy to invest into some custom security (with questionable result) and charge extra $100 for it, for instance. For every person who'll appreciate it, there will be 1000s who'd buy competitors product and save $100. Also, most if not all those exploits aren't because of some weaknesses in existing protocol bot rather dumb stuff like default passwords, simple passwords, buffer overflow from unchecked buffer, etc. In other words, problems with implementation rather than the protocol.And that, in turn, because those companies pay as little as possible and outsource firmware to other firms in offshore markets. And that, of course, goes back to price pressure.

You can try to do your best to protect yourself with good firewalls, good passwords, etc. But at the end of the day, you can't loose sleep over it. if you want to loose sleep over something, read Data and Goliath or Weapons of Math Destruction. 

[MWareman]

Curious, I saw today Samsung's IoT hub was hit. Does UD have it in their plan to perhaps offer 2 factor authentication sometime soon. A google report about google and their Titan key and how employees switched to 2 factor and the new key have resulted in no known phishing attack getting in. I know with all the IoT drama going on it would be something i'd feel better about. I know if someone got into my account they could destroy my house.
 
https://www.cyberscoop.com/google-titan-security-key-2fa-anti-phishing/
 

You are, of course, talking about these vulnerabilities (I wouldn’t really characterize it that they were ‘hit’ though)

https://threatpost.com/bugs-in-samsung-iot-hub-leave-smart-home-open-to-attack/134454/

Another +1 for 2FA on the Portal. However, rather that doing something vendor locked please implement optional U2F in the logon process... since modern browsers now all support that. Then the user can choose from any U2F compliant solution (which includes YubiKey and many others...)

[Michel Kohanim]

Hi MWareman,

We'll definitely look into it.

With kind regards,
Michel

[larryllix]

All sounds like more product sales FUD. (Fear, Uncertainty, Doubt)
Anybody ever hear of a system actually  being hacked? Link?

We heard of one ISY being hacked here, a few years back with grafity written into device names but no foul play of operation on their devices. Of course this probably meant the attacker was also using the admin console to effect it.

[Goose66]

I suspect the greatest danger is the same here as everywhere else on the Internet: people using the same or similar credentials for the UDI portal and forums as for other, more easily compromised sites, like your Domino's Pizza account or your online gaming account. We can talk about UDI implementing 2FA for the portal and newer security suites on the ISY, but I would bet 60% of the users will continue to use a single password for all of their vulnerable web accounts.

[Scottmichaelj]

I suspect the greatest danger is the same here as everywhere else on the Internet: people using the same or similar credentials for the UDI portal and forums as for other, more easily compromised sites, like your Domino's Pizza account or your online gaming account. We can talk about UDI implementing 2FA for the portal and newer security suites on the ISY, but I would bet 60% of the users will continue to use a single password for all of their vulnerable web accounts.

I agree 100% with you. However as a company it should be added because this is becoming standard practice. I for one and I am sure most here don’t use the same passwords so for me this feature would be well welcomed.

[mwester]

5 hours ago, larryllix said:

All sounds like more product sales FUD. (Fear, Uncertainty, Doubt)
Anybody ever hear of a system actually  being hacked? Link?

We heard of one ISY being hacked here, a few years back with grafity written into device names but no foul play of operation on their devices. Of course this probably meant the attacker was also using the admin console to effect it.

 

It's like a home builder not putting deadbolts on the exterior doors.  I expect that you never deadbolt or perhaps don't even lock your doors at night -- but that doesn't mean that others feel quite so comfortable with the situation.  And waiting to install deadbolts until after the first robbery in your nice safe neighborhood is a personal choice -- again, other's aren't quite so comfortable waiting for the first hacking event into the ISY portal before we do anything to secure it.  There's an old adage about locking the barn door after the horse has escaped.

[paulbates]

another way to look at it is risk management or insurance: The probability of an attack is low, but the impact of it if it happened ranges from annoying to disastrous, depending what is automated and how its exposed on the network

You probably won't get into a major car accident. Your house probably won't burn down... yet both are typically insured.

Edited July 29, 2018 by paulbates

[asbril]

28 minutes ago, mwester said:

locking the barn door after the horse has escaped.

or after the Trojan Horse got in......

[asbril]

5 minutes ago, paulbates said:

another way to look at it is risk management or insurance: The probability of an attack is low, but the impact of it if it happened ranges from annoying to disastrous, depending what is automated and how its exposed on the network

You probably won't get into a major car accident. Your house probably won't burn down... yet both are typically insured.

It also depends on the nature of your HA network. In my  case there are only lights, fans and curtains. I feel comfortable addressing the issue after a hacking event. However if more sensitive devices (cameras, door locks...) are involved pro-activity makes sense.

Edited July 29, 2018 by asbril

[larryllix]

4 hours ago, mwester said:

 

It's like a home builder not putting deadbolts on the exterior doors.  I expect that you never deadbolt or perhaps don't even lock your doors at night -- but that doesn't mean that others feel quite so comfortable with the situation.  And waiting to install deadbolts until after the first robbery in your nice safe neighborhood is a personal choice -- again, other's aren't quite so comfortable waiting for the first hacking event into the ISY portal before we do anything to secure it.  There's an old adage about locking the barn door after the horse has escaped.

Oh I agree with the concept  as much of a PITA it could be. The ISY Portal "seems to be "out in the open" for an easier  hit.

"Curious, I saw today Samsung's IoT hub was hit." 
I was looking for an article link with more detail about the OP opening sentence regarding the case, not expecting more FUD to sell another  new google gadget.

[MarioLanning]

My internet is pretty locked down, I have a juniper router (not a home router) but my automation system is only as secure as the UD portal is since my ISY calls to them and they are on the cloud. I'm not at all worried about my local network. I am however worried about the Portal.

[Michel Kohanim]

Hello everyone,

Thanks for all the feedback. Security must be considered first and foremost in this day and age. There are no excuses for doing anything else. Benoit has already looked into 2FA and we should have it working by YE.

With kind regards,
Michel

[Scottmichaelj]

6 hours ago, Michel Kohanim said:

Hello everyone,

Thanks for all the feedback. Security must be considered first and foremost in this day and age. There are no excuses for doing anything else. Benoit has already looked into 2FA and we should have it working by YE.

With kind regards,
Michel

@bmercier @Michel Kohanim  Maybe take a look at DUO.com for 2FA integration, then let the users signup for a free account to not incur any fees on the UDI side.

[MWareman]

Duo would cost UDI to use though. It’s not free for the company implementing it and carries use costs as well (if the SMS or push-to-accept options are allowed to be used).

Systems like U2F and HMAC-TOTP (the Google Authenticator protocol) are license-free from a developer perspective and free for the consumer, with no use costs. There is also example code for both that has been well vetted.

Another option to consider. Since *most* Portal users will also have either a Google or Amazon account (and both of these offer reasonable 2FA options) - the option *could* be provided to allow authenticating to Portal with one of these accounts (via OpenID Connect). However, for some this would be perceived as worse that a portal without 2FA - so if implemented it should definitely be optional!

Personally, I secure my Google account more than anything else - so a Google OpenID Connect integration for authenticating to the Portal would certainly be welcomed by me.

[Scottmichaelj]

Duo would cost UDI to use though. It’s not free for the company implementing it and carries use costs as well (if the SMS or push-to-accept options are allowed to be used).

Systems like U2F and HMAC-TOTP (the Google Authenticator protocol) are license-free from a developer perspective and free for the consumer, with no use costs. There is also example code for both that has been well vetted.

Another option to consider. Since *most* Portal users will also have either a Google or Amazon account (and both of these offer reasonable 2FA options) - the option *could* be provided to allow authenticating to Portal with one of these accounts (via OpenID Connect). However, for some this would be perceived as worse that a portal without 2FA - so if implemented it should definitely be optional!

Personally, I secure my Google account more than anything else - so a Google OpenID Connect integration for authenticating to the Portal would certainly be welcomed by me.

Well that was quick anyhow.

Heads-up: 2FA provider Duo Security to be acquired by Cisco (ugh) - Ars Technicahttps://apple.news/Ax2IdQ-koTp6yaDV87rcq_Q

Seems Cisco thinks it’s worth while. I get the licensing fee aspect though.

[MWareman]

I had my Cisco rep contact me on this one, just before it went public...

Not sure it’s going to change much, at least initially. Cisco tends to let acquisitions operate fairly independently, at least for a while...