So I'm here from Lawrence Systems and we're going to talk about IoT security. Now, people lump a lot of things into IoT. That makes these headlines way more fun to read, of course, because it makes the attacks look bigger and bigger, and doom and gloom is something the news wants to sell you on. So let's break down the headlines versus the reality of security. Now, if you need help with your network, whether it be IoT security or other projects, head over to LawrenceSystems.com. There's a "hire us" button and you can learn more about the process of having us help secure your network.

"Hacking Nemo: an adversary compromises smart fish tank at casino." I love the headline. This is from a couple of years ago. There was a fish tank that had Wi-Fi that, well, had some flaws, and they attached it to their corporate network, which is a horrible idea, because once someone pivoted off the fish tank, they were able to fish around and find all kinds of fun things on their network. Frequently companies leave things open on their network, so once you're inside, or behind the firewall, lateral movement becomes a lot easier. That being said, it's probably not a good idea to attach the smart fish tank to your corporate network. Same with this: "IoT worm can hack Philips Hue light bulbs and spread across cities. Easy chain reaction hack would spread across Paris." Back to the same problem: it's a great headline from 2016, and here we are in 2020 and I have not seen the apocalypse of flashing light bulbs that we thought we would see, but hey, once again, a good headline. It's a real risk, and I've done a video on proxychains and a red teamer's guide to pivoting, and they talk about how, once you get into a device that has been pushed through the firewall and has access to it, you can then pivot and get inside of a network. These are the things we want to prevent.
So let's go and look at how these systems are being attacked: Telnet, SMB and SSH, Microsoft SQL and MySQL ports. I bring this up, and I'll leave links to all of these too so you can do some further reading on it. One of the things is that this is all stuff that got them through the firewall. This is why you want to put it on a separate network or have a good firewall. We're going to get to that in just a second here. The second part is IoT. The reason you see the numbers bigger than they are, and I say "than they are" because I don't necessarily think routers should be listed as IoT devices, but they are. Cameras, maybe, but routers? They're routers, so your firewalls. And the biggest piece of all of these, you know, the Mirai botnet and many of the other botnets out there that are variants of Mirai, and all these attacks, are because consumer routers are poorly made. They've been poorly made for a long time, without security in mind, and they never get updated. Therefore they are the method of attack all the time. And right there where they point this out, retroactively looking at victim devices' service banners from internet-wide scanning, most of the devices appear to be routers and cameras, reported by a short amount, and they are. So a lot of people start really worrying about all their IoT devices, but they're not as likely to be attacked when they're not directly attached to the internet, with the exception of the routers, which, if you have a good router, then you're a lot better off.

I have a couple of videos on this topic and we're going to break this down. I do have, and this is going to go a lot more in depth than this video will, the detail of how to. I'm going to talk a lot about the philosophy here. "pfSense rules for IoT devices with mDNS": that's what this is right here. I have this video where it breaks it all down: how to set up the rules, how to put things on a separate network and talk to them.
Then, to go a step further, maybe you have an office network. This is a little bit more expensive, but "Office Network Design and Planning with VLANs, LAGG, Rules, IoT, and Guest using UniFi and pfSense": I break down all of those details on there. Now, these are two complete guides and setups, and you can see they're a little bit longer, but here we're going to talk about what goes where, because this is the one part where people start asking the question of what goes on what side of the network. I'm starting this simple, but you could add more networks as needed.

IoT devices, with the exception of routers. I'm going to make some assumptions here: that you have pfSense or some other router that's not one of the really inexpensive big-box-store consumer brand ones that are easy to buy. I don't know how else to define them, because I can't say it's a Cisco, because yes, those old Ciscos, they made some consumer ones and they make commercial ones. If you have one of these consumer-based routers, such as the D-Links or Netgears, they frequently have security holes that never get patched, and if they do get patched, people don't load the patches. So I'm going to point out specifically, instead of trying to say it fuzzily: pfSense is a solid commercial router solution. It is both open source and a big favorite of mine. Another runner-up, and I've done videos on it, is something like Untangle, another really good option. I also point out that in this particular design I'm using a UniFi switch, but really any type of switch or multiple switches would work. We're really going to focus on the concepts here; those other videos break down some of the more technical details. But when it comes to concepts, right here we have this network with full access to local and internet, and this is more like a guest network. It's separated.
It is internet only, no local access, as in these devices can't talk to these devices, but these devices can talk to these devices, and that's usually adequate for separating the devices. But the next question is, well, what devices belong over here? Cell phones I actually prefer over on this network. Now, your cell phone, whether you have an Android or an iOS Apple device, is generally designed to be on what I would consider hostile networks. Provided you're running them stock, they generally don't have open services on them for someone to attack. They're made to go on public Wi-Fi and deal with that type of environment. And your streaming devices, such as a Chromecast or a list of other devices, you usually want to use those from the phone: you want to play your music or play a video you're watching on the Chromecast. Your refrigerator can be on there too. Now, I say having them all on the same network is like a guest network, but you don't want to do isolation policies, because that will cause an immediate problem. If you isolate devices on a guest network, a lot of the buttons you check to say "isolation" mean that it stops the devices from laterally talking to each other. Maybe you want that on a guest network because you don't want one guest to see other guests, but when it comes to setting up IoT devices, if I want my phone to talk to my Chromecast, being on the same network works. Now, in one of the other videos I mentioned there are tools so you can have devices on this network and, through a tool called mDNS, talk to this network, but it is one of those things that you'll find is a little bit buggy and not everything supports it. So phones, your Amazon Dots or Google Homes, all of these. And like I said, this is all about security, not privacy.
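The policy just described (IoT network gets the internet and nothing local, the LAN may initiate into it, and a camera segment that only gets NTP to a local server) expressed as a pf ruleset. This is an added example, not a rule set from the video or from pfSense itself; pfSense generates its own rules from the GUI, and you would recreate this as per-interface rules there. Interface names, VLAN IDs, the 192.168.3.0/24 LAN and the NTP server address are assumptions made for the example.

```pf
# Added example: pf ruleset for the LAN / IoT / camera split described above.
# Interface names, VLAN IDs and addresses are assumptions, not from the video.
lan_if  = "igb1"        # LAN, 192.168.3.0/24: workstations, servers, printers
iot_if  = "igb1.30"     # VLAN 30: phones, Chromecast, Echo/Home, fridge
cam_if  = "igb1.40"     # VLAN 40: cameras and the NVR
ntp_srv = "192.168.3.1" # local NTP server the cameras are pointed at

# All RFC 1918 space, i.e. every local network behind this firewall.
# Blocking "to <private>" is what makes the IoT segment internet-only.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
block log all          # default deny in both directions
pass out quick all     # the firewall's own outbound traffic (DHCP offers, NTP, updates)

# LAN: full access. Rules are stateful, so replies from IoT and camera
# devices come back even though those segments cannot initiate toward the LAN.
pass in quick on $lan_if inet from $lan_if:network to any

# IoT: "internet only, no local access".
# 1. DHCP and DNS to the firewall itself, which is all the devices need locally.
pass in quick on $iot_if inet proto udp from any port 68 to any port 67
pass in quick on $iot_if inet proto { tcp udp } from $iot_if:network to ($iot_if) port 53
# 2. Then refuse anything else aimed at a private range: no path to the LAN
#    (or to the camera VLAN). Logged so attempts show up.
block in log quick on $iot_if inet from any to <private>
# 3. Whatever is left is the internet; let it out. Phone <-> Chromecast traffic
#    and mDNS discovery never reach the firewall because they share the VLAN.
pass in quick on $iot_if inet from $iot_if:network to any

# Cameras: no internet at all, only NTP to the local time server.
# Camera -> NVR traffic stays inside VLAN 40 and is not filtered here.
pass in quick on $cam_if inet proto udp from $cam_if:network to $ntp_srv port 123
block in log quick on $cam_if inet from any to any
```

Two things to check when you build this in a GUI: the rule rejecting private destinations has to sit above the "allow any" rule on the IoT interface, because first match wins, and the DNS/DHCP rules have to sit above the block because the firewall's own IoT-side address is inside the private ranges. If you later add an mDNS reflector so a LAN phone can find an IoT Chromecast, it only forwards the discovery packets; the actual stream still needs the LAN-to-IoT pass rule shown here.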
Privacy is a whole separate topic. What you think of having these devices, or a fridge that listens to you, is a whole different topic, but keeping them all on one network is fine, because if any of these devices gets compromised in any way, they're going to look for lateral movement. Are they likely, from lateral movement, to then in fact infect the Chromecast? Not likely. Could someone possibly hack the fridge and broadcast to your Chromecast? That is a possibility. There was an event perpetrated by a person who named themselves HackerGiraffe that did compromise a bunch of Chromecasts, not through this methodology, but through the fact that things had been opened up through Universal Plug and Play, and they were able to broadcast things randomly to the network and onto your Chromecast. So it's not an unheard-of possibility, but in general it's not where your security problems are. So, other than the potential for these devices, if they have some type of port open or are insecure, they're all on the same network. Now, if you wanted to really break it down and put every one of them on their own network, you could do that too. But each of these devices reaches out to the internet and comes back with the data. They're all talking to the cloud server that they belong to, so they don't actually need to talk over here.

Now what about printers? Aren't they an IoT device? Well, sure, anything I guess you could call an IoT device, but printers, because we have our workstations and laptops over here on this network, and this is the network where we're getting business done, you throw your printers over here. Now, could you throw them over here? Yes. Will you have problems? Maybe. It depends on the driver of the printer. You have some printers that work really well being on a separate network. You have other printers that just don't. They don't like being on separated networks. The people who wrote the drivers of the printer didn't expect them to have separation.
Now, when you get into the commercial networks, like your Xerox copy centers and your Kyoceras and Ricohs and your large copiers, they simply don't ever really seem to have a problem being on a separate network. We set those up when clients request it; they're made to be on a routed network and that's not a big deal. But a lot of the consumer ones, whether they're wireless or wired, putting them on a separate network creates immediate problems with the drivers not being able to communicate with them. Now, this is not true for every printer. Someone's going to point out, "but I have this printer and it networks." Great. If you have an exhaustive list of which ones do and don't, cool; I don't. And this is one of those problems we run into when people contract us for consulting: they've stuck the printer on the other network and the drivers aren't supported, and they want to sort it out. I'm like, there's not really a sorting-out problem; that's got to go on this network. But isn't my printer an attack vector? Statistically unlikely. For someone to get into your printer, one, we're assuming you've not opened the firewall up to talk to the printer.
That would be the first thing you don't want to do, and by default with pfSense the firewall does not allow things to come through, and UPnP is off by default in pfSense, unless you have done something too insecure to the system. The printers may or may not need access to the internet, and you could write a rule to block their access, because, well, the only thing you really need is to go from one computer to that printer, from this computer to this printer, but the printer itself does not need to get out to the internet. So you could, if you're really worried about it, write rules to block access there. But I've looked, and a lot of printers don't seem to ever call out to the internet unless they have some firmware or driver updates that they need, and that's not often; a lot of times that is all facilitated by the driver you're loading on your computer that speaks to the printer, and it is what pushes those things. And if you're truly worried about it, get, and I know they're harder to find now, actual USB printers. I went and looked; I know a lot of the consumer ones don't always even have USB, they're kind of expecting them to be wireless now. I don't know a lot about printers, because we still use old HP printers, because they work, even though, once again, I do know there are some security flaws potentially in those printers because of their age. But I don't really worry about it. And why do I say that, you know, being a security guy? Because we don't even have internet access on those printers. They're kind of locked down, and someone would have to get into our network, and the worst thing they would do, because there are passwords between my servers and my computers and everything else, is they would maybe be able to scan the network with a really old, slow controller that's in there. It doesn't have routing in it, so you can't go anywhere else but this partial network, and you would have to figure out a way to get inside my network first for these devices to even start doing that.

And the reality is, and this is something a lot of people overlook: well, couldn't they attack this? Well, if they're already in my network, they're probably going to use whatever tool got them into my network to provide better, faster, more effective scanning. So my first goal is to keep them on this side of the firewall, because once you're on this side, the printer is the least of my worries. This is a slow device; any device they have is probably not as old as the printer, and if they're on this side of the network, lateral movement is going to be facilitated by whatever device they either compromised or added to this side of the network. This is one of those security-thinking things people need to do. They ask me about certain attacks: "couldn't someone plug this in and attack?" I'm like, once they have physical access to your building, there are a lot of different things you need to be concerned about. It's not likely they're going to go put a dropper on an old printer; it's more likely, because of speed, that they attack it in some other way. So printers I do let live on this network.

Now, a couple of things I'll throw in, and I do cover this in my more extensive office setup video, one of those videos I'll leave links to below: for example, if you have phones using things like LLDP, awesome, you can build your own separated network for phones very easily and have it pass through, or put them on a separate network. Now, phones, once again, kind of the same: depending on who you use for internet, they may need to reach out to the internet to talk to a server, but often, like in our case for example, our FreePBX server is local, so they only need to be on the same network as our FreePBX server to talk to that. So you can kind of make your own determination, but having them on a separate network is not a bad deal at all. That way all that traffic is over there and you can put special quality controls on it if need be, because, well, you want phones... phones don't necessarily need speed, but they need low latency, so you may want to set priorities on that. That would be a separate topic.

Lastly, cameras. What about these cameras? Aren't they a big part of the Mirai botnet? Yes, but the problem with the cameras is not actually usually the cameras getting hacked; it's the NVR system itself, and people like to punch a hole through the firewall and expose it. Don't put that thing on this network. Don't put it on the network you use here, which in this case is the 192.168.3.0 network; that would be bad. Putting it over here is a better idea, but trust me, if you are using one of those off-brand ones, and once again it's hard to define these, but there are a lot of these companies that make these inexpensive NVR recorders that are poorly done. They sell them at a lot of the big box stores, they don't get security updates or patches, they're frequently wide open with admin and 123456 as their default password, and no one ever changes it. Even when you do change it, they were written so many years ago and have so many security flaws that they frequently get infected. Well, I don't recommend opening these crappy things to the internet, but people still do. Those at least should be over here in a separate network, or if you want to create a complete separate network for all the cameras, just so they're somewhere else, that's perfectly fine too. The cameras themselves are less of a worry. You can block them from the internet, because generally they don't need it, but they do need to reach out to a time server, and you can usually set something local, for example in UniFi, because time synchronization is something that's important for a lot of the cameras, so they do look for that.

So this is kind of a breakdown of where to put some of those things and some thoughts on design. For the more technical aspects, I'll link to those other videos where you can dive deeper into the functional how-I-did-it with pfSense and UniFi and how I set the VLANs
up, etc. But from a concept standpoint and a security standpoint, this is the IoT picture. By the way, if you don't have other things in place for security, like a password manager and all that, do those first, because a lot of people focus on this IoT, and the reality is they click a phishing link and that's what gets them pwned. They open up a bad link in a browser that's not been patched, from an unpatched system, and that gets them pwned. This is actually lower down the list, despite having great headlines, in terms of everyone being really excited about IoT being the death of the internet and the massive lights blinking everywhere, and, you know, all the fun things that we have with hacking things on here. But the reality of what I deal with in security, doing incident response and follow-up: this is rarely it. It takes some hunting to find that it was the IoT devices. Almost every time it's been phishing emails and other security practices, from unpatched systems, where people just opened up firewalls from their defaults, opened them up and opened up a bunch of these devices. That's where we see more problems, not from "oh my gosh, my Amazon Dot is what compromised a network." Mostly that's going to be a privacy problem more so than a security problem with those devices.

All right, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching and see you next time.