For all the network engineers, designers and sysadmins who day to day are connecting devices among network branches, this could be a really interesting story to share with any decision maker in any company.
It is a technical article, a small extract.
From this, he looked at its software and operating system, and that’s where he discovered the dark truth: his smart vacuum was a security nightmare and a black hole for his personal data. First of all, its Android Debug Bridge, which gives him full root access to the vacuum, wasn’t protected by any kind of password or encryption. The manufacturer added a makeshift security protocol by omitting a crucial file, which caused it to disconnect soon after booting, but Harishankar easily bypassed it. He then discovered that it used Google Cartographer to build a live 3D map of his home.
Should be read carefully, IMO.
I’m adding my personal take:
If an app is mandatory for configuration, the device should not be in any green or blue network.
I completely agree! But what should the solution look like if you use all 4 zones in IPFire? I currently use red, green and blue; all IoT devices are relegated to orange, with no access to red (not green and blue anyway). Soon I want to put a server into operation in orange, which should also be accessible from red (as well as from green and blue).
Regards,
Christian
I agree as well. I do run some Aqara sensors - no Roombas here, yet - and while they are allowed to access the Internet, they are not allowed to access Green. They run on Blue and are not trusted to access any local resources via the pinhole.
Thing is, they do get firmware updates and while I do not really check what is being updated, I have no reason to prevent them from getting the firmware since it may cripple their functionality.
Like when they got the power-state function for the power plugs, that simplified a lot, not having to walk around turning them on manually after a - rare - power outage. I do have a dozen of those power plugs to monitor power consumption of several connected computers and devices.
I do not see how we can prevent IoT devices from accessing the Internet if we want some functionality. All we can do is prevent them from accessing our LAN.
I currently have a few Shelly devices in use, along with two or four Reolink surveillance cameras, a robotic lawnmower, and a robotic vacuum cleaner. I plan to control all these IoT devices via OpenHAB in the future, which would also mean moving this OpenHABian system into this isolated network. This OpenHABian would then be the only one in this network segment with limited internet access. As long as IPFire only recognizes four zones, I’ll unfortunately have to extend the orange zone with its own segment using OpenWrt – not ideal, not very efficient, but I can’t think of anything else… I’d be interested to hear how others see this, or what solutions others have.
A few years ago I bought a robotic vacuum cleaner. Most of the features weren’t available unless it was connected to the Internet. I fooled it into thinking it was connected to the Internet by temporarily connecting it to my phone. It did indeed map out my home and could ’see’ beyond the boundaries. That’s ok, but it was trying to send data to two data centres, one in Hong Kong and the other in Beijing. I don’t use it any longer.