Can I monitor my network for rogue IoT device activity?

26

7

In order to mitigate or manage the risk from having some of the devices on my home network compromised, is it feasible to monitor network traffic so as to detect a compromise?

I'm specifically interested in solutions which don't require me to be a networking expert, or to invest in anything more than a cheap single-board computer. Is this a feature that can practically be integrated in a router firewall, or is the problem too difficult to bound to have a simple, easy to configure solution?

I'm not asking about Wireshark - I'm asking for a self-contained system which can generate alerts of suspicious activity. Also thinking more focused on practical to setup for a capable amateur rather than a robust production quality solution.

addendum: I see there is now a kickstarter project (akita) which seems to offer cloud-based analytics driven from local WiFi sniffing.

Sean Houlihane

Posted 2016-12-06T19:21:46.890

Reputation: 7 357

Once the security becomes major issue , i am sure they will manufacture IOT Firewalls and IOT IPS , all your IOT traffic is routed through these devices just like other IT infrastructure, where you can monitor your IOT network Closely .user2728397 2016-12-06T19:39:38.120

1@Rakesh_K, this question exactly anticpates that type of device being invented - I would like to capture the known techniques which exist today.Sean Houlihane 2016-12-06T19:41:23.423

1Agreed. Also, there are an order of magnitude more protocols used in IoT, than are handled by a standard firewall.Mawg 2016-12-07T09:25:06.777

In fact, is this even an IoT specific question? Perhaps http://security.stackexchange.com/ ?

Mawg 2016-12-07T09:25:53.703

@Mawg, Yes, I think the detail is better covered on different SE sites, but I think this site will benefit from some 'can it be done' type security questions at this boundary point.Sean Houlihane 2016-12-07T09:42:14.940

Answers

15

This is not a straightforward topic. Detecting a compromise, as you put it, can happen in many forms and result in multiple outcomes in terms of system or network behavior. Observing that may require knowing the difference between normal and suspicious in terms of system and network behavior.

For a home solution at the network level, the recommended option is a (transparent) proxy or a customized gateway running multiple network services (i.e., DHCP, DNS) and security applications (e.g., firewall, IDSs, proxies) that can help with logging (e.g., HTTP proxy, DNS queries), hardening (e.g., filtering, blacklisting, whitelisting), monitoring (e.g., network traffic) and alerting based on signatures. Major tools for this include Bro, IPFire, pfSense and Snort.

See Setting up a Proxy server on my home router to enable content filtering for details on an example setup.

dfernan

Posted 2016-12-06T19:21:46.890

Reputation: 264

13

This is beyond trivial. Every somewhat sophisticated IoT device will communicate via HTTPS making it not too easy to know what it is talking about, even if you do have a not compromised internet gateway in your router.

Unfortunately you can't know which end points the IoT device is supposed to talk to and which not. While most of the big consumer electronics suppliers will have their dedicated back bones that doesn't mean the devices might not have good reason to talk to other providers of information (e.g. weather services, cooking recipe communities, etc ...).

All these things you cannot possibly know and even worse an over the air update of your IoT device can change that behavior completely. If you set up your own security gateway with filter criteria of blacklisting or whitelisting you might seriously impede your device's functionality. For example you might have successfully determined every of the usual addresses to whitelist but you'll never get an update because those are rarely used communication partners.

The answer: Pattern Recognition

Detecting that your device has been compromised is usually done by pattern recognition. That's no simple matter, but easy put, the pattern recognition engine on your security gateway will detect a drastically changed behavior if your toaster has been hacked and starts sending spam.

Helmar

Posted 2016-12-06T19:21:46.890

Reputation: 5 936

2This is very generic and is hardly a realistic option. Monitoring and detection based on heuristic or pattern analysis (assuming some Computational Intelligence (CI) methods) is highly dependent on the problem at hands, being mostly effective only in fine-tuned environments.dfernan 2016-12-06T21:58:49.067

2@dfernan It is. But the question is can I monitor my rogue device. I'd argue that it's not easily done is a proper answer. The question is impossibly broad since it's targeting all IoT devices not specific ones. Thus the answers have to be somewhat broad as well.Helmar 2016-12-06T23:01:15.213

10

At this point, the complexity of what you want is beyond "cheap, single-board computer" levels. The easiest solution available is to set up something like SNORT, which is an intrusion detection system. Initially, it will alert you to everything that's going on, and you'll get way too many false positives. By training it over time (itself a manual process) you can reduce it to a reasonable alert rate, but there are currently no "pre-canned" solutions available on the consumer market. They either require significant investments of money (corporate / commercial solutions) or time (open source DIY-class solutions), either of which would put the solution in question outside the acceptable scope of complexity. Your best bet is honestly going to be something like SNORT - something that's "good enough" to detect most issues and "easy enough" to train that you won't get too frustrated before it's usable.

John

Posted 2016-12-06T19:21:46.890

Reputation: 747

1This is mort the sort of answer I was looking for, I think. Easy enough, and good enough - particularly if the training can be crowd-source guided.Sean Houlihane 2016-12-06T20:32:04.417

1Finding that unicorn-like product / solution, though, will be difficult. I use SNORT as an example, but it is rather complex for a casual home user, and might prove to miss the mark on "easy enough" for you. My expectations are somewhat different from Average Joe's, as I've been a linux sysadmin for 20+ years.John 2016-12-06T20:33:37.217

And still learning Snort ;-) It's compelx - but, ultimately, worth itMawg 2016-12-07T09:27:30.917

7

The NoDDos tool I'm developing is targeted to do just what you are asking for. Right now it can recognize IOT devices by matching them to a list of known profiles, it can collect the DNS queries and traffic flows of each matched IOT device and upload it to the cloud for pattern analysis based on large sets of devices. Next step is to implement ACLs on the Home Gateway to restrict traffic flows per IOT device. The tool is targeted to run on Home Gateways. The current version is written in Python, requiring you to run Python on your OpenWRT HGW or install on a Linux DIY router. In OpenWRT I can't collect info on the traffic flows yet but on the Linux DIY router I can using ulogd2. So right now you need a simple Linux-based router with a regular Linux distribution to get this fully up and running with traffic flows but once my port to C++ is finished, you'll be able to run this on any OpenWRT router.

You can read my blog for more info about how the tool works.

Steven

Posted 2016-12-06T19:21:46.890

Reputation: 71

1I was hoping someone would come up with a tool like this. Can it (theoretically) run on a network- attached device, and just snoop the traffic? Seems an SBD might be easier than an open router for a lot of people.Sean Houlihane 2017-03-18T15:09:29.740

Welcome to the site, Steven. Make sure to have a look at the [tour] when you stick around. If you have any questions there is also the [help], [meta] and the [chat].Helmar 2017-03-18T19:10:24.627

NoDDos needs to access logfiles of the dnsmasq DNS/DHCP server and the iptables connection track events reported to ulogd2 for getting the traffic flows. So the Home Gateway or firewall is the right place for this. As the code and device profile database is open source, perhaps who knows in the future HGW vendors can include it in their product. In the mean time, I need to build up the profile database and that will require alpha testers to try out this tool on their HGWs and upload the results.Steven 2017-03-18T19:55:48.610

1

In short, standardization and product developments are underway to address this problem. Until then, there are few simple answers that don't require some networking knowledge.

My humble suggestion is easy to implement, and will provide your local network with some protection (although it won't protect the Internet at large) without knowing anything about networking other than how to plug in and use a wireless router.

Buy a separate wireless router for your home network, and use it just for your IoT devices. This will make it harder for the IoT devices to discover and attack your other devices (such as PCs, Tablets, and Smartphones). Likewise, it will provide your IoTs some protection from compromised computing devices you may have.

This solution may break some things, but the solution is perversely helped out by the mostly undesirable reality that today, many Iot devices achieve remote communications through a manufacturer-controlled cloud infrastructure, which will help your Iots to communicate with your computing devices more safely than having them on the same network. It also allows the manufacturer to collect personal information about you, and provide that to third parties.

Hugh Buntu

Posted 2016-12-06T19:21:46.890

Reputation: 27

2I think this is tangential to the question, not really an answer.Sean Houlihane 2017-03-20T18:14:18.767

1Actually, I thought some of the other answers were tangential. The asker specifically said he wanted answers "which don't require me to be a networking expert, or to invest in anything more than a cheap single-board computer", or "Also thinking more focused on practical to setup for a capable amateur rather than a robust production quality solution." -- I wrote an answer that I thought met those conditions. In honor of your comment, I deleted the last paragraph which was possibly unnecessary [i.e. RTFM].Hugh Buntu 2017-03-21T19:28:38.043

I asked specifically about monitoring, rather than protection. i think you're answer is better for one of these: http://iot.stackexchange.com/questions/1184 http://iot.stackexchange.com/questions/14/ or http://iot.stackexchange.com/questions/9 (although the latter has quite a lot of answers already!)

Sean Houlihane 2017-03-21T19:59:51.313