Work From Home Device Security

October 12, 2020

  • Our homes are more connected than ever, and so are our businesses. With more people now working from home, these two internet-connected environments are colliding on a scale we’ve never seen before.
  • This situation introduces a whole new set of potential vulnerabilities that users must be conscious of.
  • In this post Optiv IoT expert John Bock walks us through a step-by-step process that safeguards you against 99% of the home network threats you’ll face.

COVID and the 2020 lockdowns have compelled many organizations to shift to a work-from-home (WFH) model and rethink the future of their physical office environments. In Seattle, it’s estimated that 48.7% of adults are now working from home, and companies that don’t see a productivity hit from remote work are shifting direction permanently. From a security perspective, WFH (or coffee shop, or any other remote environment) isn’t new. Most organizations offer a way to remotely access the services required for employees to do their jobs, and traditionally the approach to defending those remote assets has been hardening of the endpoint through a comprehensive security stack. From that perspective, nothing changes with mass WFH, but there should be some acknowledgement that the bulk of your business process and employee activity now sits in a different physical and network environment, and you should determine how to likewise shift your security monitoring and controls to accommodate where your organization’s activity is actually taking place.

 

 

Security and Countermeasures

Tackling home device security will mean following some of the same principles that enterprise administrators employ when running a vulnerability management program, but without access to dedicated tools and systems. At a high level, there are a few pillars we will build upon:

 

  • Visibility: Knowing what’s present on your home network and what its purpose is.
  • Security Controls: Making sure that when possible, the device is configured in a secure state, and that you are authenticating to the device securely. If you can isolate your WFH environment, then do so.
  • Update Management: Have a regular plan where you go through the process of checking for a device security update and understand which devices are configured for automatic updates.

 

 

Visibility

Admins have access to a wide variety of tools to identify hosts present on an office network as well as the technical knowledge to analyze what’s discovered. In a home environment, those same tools may not be available and many (most) users probably aren’t comfortable running Nmap or Wireshark. This analysis assumes there’s a consumer-grade network gateway in place, such as a combination firewall and wireless access point from companies like Netgear or Linksys. One of the features common to these gateways is the ability to see connected devices, which is where we will start.

 

When you’re looking at the connected devices list, some of the entries will probably stand out from the discovered name, like your phone or tablets. Others may not have a description at all, outside of the IP and MAC address; this is where the investigation process will begin. As we walk through this process, we’re also going to start a text file or spreadsheet to store this information, and we’ll use another common feature, DHCP reservations, to make it easier to keep track of these devices in the future. DHCP is the service on your gateway that hands out IP addresses automatically to whatever devices connect. Since many consumer-grade IoT devices either can’t be assigned a static address or make it difficult to do so, using DHCP reservations on the gateway is the simplest route.

 

Screenshot from Home IoT Netgear of Attached Device list

 

For each entry in the Attached Devices list we’re going to do the following:

 

  1. If you’re certain of the device, add a descriptive name in the gateway interface.
  2. Add that device to the DHCP reservation list.
  3. Copy and paste the device information, including the assigned IP address and MAC.
  4. Find the vendor website and model number, paste that link into the file.
  5. Download any PDFs you can find from the vendor website. Avoid third-party PDF generation sites.
  6. Make a note of how the device is managed (e.g. mobile app, website, local Bluetooth). If it’s a mobile app, look the app up on the app store and copy the link and name of the developer.
  7. Make a note of any subscription fees and how much you’re paying per month.
  8. Copy and paste the rest of the unknown devices into the list file and move onto the next phase.

 

Here’s an example of a home network notes file entry:

 

Device Name       IP Address      MAC Address          Purpose
InkBird C929-A    192.168.82.5    68:57:2D:4B:AD:35    Monitor

 

For unknown devices, we’re going to use the process of elimination, and when possible, MAC prefix information, to identify the vendor. Looking up the MAC registration doesn’t work in all cases, but it can be a useful clue, and it’s worth the five minutes spent to check. To do the lookup, we’re going to use the Wireshark OUI lookup page:

 

Result of a search with the MAC address of an Inkbird device. For smaller IoT device vendors you can expect results like this, and not having it registered to the company you purchased it from is normal.

 

Take the unknown device MAC addresses, paste them into the box shown and click Find. Copy the results into your notes file next to the associated device. If you’re lucky, some of the OUI information will have helped identify a previously unknown device. Where this is the case, go back to the prior step, update the description under the attached devices screen and add a DHCP reservation.

 

Now let’s turn to the rest of the list, which takes us to the next phase: “Unplug everything in your home.” It’s important to note here that “Unplug” means disconnect from power. Since we’re using the process of elimination to identify devices, we ideally want to start with nothing other than the gateway, and even when a device appears to be powered off it can still be present on the network. The other step to take after you have unplugged everything is to reboot your gateway in order to clear the DHCP leases.

 

Example of an Attached Device entry from a Netgear router

 

The current state of things should be a freshly rebooted internet gateway, a laptop logged into its administrative interface with the “Attached Devices” page open, and every potential IoT device in the home unplugged.

 

For each device: plug it in, wait 60 seconds, then refresh the attached devices list. For devices where you have a management application, you’ll also want to log in and validate the device status by performing some management function (e.g. for a smart plug turn it on and off again).

 

 

Side Note: Doorbells and Alarms

If you have a smart doorbell, it’s probably drawing power from the doorbell transformer, and in most cases it’s not necessary to disconnect it: even if it was unidentified before, you should be able to identify it with everything else unplugged. Home alarm systems that use your internet connection to talk back to a monitoring center can also have a backup battery and will still appear connected. Again, if it was unidentified before, you should be able to pick it out of the list now that there’s a more manageable number of entries.

 

A populated DHCP Reservation table with home IoT devices

 

Once you’ve completed this task, take a screenshot of the active devices page for a record of the “normal state.” You should have the following items completed:

 

  1. A text file or spreadsheet that lists all network connected devices in your home.
  2. Identification of each device, including support information.
  3. A folder of documentation for the devices.
  4. A way to manage all of the devices, such as a mobile app or website.
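
Once the notes file exists, the monthly comparison against the “normal state” can be scripted. The following is an added example, not part of the original post: it checks a current attached devices list against the notes file and reports unknown devices, devices whose address differs from the noted reservation, and noted devices that are absent. The CSV layout, the sample rows (apart from the InkBird entry above) and the function names are assumptions; the sample MACs use the 00:00:5E:00:53:xx documentation range. It goes slightly beyond the post by also flagging locally administered (randomized) MAC addresses, one of the cases where an OUI lookup cannot identify the vendor.

```python
import csv
import io
import string

# Constructed notes file in the post's column layout (row 1 is the post's entry).
NOTES_CSV = """Device Name,IP Address,MAC Address,Purpose
InkBird C929-A,192.168.82.5,68:57:2D:4B:AD:35,Monitor
Office laptop,192.168.82.10,00:00:5E:00:53:10,Work
Smart plug,192.168.82.12,00:00:5E:00:53:20,Lamp
"""

# Constructed (IP, MAC) pairs as copied from the gateway's attached devices page.
ATTACHED = [
    ("192.168.82.5", "68-57-2d-4b-ad-35"), ("192.168.82.23", "00:00:5e:00:53:10"),
    ("192.168.82.31", "00:00:5E:00:53:99"), ("192.168.82.40", "DA:A1:19:00:00:01"),
]

def norm_mac(mac):
    """Normalize any common MAC notation to upper-case AA:BB:CC:DD:EE:FF."""
    digits = "".join(c for c in mac if c in string.hexdigits).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (e.g. a phone's private address)."""
    return bool(int(mac[:2], 16) & 0x02)

def load_notes(text):
    return {norm_mac(r["MAC Address"]): r for r in csv.DictReader(io.StringIO(text))}

def audit(notes, attached):
    """Compare the current attached devices list against the notes file."""
    report = {"unknown": [], "ip_changed": [], "missing": []}
    seen = {norm_mac(m) for _, m in attached}
    for ip, mac in attached:
        mac = norm_mac(mac)
        entry = notes.get(mac)
        if entry is None:
            hint = ("randomized MAC, OUI lookup will not help"
                    if is_locally_administered(mac) else "look up OUI " + mac[:8])
            report["unknown"].append((ip, mac, hint))
        elif entry["IP Address"] != ip:  # reservation missing or not applied
            report["ip_changed"].append((entry["Device Name"], entry["IP Address"], ip))
    report["missing"] = [e["Device Name"] for m, e in notes.items() if m not in seen]
    return report

if __name__ == "__main__":
    print(audit(load_notes(NOTES_CSV), ATTACHED))
```

A “missing” entry is not necessarily a problem (the device may simply be unplugged), but an “unknown” entry should go back through the identification steps above.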

 

With that completed we can move on to basic security controls.

 

 

Security Controls

While typical home IoT devices don’t provide many security controls, there are still a few basics that should be covered. Initially, if you didn’t use an app-driven setup process and instead used a set of default credentials to set up the device, make sure you have changed the default password to something strong. If the option to change the username (i.e. Admin) is there, then change that to something unique, as well. For devices with a personal account and app, try to keep separate passwords for each vendor and don’t use your email address if possible. You should always consider the impact if one of the vendors is breached and your username and password are leaked. You often won’t find out about the breach until weeks or months later, if at all, so counting on being able to quickly change a shared password isn’t a good strategy. If you can avoid using your email address as the login username, that limits the impact of someone attempting a password guessing attack against the vendor management service from a list of known email addresses. Be sure to document the credentials used for accessing your devices in the notes file, and store the passwords in a secure location, such as a password manager. Bookmark the device or vendor management page in your browser as well.

 

 

Update Management

Review each device’s documentation in your network notes and verify how they’re updated. For devices that can do this automatically, it’s recommended that you enable the feature and then note this in the file. You’ll usually encounter a few ways that devices are updated:

 

  • Automatically: The devices are updated with no user interaction.
  • Prompted: The device will notify you of an available update when you interact with it.
  • Manual: You will need to check a vendor site or external notification, then download and install the update.

 

The main caveat for prompted updates is that you usually have to interact with the device or its management interface and you may not be doing that on a regular basis. For example, try to recall the last time you logged into the admin interface of your home router. This may only be a once- or twice-a-year event, but updates may be released more frequently than that. The best approach here is to set up a once-a-month task that has you log in to the device management interface or app and look for an update. This should be a quick exercise (10 minutes at most), but it’s worth the return in preventative value. For high criticality devices, like a home security system, make sure you have any out-of-band update notification features turned on, like SMS or email.

 

 

Conclusion

To sum up our set of practices to securely manage home devices, you should be confident of the following things:

 

  • You know what devices are on your network, what their capabilities are, what data/information they capture, and how they are managed.
  • You have made sure to change any default credentials and have disabled features you aren’t using.
  • You have either configured the devices for automatic updates or set up a monthly task to check for security updates and apply them.

 

If you’re like most users, these three steps will address 99% of the issues you might encounter when it comes to home IoT.

John Bock
Senior Research Scientist | Optiv
John Bock is a Senior Research Scientist for Optiv Inc., where he focuses on the emergent security landscape and threats to new, security-immature technologies. Prior to this role, John was the leader of Optiv’s Application Security practice, which provided application penetration testing and other software security services. With over 15 years of application security and pen testing experience, he’s able to provide practical strategies for addressing security challenges and employing advanced capabilities to enable security assessment and defense. Before joining Optiv John held consulting and engineering positions at Casaba Security, Foundstone and Internet Security Systems. He’s also a contributing author and technical editor for multiple security publications, including the Hacking Exposed series.