Work From Home Device Security
Work From Home Device Security
October 12, 2020
- Our homes are more connected than ever, and so are our businesses. With more people now working from home, these two internet-connected environments are colliding on a scale we’ve never seen before.
- This situation introduces a whole new set of potential vulnerabilities that users must be conscious of.
- In this post Optiv IoT expert John Bock walks us through a step-by-step process that safeguards you against 99% of the home network threats you’ll face.
COVID and the 2020 lockdowns have compelled many organizations shift to a work-from-home (WFH) model and rethink the future of their physical office environments. In Seattle, it’s estimated that 48.7% of adults are now working from home, and companies that don’t see a productivity hit from remote work are shifting direction permanently. From a security perspective WFH (or coffee shop, or any other remote environment) isn’t new. Most organizations offer a way to remotely access the services required for employees to do their jobs, and traditionally the approach to defending those remote assets has been hardening of the endpoint through a comprehensive security stack. From that perspective, nothing changes with mass WFH, but there should be some acknowledgement that the bulk of your business process and employee activity now sits in a different physical and network environment, and you should determine how to likewise shift your security monitoring and controls to accommodate where your organization’s activity is actually taking place.
Security and Countermeasures
Tackling home device security will mean following some of the same principles that enterprise administrators employ when running a vulnerability management program, but without access to dedicated tools and systems. At a high level, there are a few pillars we will build upon:
- Visibility: Knowing what’s present on your home network and what its purpose is.
- Security Controls: Making sure that when possible, the device is configured in a secure state, and that you are authenticating to the device securely. If you can isolate your WFH environment, then do so.
- Update Management: Have a regular plan where you go through the process of checking for a device security update and understand which devices are configured for automatic updates.
Admins have access to a wide variety of tools to identify hosts present on an office network as well as the technical knowledge to analyze what’s discovered. In a home environment, those same tools may not be available and many (most) users probably aren’t comfortable running Nmap or Wireshark. This analysis assumes there’s a consumer-grade network gateway in place, such as a combination firewall and wireless access point from companies like Netgear or Linksys. One of the features common to these gateways is the ability to see connected devices, which is where we will start.
When you’re looking the connected devices list, some of the entries will probably stand out from the discovered name, like your phone or tablets. Others may not have a description at all, outside of the IP and MAC address; this is where the investigation process will begin. As we walk through this process, we’re also going to start a text file or spreadsheet to store this information, and we’ll use another common feature, DHCP reservations, to make it easier to keep track of these devices in the future. DHCP is the service on your gateway that hands out IP addresses automatically to whatever devices connect. Since many consumer grade IoT devices don’t have the ability or make it difficult to assign a static address, using DHCP reservations on the gateway is the simplest route.
Screenshot from Home IoT Netgear of Attached Device list
For each entry in the Attached Devices list we’re going to do the following:
- If you’re certain of the device, add a descriptive name in the gateway interface.
- Add that device to the DHCP reservation list.
- Copy and paste the device information, including the assigned IP address and MAC.
- Find the vendor website and model number, paste that link into the file.
- Download any pdfs you can find from the vendor website. Avoid third-party pdf generation sites.
- Make a note of how the device is managed – i.e. mobile app, website, local Bluetooth. If it’s a mobile app, look the app up on the app store and copy the link and name of the developer.
- Make a note of any subscription fees and how much you’re paying per month.
- Copy and paste the rest of the unknown devices into the list file and move onto the next phase.
Here’s an example of a home network notes file entry:
|Device Name||IP Address||MAC Address||Purpose|
For unknown devices, we’re going to use the process of elimination, and when possible, MAC prefix information, to identify the vendor. Looking up the MAC registration doesn’t work in all cases, but it can be a useful clue, and it’s worth the five minutes spent to check. To do the lookup, we’re going to use the Wireshark OUI lookup page:
Result of a search with the MAC address of an Inkbird device. For smaller IoT device vendors you can expect results like this, and not having it registered to the company you purchased it from is normal.
Take the unknown device MAC addresses and paste them into the box shown and click Find. Copy the results into your notes file next to the associated device. If you’re lucky, some of the OUI information helped identified a previously unknown device. For situations where this is the case, go back to the prior step and update the description under the attached devices screen and add a DHCP reservation.
Now let’s turn to the rest of the list, which takes us to the next phase, which we’ll call Unplug everything in your home. It’s important to note here that “Unplug” means disconnect from power. Since we’re using the process of elimination to identify devices, we want to ideally have nothing to start with other than the gateway, and even when a device appears to be powered off it can still be present on the network. The other step to take after you have unplugged everything is to reboot your gateway in order to clear the DHCP leases.
Example of an Attached Device entry from a Netgear router
The current state of things should be a freshly rebooted internet gateway, a laptop logged into its administrative interface with the “Attached Devices” page open, and every potential IoT device in the home unplugged.
For each device: plug it in, wait 60 seconds, then refresh the attached devices list. For devices where you have a management application, you’ll also want to log in and validate the device status by performing some management function (e.g. for a smart plug turn it on and off again).
Side Note: Doorbells and Alarms
If you have a smart doorbell, it’s probably drawing power from the doorbell transformer and it’s not necessary to disconnect it in most cases because even if it was unidentified, before with everything else unplugged, you should be able to identify it. Home alarm systems that use your internet connection to talk back to a monitoring center can also have a backup battery and will still appear connected. Again if it was unidentified before, you should be able to pick it out of the list now that there’s a more manageable number of entries.
A populated DHCP Reservation table with home IoT devices
Once you’ve completed this task, take a screenshot of the active devices page for a record of the “normal state.” You should have the following items completed:
- A text file or spreadsheet that lists all network connected devices in your home.
- Identification of each device, including support information.
- A folder of documentation for the devices.
- A way to manage all of the devices, such as a mobile app or website.
With that completed we can move on to basic security controls.
While typical home IoT devices don’t provide many security controls, there are still a few basics that should be covered. Initially, if you didn’t use an app-driven setup process and instead used a set of default credentials to set up the device, make sure you have changed the default password to something strong. If the option to change the username (i.e. Admin) is there, then change that to something unique, as well. For devices with a personal account and app, try to keep separate passwords for each vendor and don’t use your email address if possible. You should always consider the impact if one of the vendors is breached and your username and password are leaked. You often won’t find out about the breach until weeks or months later, if at all, so counting on being able to quickly change a shared password isn’t a good strategy. If you can avoid using your email address as the login username, that limits the impact of someone attempting a password guessing attack against the vendor management service from a list of known email addresses. Be sure to document the credentials used for accessing your devices in the notes file, and store the passwords in a secure location, such as a password manager. Bookmark the device or vendor management page in your browser as well.
Review each device’s documentation in your network notes and verify how they’re updated. For devices that can do this automatically, it’s recommended that you enable the feature and then note this in the file. You’ll usually encounter a few ways that devices are updated:
- Automatically: The devices are updated with no user interaction.
- Prompted: The device will notify you of an available update when you interact with it.
- Manual: You will need to check a vendor site or external notification, then download and install the update.
The main caveat for prompted updates is that you usually have to interact with the device or its management interface and you may not be doing that on a regular basis. For example, try to recall the last time you logged into the admin interface of your home router. This may only be a once- or twice-a-year event, but updates may be released more frequently than that. The best approach here is to set up a once-a-month task that has you log in to the device management interface or app and look for an update. This should be a quick exercise (10 minutes at most), but it’s worth the return in preventative value. For high criticality devices, like a home security system, make sure you have any out-of-band update notification features turned on, like SMS or email.
To sum up our set of practices to securely manage home devices, you should be confident of the following things:
- You know what devices are on your network, what their capabilities are, what data/information they capture, and how they are managed.
- You have made sure to change any default credentials and have disabled features you aren’t using.
- You have either configured the devices for automatic updates or set up a monthly task to check for security updates and apply them.
If you’re like most users, these three steps will address 99% of the issues you might encounter when it comes to home IoT.