How to harden security for IoT devices

mjmeans
DD-WRT Novice


Joined: 10 Jul 2014
Posts: 6

PostPosted: Mon Oct 31, 2022 18:27    Post subject: How to harden security for IoT devices
The idea (paranoia) here is that cheap IP devices, like IP cameras, have closed source and you can't be completely sure that they don't have cross-device telemetry (promiscuous mode or equivalent) and are potentially able to use that information to implement WiFi and/or MAC spoofing.

So, I want a way to keep devices from masquerading as other devices on the network, even if they try to change their MAC address.

Of course, it would be impossible to keep a device that includes a WiFi chipset (whether apparently enabled or not) from connecting to an insecure WiFi of another router in range to get outside access. That's a different issue.

Is it possible to set up multiple SSIDs so that each device, by its MAC, will only be able to connect to its own specific unique hidden SSID it's assigned to? And will this prevent a malicious device from detecting and being able to masquerade as the device? And can DD-WRT handle, for example, 16 SSIDs with their own single MAC address filter?

On the other side of the equation is router spoofing. I remember reading that there was a method hackers use to trick WiFi devices into connecting to a hacker's router instead. Can any DD-WRT detect when that happens and either log it or take countermeasures?

I'm also wondering if it would be simpler to find an open-source tiny Arduino Ethernet to WiFi with tinyVPN or something like that and only use IoT devices that have Ethernet only so that I can be sure the device itself isn't doing anything 'funny'.
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Mon Oct 31, 2022 19:12    Post subject:
Why all this? Create a net/AP-isolated VAP with a different subnet for these devices and done.

You cannot stop anyone from checking out the wifi anyway, seeing what MACs are in use and spoofing them, but even then they need the wifi key to log in. So ensure your security stands up and keys are swapped often enough as per your paranoia.

As long as you have your firewall on, any failed attempts to log in should be logged, but yea, if anyone has the skills and really wants to, good luck in stopping them with consumer grade stuff, assuming you don't have the skills to "fight" back.

Also a great deal of these devices, assuming you buy the right ones, support 3rd party opensource firmware. Which I always do homework on, as I don't buy stuff I can't modify with minimal effort.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
mjmeans
DD-WRT Novice


Joined: 10 Jul 2014
Posts: 6

PostPosted: Mon Oct 31, 2022 20:09    Post subject:
I'm not so worried about an individual trying to hack in. But I am worried about corporate or hostile government spying. It seems every month there are stories about China spying.

But not to single out China, USA software has its own problems. An arstechnica article in the last few days reported on all the network telemetry being sent to servers by almost all AOS forks that run as a system app (without the user's ability to turn it off). Its discovery led to India's $160 M fine against Google. What isn't stated, but should be obvious, is that these system app services could easily report the network connections or allow a MITM attack should the company decide to do it. Features like wifi sharing are something the user can explicitly turn on/off, but the underlying system service is still running.

All these IoT devices that have remote firmware updates could cause a zero-day exploit (accidentally or by-design) against these devices.

So, yes, I'm paranoid. Because these companies are actively trying to invade everyone's privacy and I don't like it. And governments are mostly impotent to stop it. (I doubt the $160 M fine against Google over Android spying will even be noticed by them. They probably spend that much on toilet paper each year). If they won't put a stop to it, then I have to harden my network to turn off the spigot.
mjmeans
DD-WRT Novice


Joined: 10 Jul 2014
Posts: 6

PostPosted: Mon Oct 31, 2022 20:35    Post subject:
Concerning your suggestion to use a VAP. My current router is an older one. I already use a VAP to separate work computers from home computers. I set up the VAP with commands years ago and it has worked well enough for that use. I'm confident that none of my work or home computers are running any form of spyware that can scan my network, but perhaps that is naive as well.

But now I'm wanting to add IP based security cameras (WiFi for outdoor ones and Ethernet for indoor ones), and other security devices (Ethernet mostly) in a way that will actively block any attempt at MAC address spoofing, or other malware or privacy leaks that may already be present in the firmware of those devices, from accessing the internet.

I'm assuming I can set up multiple VAPs in a similar way.

But I don't see a way in v24-SP2 to implement a separate MAC address filter per VAP, or the ability to separately disable UPnP for a specific VAP. Is this possible in DD-WRT?
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Mon Oct 31, 2022 20:49    Post subject:
I would consider fast-forwarding to the current release to see what has changed since v24-sp2 (2008 - 2010? No idea of your specific build / date with old semantic versioning info)

https://ftp.dd-wrt.com/dd-wrtv2/downloads/betas/2022/10-31-2022-r50755/

Here you are discussing hardening and running a firmware that likely contains many vulnerabilities and bugs that have since been fixed.

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
Gameman Advanced Kid
DD-WRT Guru


Joined: 18 Nov 2012
Posts: 1158

PostPosted: Mon Oct 31, 2022 21:06    Post subject:
I would also strongly suggest you upgrade your router. For me, I personally use the WRT32x because of its black color and because I like the processor it comes with.

WiFi is pretty good too. You can bring the 5 GHz WiFi capacity up to 2.6 Gbps.

_________________
For people who are new to the dd-wrt forums >> http://www.catb.org/~esr/faqs/smart-questions.html#rtfm

barryware wrote:
It takes a "community" to raise a router..


Internet Connection 1
Some Technicolor modem > Linksys WRT3200ACM

Internet connection 2
Ubiquiti Powerbeam Gen 2 > Netgear R9000

Official (but not really) dd-wrt General Discussion element/matrix chat

https://matrix.to/#/#dd-wrt-private-non-offical:matrix.org
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Mon Oct 31, 2022 21:11    Post subject:
dale_gribble39 wrote:
snip... build / date with old semantic versioning info

DD-WRT does not follow, and has never followed, any semantic versioning of any kind as it's set out or understood as such; however, some components and libraries that are integrated into DD-WRT do.

Like the Linux kernel, it's not any kind of semantic versioning, never was; it may look like it but it's not.

Yep, semantic versioning as it is widely understood is pretty much chiseled in stone and there's no way to misinterpret what it is and how it works.



Last edited by the-joker on Mon Oct 31, 2022 22:04; edited 1 time in total
mjmeans
DD-WRT Novice


Joined: 10 Jul 2014
Posts: 6

PostPosted: Mon Oct 31, 2022 22:04    Post subject:
Yes, my router is old (BCM5357, 32 MB, 4 MB). And I need a new one. But I need one that will harden my network while keeping the features I am using and adding new features I need. If the hardening features are not possible in DD-WRT, then I have to go with a business Cisco or similar. Or if the features are possible, but only with some specific releases of DD-WRT, then that will help me choose a router.
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Mon Oct 31, 2022 22:11    Post subject:
the-joker wrote:
dale_gribble39 wrote:
snip... build / date with old semantic versioning info

DD-WRT does not follow or has ever followed any semantic versioning of any kind

I disagree. It may not be what you consider semantic versioning, but releases post-v24-sp1 / sp2 at some point rolled over to SVN revision numbers from v.24:

https://ftp.dd-wrt.com/dd-wrtv2/downloads/stable/

https://forum.dd-wrt.com/wiki/index.php/What_is_DD-WRT%3F#Firmware_Versions

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Mon Oct 31, 2022 22:13    Post subject:
Right, if you want a better router that's fine, even enterprise level or whatever, but you're locked to bullshit which is closed source, which is part and parcel of your complaint about the IoT devices.

Unless of course you build your own router and use various well reputed opensource projects to whack in it.

But you can never and will never achieve any modicum of control, or whatever your misguided idea of security is, by running outdated and vulnerable whatever it is, like you are doing now with your old DD-WRT version, or anything, no matter what you do.

And let's say you're a billionaire and money is no object and you get state of the art whatever; security news says every other day that even such resource rich and apparently state of the art nonsense gets done for.

So security is a myth in tech. FACT! Anyone that says different is either delusional or is trying to sell you something. There are just mitigation levels.

In the end, be paranoid all you like; even if it's true (and your points are more than true), your tech, whatever it is, and let's say it is the most secure that ever existed in the history of secure systems, the most vulnerable element and most crucial to its successful penetration is you; all it takes is one click in the wrong place. These days most systems get hacked via highly sophisticated social engineering and dumb users who can't tell when they're being cultivated.

mjmeans
DD-WRT Novice


Joined: 10 Jul 2014
Posts: 6

PostPosted: Tue Nov 01, 2022 0:34    Post subject:
If you're arguing that there is a point of diminishing returns, I totally agree. I just want to stop substantially all the built-in garbage that is in these commercial IoT devices. Yes, I need a new router in order to even have some measure of success. But I want to pick the one that has the most secure configuration options available. While commercial or enterprise solutions may be closed source, they also may have commercial liability if they claim it is secure, though that is a very costly option and perhaps only offers a minimal additional level of security compared to an open-source project as long lived as DD-WRT with possibly millions of man hours behind it, which is why I want to stay with DD-WRT (albeit a newer release on a newer router) to the maximum security extent possible.

If DD-WRT is unable to do a single VAP and MAC filter per at-risk IoT device, for up to 16 such devices, let me perhaps ask in a different way. Which DD-WRT release has the most advanced IoT security focused features available, and which routers work with that release?
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Tue Nov 01, 2022 1:15    Post subject:
No DD-WRT release focuses on IoT; this isn't a gimmick firmware. IoT or whatever, it's just a device. It's how you configure DD-WRT, how you isolate the subnets and wireless (if it is wireless you are looking for, it's then a VAP with AP/net isolation on a separate subnet), as I already answered you in my first reply regarding that.

You can enable masquerade to allow those devices internet access and further use iptables to curtail such access by ports, or allow none at all, which as per your paranoia is what I would do if I can't flash those devices with opensource something, if possible.

You want these devices to be on a subnet with no communications to your LAN/WAN and only allow them NTP updates, or set up your own NTP server somewhere; everything else is not needed for these devices. They only need a current time, as none, not even most DD-WRT routers, have an RTC; only some x86/64 do. So separate subnet, if wireless what I said, and if you need further segregation and specific allowances you can achieve it with iptables.

As for commercial liability on any such nonsense, good luck with that, no such thing exists. Read any TOS or T&C, it's pretty obvious, unless you pay extra for insurance, and none insures you against governments spying on you using their built in telemetry or whatever else nonsense. Good luck with that line of reasoning.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Tue Nov 01, 2022 7:59    Post subject:
Best way to deal with wired IoT devices is VLANs and a switch.
Best way to deal with wireless IoT is a guest WiFi AP with net/AP isolation on its own VLAN, on its own bridge with its own DHCP / subnet... then you apply a few restriction rules regarding that VLAN on the br...

In my case I have a VLAN assigned to a bridge (bridged VLAN) and bound to one of the switch ports, then I have one managed switch connected to this VLAN + x1 WAP router connected to the switch... all for IoT

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Tue Nov 01, 2022 13:30    Post subject:
Unbridged WiFi VAP with AP/net isolation and separate DHCP (Networking tab) on a separate subnet is enough, no need for extra bridges, and using masquerade for WAN access should do it fine.
Then iptables to block anything but NTP updates.

Or preferably a local NTP server somewhere on the LAN and allow no WAN access / disable masquerade.

Can't get better than that. External managed switch to segregate wired devices, but again on a separate subnet.

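The isolated-VAP setup the-joker and Alozaros describe in the posts above (own subnet with its own DHCP, AP/net isolation, iptables letting the IoT devices reach nothing but an NTP server, masquerade only when that server is on the WAN side), written out as a DD-WRT firewall script; this is an added example, not code from the thread or from the DD-WRT project. The VAP interface name, the subnets, the NTP server address and the nvram variable lookup are assumptions and must be adjusted to your router.

```shell
#!/bin/sh
# Added example of a DD-WRT firewall script (Administration -> Commands -> Save Firewall)
# for an unbridged IoT VAP on its own subnet. All values below are assumptions: the VAP
# interface name depends on the chipset (wl0.1 on Broadcom, ath0.1 on Atheros), the
# subnets and the NTP server on your own LAN layout.
IOT_IF="${IOT_IF:-wl0.1}"                 # unbridged VAP carrying the IoT SSID
IOT_NET="${IOT_NET:-192.168.10.0/24}"     # subnet served by the VAP's own DHCP (Networking tab)
NTP_SERVER="${NTP_SERVER:-192.168.1.5}"   # the only host the IoT devices may talk to (UDP/123)
NTP_ON_WAN="${NTP_ON_WAN:-no}"            # yes = NTP server is on the internet, so NAT is needed
WAN_IF="${WAN_IF:-$(nvram get wan_iface 2>/dev/null || echo eth0)}"

# Emit the iptables commands. Each one is inserted at position 1 of its chain, so
# they are listed last-to-first: the final DROP is emitted first and the
# ESTABLISHED allow last, leaving each chain ordered allow, allow, drop.
gen_iot_rules() {
    # FORWARD: IoT may only open UDP/123 to the NTP server. Replies to sessions the
    # LAN opened towards a camera still pass (ESTABLISHED,RELATED), but the IoT side
    # can never initiate anything towards the LAN or the WAN.
    echo "iptables -I FORWARD 1 -i $IOT_IF -j DROP"
    echo "iptables -I FORWARD 1 -i $IOT_IF -d $NTP_SERVER -p udp --dport 123 -j ACCEPT"
    echo "iptables -I FORWARD 1 -i $IOT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # INPUT: the router only answers DHCP from this VAP (no DNS, no web UI, no SSH),
    # plus NTP if the router itself is the configured NTP server.
    echo "iptables -I INPUT 1 -i $IOT_IF -j DROP"
    echo "iptables -I INPUT 1 -i $IOT_IF -p udp --dport 67 -j ACCEPT"
    echo "iptables -I INPUT 1 -i $IOT_IF -d $NTP_SERVER -p udp --dport 123 -j ACCEPT"
    # NAT: masquerade the IoT subnet only towards the NTP server and only when it is
    # on the WAN side; with a LAN NTP server the subnet needs no WAN access at all.
    if [ "$NTP_ON_WAN" = "yes" ]; then
        echo "iptables -t nat -I POSTROUTING 1 -s $IOT_NET -d $NTP_SERVER -o $WAN_IF -p udp --dport 123 -j MASQUERADE"
    fi
}

# Apply the generated rules on the router, or just print them when called with "show".
apply_iot_rules() {
    if [ "${1:-}" = "show" ]; then
        gen_iot_rules
    else
        gen_iot_rules | sh
    fi
}

# In the saved firewall script call "apply_iot_rules" directly; the guard below keeps
# the file inert when it is sourced or run without the "apply" argument.
if [ "${1:-}" = "apply" ]; then
    apply_iot_rules
elif [ "${1:-}" = "show" ]; then
    apply_iot_rules show
fi
```

Run it with `show` first and check the printed chain order before saving it as the firewall script; on the router, `iptables -L FORWARD -n -v` afterwards should list the three IoT rules at the top.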