
Hacked from a lightbulb - bjoko
https://blog.checkpoint.com/2020/02/05/the-dark-side-of-smart-lighting-check-point-research-shows-how-business-and-home-networks-can-be-hacked-from-a-lightbulb/
======
tines
> Their research brought up an interesting question: Could attackers somehow
> bridge the gap between the physical IoT network (the lightbulbs) and attack
> even more appealing targets, such as the computer network in our homes,
> offices or even our smart city?

> And the answer is: Yes.

Does this surprise anyone? Was this really a question brought up by their
research? A computer with a network connection is a computer with a network
connection, no matter how small.

~~~
function_seven
It surprised me a little. These Hue bulbs are Zigbee only. They don't speak
TCP/IP. So using a bulb as the entry point to attack a home LAN requires some
chaining of exploits. First to compromise the Zigbee network and gain access
to the bridge, then compromise that to work your way into the rest of the
network.

I mean, I didn't think it was impossible. But it's not as apparent an attack
surface as a wi-fi gadget would seem.

------
jimsmart
As the old adage goes: the S in IOT stands for security. ;)

------
yborg
[https://www.forbes.com/sites/leemathews/2017/07/27/criminals...](https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/)

You can be hacked from your doorbell, thermostat, or refrigerator now. Soon,
hacks to vehicles will be able to propagate into home networks to install
malware. It's an exciting time to be a cybercriminal...

~~~
spikej
So what's a "best practice" if you ARE going to have these things in your
home? Keep them on a guest network that doesn't have access to your private
network? (with a separate device to control things)

~~~
Mister_Snuggles
I have a separate network for my IoT stuff - this network can access the
internet, but cannot initiate connections to my main network[0]. My main
network can initiate connections to the IoT network. The Hue bridge works
fine, with the default app, in this setup.

My main control device is a VM running Home Assistant, so the underlying
system (Hue and TRÅDFRI mainly) doesn't really matter much.

[0] Mostly. There's a port open for one device to do HTTP POSTs of data to one
machine on the main network. MQTT is also open so that my ESP32/ESP8266 stuff
can push data to the broker.

~~~
htgb
This seems really nice! May I ask how you set it up? Is it a question of
configuring routing, a firewall, or both? Does it matter if you have separate
or a shared subnet?

I have some router with Shibby Tomato laying around (DD-WRT is unsupported),
but I'm not sure if I need some other hardware, software, or if it's just a
matter of finding the right settings…
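One way to implement the setup Mister_Snuggles describes, and to answer htgb's question about routing versus firewalling: the two networks need to be separate subnets (separate VLANs or separate router ports; on a shared subnet hosts talk to each other directly through the switch and the router never sees the traffic), and the router between them enforces an asymmetric stateful policy. The following is an added example, not code from the thread or from any product mentioned in it. The addresses, interface names (lan0, iot0, wan0) and ports are assumptions; the nftables ruleset is one way to express the policy on a Linux router, and the Python class is a small stateful model of the same rules so the policy can be checked against sample flows offline.

```python
import ipaddress
from typing import Set, Tuple

# Assumed addressing (constructed for this example, not from the thread).
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")        # trusted network
IOT_LAN = ipaddress.ip_network("192.168.20.0/24")        # untrusted IoT network
COLLECTOR = ipaddress.ip_address("192.168.1.10")         # main-LAN host that accepts HTTP POSTs
COLLECTOR_PORT = 8080
POSTING_DEVICE = ipaddress.ip_address("192.168.20.50")   # the one IoT device allowed to POST
MQTT_BROKER = ipaddress.ip_address("192.168.1.20")       # broker that ESP boards publish to
MQTT_PORT = 1883

# Equivalent nftables forward-chain policy for a Linux router with three
# interfaces: lan0 (main), iot0 (IoT) and wan0 (ISP). The default policy is
# drop; the conntrack rule is what lets replies to main-initiated connections
# flow back from the IoT network while IoT-initiated connections stay blocked.
# (NAT for wan0 and the router's own input chain are out of scope here.)
NFT_RULESET = """\
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "lan0" accept
    iifname "iot0" oifname "wan0" accept
    iifname "iot0" ip saddr 192.168.20.50 ip daddr 192.168.1.10 tcp dport 8080 accept
    iifname "iot0" ip daddr 192.168.1.20 tcp dport 1883 accept
  }
}
"""

Flow = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


def zone(ip: str) -> str:
    """Map an address to the zone it lives in; anything outside both LANs is 'wan'."""
    addr = ipaddress.ip_address(ip)
    if addr in MAIN_LAN:
        return "main"
    if addr in IOT_LAN:
        return "iot"
    return "wan"


class StatefulFirewall:
    """Simplified model of the forward chain above: new connections are judged
    by zone and the two explicit exceptions; replies are matched by state."""

    def __init__(self) -> None:
        self.established: Set[Flow] = set()

    def _new_connection_allowed(self, src: str, sport: int, dst: str, dport: int, proto: str) -> bool:
        src_zone, dst_zone = zone(src), zone(dst)
        if src_zone == "main":                      # iifname "lan0" accept
            return True
        if src_zone == "iot" and dst_zone == "wan":  # iifname "iot0" oifname "wan0" accept
            return True
        if src_zone == "iot" and dst_zone == "main" and proto == "tcp":
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            if s == POSTING_DEVICE and d == COLLECTOR and dport == COLLECTOR_PORT:
                return True                          # the single HTTP POST exception
            if d == MQTT_BROKER and dport == MQTT_PORT:
                return True                          # MQTT open to the broker
        return False                                 # policy drop (includes wan-initiated)

    def packet(self, src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> str:
        """Return 'accept' or 'drop' for one packet, updating the state table."""
        if (dst, dport, src, sport, proto) in self.established:
            return "accept"                          # ct state established: reply direction
        if (src, sport, dst, dport, proto) in self.established:
            return "accept"                          # later packet of a known flow
        if self._new_connection_allowed(src, sport, dst, dport, proto):
            self.established.add((src, sport, dst, dport, proto))
            return "accept"
        return "drop"


if __name__ == "__main__":
    fw = StatefulFirewall()
    samples = [  # constructed sample flows
        ("192.168.20.7", 40000, "93.184.216.34", 443),   # IoT -> internet
        ("192.168.20.7", 40001, "192.168.1.5", 22),      # IoT -> main (blocked)
        ("192.168.1.5", 50000, "192.168.20.7", 80),      # main -> IoT (allowed)
        ("192.168.20.7", 80, "192.168.1.5", 50000),      # reply to the above
        ("192.168.20.50", 40002, "192.168.1.10", 8080),  # the one permitted POST
        ("192.168.20.7", 40003, "192.168.1.20", 1883),   # MQTT publish
    ]
    for s in samples:
        print(f"{s[0]}:{s[1]} -> {s[2]}:{s[3]}  {fw.packet(*s)}")
```

The model deliberately ignores everything nftables would also do (UDP, ICMP, NAT, timeouts), but it captures the property that matters for the Hue bridge case: the bridge is reachable from the app on the main LAN, yet a compromised bridge cannot open a connection toward anything on the main LAN except the two explicitly listed services. Shibby Tomato can express the same policy as separate VLANs plus iptables rules in its firewall script, but the syntax there differs from the nftables shown.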

------
kurthr
What strikes me about these IOT devices is that their value doesn't just go
down as they get old/outdated/unsupported, but they can easily become a
negative value that far exceeds the original price paid.

That is fairly unique (almost unknown in any simple physical device) and
requires a very different purchasing/disposal/return policy.

~~~
tehlike
Same for most networking equipment, I suppose.

------
mirimir
I guess that many don't isolate IoT stuff in at least a VLAN. And I guess
that's because "consumer" routers don't have such features.

It's pitiful.

~~~
tzs
Also consumers often just use the router their ISP provided.

Suppose your router does not have VLAN support, and you do not wish to replace
it. Can you add sufficient VLAN support to your network by adding switches
with VLAN support?

TP-Link has a couple of switches (TL-SG105E and TL-SG108E) [1] that are not
full managed switches but do more than common unmanaged switches. They are
priced about the same as unmanaged switches. I got the 8 port model for $30.

These switches have some VLAN capability, although I haven't looked into what
it can do. (I got it for its port mirroring ability, not its VLAN ability).

If you are using your ISP's router/WiFi access point, and your IoT devices use
WiFi then I'd guess there is not much you could do with switch-based VLANs.
The Hue bulbs, though, talk to a Zigbee hub that you plug into your ethernet,
so you can make all the Hue traffic go through a switch.

Another problem is that nearly all the documentation I've found on using VLANs
gets real "enterprisey" real fast. For even fairly sophisticated home users it
is probably really confusing, and so even if they have a router with good VLAN
support they might not be able to figure out how to use it.

[1] [https://www.tp-link.com/us/home-networking/5-port-switch/tl-...](https://www.tp-link.com/us/home-networking/5-port-switch/tl-sg105e/v5/#specifications) (SG108E is essentially the same, just with 8 ports instead of 5).

~~~
jlgaddis
I think the easiest -- but not the best, of course -- way to separate these for
the average home user/consumer would be to just "daisy chain" two standard
consumer routers.

The first plugs into your "Internet modem/router". Connect all of your
"untrusted" devices to it. Your second router also connects to the first, just
like the other devices do. Your "trusted" devices will connect to this second
router.

Your "trusted" devices (PCs, laptops, tablets, etc.) will be subject to double
NAT and, of course, NAT is not a security feature but this second router will
provide a bit of separation between your trusted and untrusted devices by way
of NAT and stateful firewalling, just as it would protect your internal
network if it were connected directly to your upstream ISP's network.

Again, this isn't ideal but it _would_ work for the average home user and it
eliminates the need to deal with/learn about VLANs or buy special hardware
that supports them.

~~~
mirimir
Yeah, this is the obvious simple fix.

This VM that I'm typing in is behind at least eight NAT routers. There's the
pfSense perimeter router, and at least one router between that and the ISP.
And then there are three pfSense VPN-gateway VMs, each with NAT by the VPN
server, and local NAT to a VBox internal network.

------
StreamBright
Some of my friends do not understand why I buy deadwood books, dumb TV,
traditional dumb lightbulbs and do not use any home automation or IoT at all.

~~~
leeoniya
There's no need to stick to dumb devices, especially when new devices have
much better hardware. Just don't connect them to a network unless they're
VLANed, pi-holed, or even MITM'd with filtering.

~~~
epalm
Personally I don’t think the benefit of smart devices outweighs the risk of
not keeping them “VLANed, pi-holed, or even MITM’d with filtering”.

What are the benefits anyways? Not having to physically get up and flick a
light switch anymore? Getting a push notification from my fridge that we’re
out of milk? Whyyy?

------
horseman
This is why I keep all my devices on a separate network from my computers.

