I want my gadgets, but I also want to be secure
I am an early adopter of new and interesting tech. I have a ton of gadgets, and every month something new is getting plugged into my network. From Nest cameras, Alexa and Google at Home, to Internet connected lights; I’m currently considering what I can do with my doorbell. But I’m also a security person — and my inner security voice is always screaming in my ear about the potential security vulnerabilities in every new gadget I buy and how I am just making attackers’ lives easier every time a new toy comes online. But I plug it in anyways, because I want to experience the promises of the technology and see how it may enrich my life. Or at least be fun to play with.
Fast forward to a conversation I was having with a friend about high-profile individuals targeted by attackers, what the attack approach would be, and what if anything could be done about it. This made me reflect on my personal attack surface and ask myself the hard question: If I was hacked, how would I know before it was long gone and too late? I’m considering the full spectrum of threats, from common malware getting on my systems through the usual Internet activities, to adversaries devious enough to intercept an Amazon delivery and backdoor a device I wind up plugging into my network. And as I said, I plug in a lot of devices…
Hackers targeting high-profile executives at home is real. And although I am not a high-profile executive, my career absolutely mandates I should still personally be well prepared since I’m someone who is intimate with enterprise security and, generally speaking, aims to follow best security practices for home and family. But setting up and monitoring a home network is a bit different from the standard enterprise security approaches. There a couple things I know I won’t do:
- Setup any sort of IDS-type network monitoring. I don’t have an SOC staffed with an analyst team (nor will I pay an MSSP) to watch for alerts and triage the false positives. And I am definitely not going to be reviewing my alerts daily.
- Segment my network into different trust zones. This is too complicated and, frankly, I need everything in my home to be able to talk to each other to achieve the Smarthome dream. That’s how my mood lights turn on and jazz music happens at the same time, controlled by my phone and coordinated with things like IFTTT.
- Pipe my entire network traffic to my someone, to do traffic inspection on my behalf. No seriously, I was talking about writing this article with a friend, and they mentioned how they GRE tunnel executive’s home network traffic to a SOC for traffic inspection. Yikes! Privacy nightmare!
- Write code, compile drivers, configure services. Become a Linux guru and a network packet jockey, maintain network taps and servers, patch things daily, build things nightly, and otherwise live and breath the bits and bytes to make all this happen. I just want to focus on my life and have great technology-enabled experiences that are (hopefully) secure.
Given all the above, I want a “it just works” solution/setup that I can plug in and forget about. I’m willing to roll up my sleeves and do some custom hands-on engineering to make it all happen, but that starts to exclude others who are less technically savvy than myself from also doing what I come up with. I wanted something that security-concerned individuals can reasonably deploy, without having to be any sort of engineer nor babysit the solution at the system admin level. This being the case, here is where I ended up.
A starter approach to raise the bar
It’s much too complex to try to prevent attackers from exploiting something and getting a starting point. Instead, assume the attackers have managed to obtain a foothold in the corner of your network, and go from there. The key is to consider what would they do next (e.g. recon), and how would one detect/block that while also exposing their presence. I decided I needed two simple things:
- Visibility of what’s on my network (devices), and ability to block or blacklist devices if they look compromised or otherwise unknown (Hello, wifi AP hacks!)
- Detection of an attackers looking to further do bad things and move around my network. The answer to me felt obvious: anywhere visibility is bad but you need some indication attackers are poking around, drop in a tripwire/honeypot!
For visibility (#1), I started off with Google’s Wifi AP, which gaves me visibility of devices on my network. It really surprised me though, that the AP lacked any features or capability to block anything! This seems like an obvious feature that should be there, but it was not.
For detection of network movement (#2), a honeypot is a good fit to the need, but it needs to be plug and play. I wanted something I could just sit and notify me if it’s ever touched. The problem is a honeypot needs to be a running system, and I did not want to mess with setting up another computer or running a VM/Docker image on an existing computer. I’m looking for something self-contained and preferably self-hosted.
What I ended up actually doing
One of the great things about being an engineer and a maker, is that if you can’t find exactly what you’re looking for, you can always build it yourself! Deploy a Linux box or two, mash up some open source, create some scripts, schedule some cron jobs, etc. But that brings overhead, lead time, and a whole bunch of commitment towards incubating a solution when, overall, I just want to get it done. And I wanted something that can be easily deployed by executives at home, so compilers and command lines were a non-starter. I wanted off-the-shelf and ready-to-run.
For the honeypot I found Thinkst Canary (https://canary.tools/), which was perfect. It is an all-in-one hardware device (yay, another gadget!) that has a cloud management console allowing you to control the honeypot facade and see any security alerts. Simple, easy, secure and surprisingly highly configurable. It also allows me to generate “data canaries” (honeypot data tokens), which I can litter around my systems to see who is opening my files. I’ll dive into this deeper, in a future article.
Next up is the network visibility and blocking capability. Many Wifi APs offer this capability, but I decided I wanted something that could be dropped onto an existing Wifi network, not mandate a Wifi router replacement. It was hard to really find a satisfying 3rd party solution; I even went as far as coding up my own (https://github.com/csima/arpscan). But forunately Fing recently released their Fingbox (https://www.fing.io/fingbox-network-security-appliance/) which does exactly what I was hoping for. The Fingbox gives visibility reports of all network devices, allows me to group and classify devices, and I can even kick things off the network. Plus it’s a self-contained, managed hardware device.
And it works!
So, there I was. Two physical devices I can plug into my network and simply configure with my phone. I got them deployed and then promptly went about my life, forgetting they were there. Occasionally the Fingbox would fire an alert, whenever I plugged in something new in or booted up some legacy device it wasn’t aware of. I have to give Fing credit here, as the alerts were immediate and spot-on.
After running for two weeks with no noticeable security activity, my mother in-law dropped by and used the Wifi network. Almost immediately I received an alert of an Android device portscanning my network and accessing the data canary. The origin device causing all the trouble was, in fact, my mother in-law’s phone. Through the simple Fingbox UIs I immediately kicked the phone off the network and asked to take a peek at it. Sure enough, a malware scanner app confirmed the phone had an infection. Now that’s what I call success!
Where to go from here
The security industry continues to focus attention on the enterprise — but our home networks have become complex, sprawled, and porous enough that they need direct attention too. Especially as I start thinking about targeted executives, and their exposures at home being no less a risk than their exposures within the enterprise. Thus the need for something at home that goes beyond the typical consumer-grade antivirus software.
I feel the setup I mentioned herein offers a solid approach to raise the security bar a bit while still keeping it extremely simple to deploy/manage and not impacting any privacy. I know I sleep a bit easier at night knowing something is in place.
If you prefer to build from scratch
Although my solution is simple and straightforward, it also costs money. Thinkst Canary is an amazing product — but it is not cheap, and definitely falls outside of the typical home user gadget price range. If your more inclined to leverage open source and build/deploy things yourself, here are a couple of recommended honeypot alternatives to consider:
A comprehensive list of available honeypot options can be found at https://github.com/paralax/awesome-honeypots