Amnesia:33: Vulnerability in TCP/IP stack puts many IoT devices at risk

That is another reason to keep your IoT devices either firewalled or, preferably, totally away from the Internet cloud.

Some here put their IoT devices on a separate VLAN locally too.

I’d recommend holding back from becoming too concerned about this until some more specific details are posted. I’ve seen these sorts of press releases before and sometimes they drum up the fear and over hype the risk only to discover when you look at the details that the attacker has to have physical access to the machine or even if the vulnerability is exploited it’s only a risk in VM environments or the like. I’m not saying this is the case here. I can’t, they’ve not provided any details, which is something of a red flag frankly. The sky might be falling or these might be theoretically possible but not practical.

In the meantime, don’t expose stuff on your LAN to the Internet. If possible it’s good to block IoT devices from connecting to the Internet as well (obviously not possible with cloud-based devices). If you must have IoT devices that can connect to the Internet, putting them on a separate VLAN can provide some protections, mainly preventing those IoT devices from spying on your main network. However, that is largely outside the bounds of what the average user can do.

It’s important to understand one thing about network-based attacks like this. The target has to be reachable over the network. If your device is not reachable over the Internet, the attacker would have to be on your network already. That’s why it’s so important to not expose services on your LAN to the Internet. That simple mitigation (and mostly default setting for all home routers) will protect you from 90% or more of all the network-based attacks from outside your network. When you expose your openHAB instance to the Internet, even if it’s through a reverse proxy, you’ve punched a hole through that armor and suddenly you’ve become vulnerable to a huge range of attacks.

Keep everything patched. If you have anything exposed to the Internet, you have to be fanatical about patching.
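The segmentation advice above (IoT on its own VLAN, IoT blocked from the trusted LAN, IoT blocked from the Internet unless a device genuinely needs the cloud, and nothing forwarded in from the WAN) can be expressed as a single nftables forward policy. The ruleset below is an added example, not configuration from the original thread or from the openHAB project; the interface names, the 192.168.20.0/24 IoT subnet and the two allowlisted addresses are assumptions you would replace with your own.

```nft
#!/usr/sbin/nft -f
# Added example: IoT VLAN isolation on a Linux router.
# Interface names and addresses below are assumptions, not values from the thread.
define WAN = "eth0"      # upstream / Internet
define LAN = "br-lan"    # trusted network, e.g. where openHAB runs
define IOT = "br-iot"    # IoT VLAN
define IOT_CLOUD_OK = { 192.168.20.10, 192.168.20.11 }   # cloud-dependent devices only

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Management and DHCP/DNS from the trusted LAN only; nothing from WAN or IoT.
        iifname $LAN tcp dport 22 accept
        iifname { $LAN, $IOT } udp dport { 53, 67 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were already permitted.
        ct state established,related accept

        # Trusted LAN may initiate connections to IoT devices and to the Internet.
        iifname $LAN oifname { $IOT, $WAN } accept

        # IoT devices never initiate connections into the trusted LAN.
        iifname $IOT oifname $LAN drop

        # IoT devices are cut off from the Internet by default; only the
        # allowlisted cloud-dependent devices may reach the WAN.
        iifname $IOT oifname $WAN ip saddr $IOT_CLOUD_OK accept
        iifname $IOT oifname $WAN drop

        # No rule accepts traffic arriving on $WAN, and there is no DNAT
        # (port forward) table, so nothing on either internal network is
        # reachable from the Internet: the "keep services off the Internet"
        # mitigation the post describes.
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`; the two checks worth running afterwards are that a device on the IoT VLAN cannot open a connection to the openHAB host (the `iifname $IOT oifname $LAN drop` line) and that a port scan from outside shows nothing open, because the forward policy is `drop` and no DNAT exists. Adding an allowlist entry is then a deliberate decision per device rather than the default.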
