Cybersecurity – A Beginner’s Guide to DIY Smart Home

So, you’re transforming your home into a smart one and have created your first device. Before you expand your Internet of Things network further, it’s crucial to consider cybersecurity. A well-secured IoT network can prevent unauthorized access and protect sensitive data.

Bear in mind that no network or device can be entirely invulnerable to unauthorized access. Therefore, instead of futile attempts to make your IoT network impenetrable, you should focus on these two basic objectives:

  1. Implement various obstacles proportional to what you’re protecting, making an attack not worth the effort. (Measures insufficient for managing heating or solar power might be more than enough for exterior lighting or monitoring retention tanks).
  2. Introduce failsafes to minimize the damage caused by a successful attack and limit the time and resources needed for recovery.
Cyber security

Basic principles

Basic DIY devices, such as those based on ESP8266 or ESP32, often lack built-in firewalls and advanced encryption capabilities. As a result, they largely rely on the security of the Wi-Fi network to which they are connected. While the device may not be powerful enough to sustain TLS-encrypted communication, all data exchange is still encrypted using the Wi-Fi network’s WPA encryption.

However, once the attacker connects to the same network, this data exchange can potentially be intercepted and read. This means that when using such devices, implementing certain network organization strategies and adhering to basic security principles is crucial. Continue below to find out more.

1. Cybersecurity through obscurity

The first rule of cybersecurity: you do not talk about cybersecurity. Do you have a dedicated network for enhanced protection? Great, but remember, the less you disclose about your cybersecurity measures, the better. Discussing the specifics of your security setup can inadvertently weaken it.

This concept isn’t limited to the digital realm but applies universally. Giving potential intruders a peek into your defense strategy is like openly revealing the placement of your home’s security sensors. It’s a heads-up you wouldn’t want to provide.

2. Separate and secure your Wi-Fi network

Though it may seem trivial, one of the key principles in IoT security is appropriately restricting access to the network hosting these devices. A good practice is partitioning Wi-Fi access by creating separate networks or subnetworks, either for guests or exclusively for sensitive devices, and securing them with complex, hard-to-guess passwords. It’s crucial to ensure that unauthorized individuals cannot access the network where unencrypted communication with your devices occurs. Enhancing security further can be achieved by disabling WPS (Wi-Fi Protected Setup) and ceasing the broadcasting of your SSID.

Do not forget to regularly update your router’s firmware for any security patches, as cybersecurity evolves rapidly. What’s secure today might not suffice in a few months. Additionally, it’s wise to periodically monitor network traffic and review the list of connected devices. Many attacks are preceded by a phase of reconnaissance, where attackers observe network activity to identify patterns or optimal times for exploitation.

3. Protect the external communication

While local network communication may sometimes remain unencrypted due to microcontroller limitations, it’s imperative that any communication leaving this network is secured using SSL/TLS encryption. This applies to all supporting services, including MQTT brokers and Node-RED instances. Within your secure, local network, unencrypted messages may roam freely, but ensure that any MQTT exchange with the outside internet always employs encryption.

Scenario A: I Have a Public IP Address

In cases where you have a public IP address, the setup is relatively straightforward. This configuration allows you to host an MQTT broker on your home network while maintaining its accessibility from the internet. Most common MQTT brokers, such as Mosquitto, support opening multiple port listeners with different security configurations. Consequently, you can set up your system to communicate with the broker unencrypted within the local network, while only permitting TLS-encrypted connections from the internet.

It is crucial never to forward ports from the external network to your unencrypted MQTT listener port or directly to your DIY devices. Doing so would leave these components critically vulnerable.

Find out more about securing your MQTT Mosquitto broker here: http://www.steves-internet-guide.com/mqtt-security-mechanisms/

Scenario B: I Don’t Have a Public IP Address

Handling MQTT communication without a public IP address can be more challenging, but there are still viable options. Even if your devices cannot directly communicate with externally hosted MQTT brokers using SSL/TLS encryption, you can use a locally hosted, unencrypted MQTT broker. Then, employ a Node-RED flow to act as a bridge, connecting external TLS-encrypted communication with internal, unprotected one.

Here is an example of setting up this bridge in Node-RED:

  1. Establish a connection to the externally-hosted, TLS-encrypted broker. This ensures that all communication leaving your local network is securely encrypted.
  2. Connect to the locally-hosted, unencrypted broker. This broker manages internal network communication.
  3. Implement broker-specific topic flags. Use clear, distinct topic flags for all messages to avoid confusion and prevent infinite feedback loops within the bridge. For instance, you can use message prefix “nonTLS/” for the local broker and “TLS/” for the external broker.
  4. Subscribe to “nonTLS/#” on the local broker, change the prefix to “TLS/”, and forward this modified message to the external broker.
  5. Conversely, subscribe to “TLS/#” on the external broker, replace the prefix with “nonTLS/”, and send this modified message back to the local broker.
TLS bridge effectively connects local unencrypted communication with external encrypted communication, ensuring security when interfacing with the broader internet.

4. Diversify the IoT providers

Relying on a single IoT infrastructure or device vendor offers both advantages and drawbacks. The convenience and user-friendliness of maintaining a single brand are apparent, but this approach comes at the cost of two significant, long-lasting security risks.

Firstly, the concentration of data through a single service provider increases the risk of your data falling into unauthorized hands. Even with a trustworthy provider, the potential for data leaks is an ever-present concern. In the event of a data breach, having all your data centralized means it could all be exposed at once, rather than just a portion. This makes damage limitation unnecessarily challenging, as the breach’s impact is amplified by the volume and scope of the data exposed.

Secondly, vendor lock-in significantly shifts negotiating power to the provider. If you’ve already established a considerable network with a particular vendor’s devices and services, transitioning to another provider can become prohibitively expensive. Vendors are aware of this and might exploit it by increasing prices for embedded services or hardware extensions, or by gradually altering terms and conditions to their advantage. This could include demanding access to or rights over more of your data.

To mitigate these risks, consider diversifying the vendors of your IoT devices and services. This strategy can neutralize such vendor incentives and help you retain greater negotiating power.

Incorporating open-source services wherever appropriate can enhance both your market position and cybersecurity, provided they are correctly installed and maintained. Open-source software, often developed by dedicated professionals and enthusiasts, tends to offer state-of-the-art quality and security. Its transparent nature also minimizes the risks associated with shady corporate practices taking place in the background.

5. Do not underestimate your cybersecurity

Although it might seem justifiable to lower security measures for non-sensitive applications, be careful in determining the true sensitivity of any data. It’s obvious why securing your thermostat controls is essential, but it can be tempting to consider passive telemetry data like room temperature or lighting levels as non-sensitive. However, remember that protecting against cyberattacks isn’t your only concern. Unsecured environmental data can inadvertently reveal your daily routines, potentially informing an intruder of the times you’re cooking, showering, sleeping, or away from home. Before dismissing any data as non-sensitive, always perform a thorough thought experiment to evaluate its potential for misuse.

Imagine yourself in the shoes of an intruder targeting a house with a similar IoT setup. Ask yourself if and how the available data could be exploited. If there’s any scenario where the answer is yes, it’s a clear indication that your cybersecurity needs improvements.

Do not forget that the the most effective security measure is to minimize the amount of data that needs protection in the first place. Be considerate in deciding which data needs to be accessible outside your local network.

Summary

Cybersecurity can be a complex topic, but you can significantly enhance your own security by adhering to a few fundamental principles. Below is a summary of these essential do’s and don’ts. Following these guidelines will help you maintain a more secure IoT environment, protecting against common vulnerabilities and threats.

Do:

  • Create Separate Networks or Sub-Networks: Distinguish between your sensitive infrastructure and guest access.
  • Use Complex Wi-Fi Passwords: Choose hard-to-guess passwords and update them regularly.
  • Disable WPS and Hide Your SSID: For your sensitive network, disable WPS (Wi-Fi Protected Setup) and SSID broadcasting.
  • Update and Secure Your Wi-Fi Router: Keep the firmware up-to-date and restrict physical access to the router and all connected devices.
  • Monitor Network Traffic: Regularly check for any suspicious activity on your network.
  • Back Up Sensitive Devices: Ensure you have reliable backups for all critical devices.
  • Diversify Services and Vendors: Avoid reliance on a single service provider or vendor.

Don’t:

  • Discuss Your Cybersecurity Details: Keep specific information about your security measures private.
  • Share Sensitive Network Credentials: Avoid giving out access to your secure network to guests.
  • Allow Unencrypted Internet Communication: Never forward unencrypted communication to the internet.
  • Connect Sensitive Devices to External MQTT Brokers Without Encryption: Always use TLS encryption for any device connecting to an MQTT broker outside your local network.
  • Depend Solely on One IoT Vendor/Service: Diversify your IoT infrastructure to reduce risks.
  • Centralize All Your Data: Avoid putting all your data in one place, which can be a significant risk if breached.
  • Externally Publish Unnecessary Data: Be cautious about what data is made available outside your local network.
  • Leave Devices in Their Default Settings: Personalize all passwords and security settings.