When I get back home after a long day at work, it’s dark, and my mind often wanders into thoughts of how secure (physically) my home actually is. As I unlock the front gate, then the flyscreen door, then the actual front-door (3 locks), I grin as I consider how easy it is for someone to simply break a window to get in, or jimmy the flimsy sliding door locks on the side of the house. I suppose it’s more of a deterrent than anything else. Why do I concern myself with these things? Well, I’ve had my prized possessions stolen before. My mountain bikes mean the world to me, and the scum of the earth bike thieves took them. Absolute scum.
As I open my door, it’s nice to see that my TV is still hanging on the wall, and everything is as I left it. I suspect this is a thought that goes through the minds of a lot of people. Did I remember to lock the front door? Who REALLY cares if you didn’t? (Well to start off with, without any signs of forced entry, it’s unlikely your insurance company will replace that TV!). If you were confident you left it unlocked, chances are you’d turn around, even if it meant being late to that important meeting, and lock up. Why do we give so much credence to physical security, yet the majority of us don’t even bat an eyelid in regards to our meta-physical security, our data… (which I know technically isn’t meta-physical, It just sounds so cool I had to say it…)
“Home network security is something that we tend to overlook, and I suspect the primary reason is that we don’t value its contents to the same extent as our physical world.”
Let’s take the worst-case scenario. Assuming your home network gets 100% pwned. What will you lose? Let’s follow Doctor Angela Ziegler as an example. Doctor Ziegler is a medical scientist conducting some ground-breaking research at the state-of-the-art facilities at work. She works long hours and tends to bring work home with her on her work issue laptop. At home, she enjoys watching live gaming streams of overwatch on twitch, and the occasional episode of the (legitimately downloaded) TV-Show “Where Are My Pants?”.
At home, she has a NAS drive she purchased from her local target, containing precious photos of her colleagues (some who have passed away, others suffered a worse fate), as well as some auxiliary research papers. Connected appliances such as her cloud controlled Air-conditioner, and her Lucky-Goldstar (LG) Internet Connected refrigerator also form part of her network, along with all the latest generation gaming consoles.
Back at the office, we trust that all her research is secured by the security team, but what about back home?
Who setup the network at home? Were there any thoughts towards security during its design? Was it even designed, or did she just use the default Huawei Modem/Router supplied by her ISP?
What are the risks here? What does Dr. Ziegler have to lose? If your thoughts jumped to the NAS drive, with the photos and research, you would be partially correct. This is indeed the most obvious concern, if this data were to be lost, would it be replaceable? A TV at home is easy to replace, in fact, you would probably upgrade, but the photos, they are gone. What dollar value would Dr. Ziegler place on these? If you could buy your own photos that were previously lost, how much would you pay? Especially if it contains photos of friends and family who are no longer with us… Think ransomware. Apart from the personal effects, what about the auxiliary research documents? What value do they have for Dr. Ziegler, and the organisation funding her research? What if these got into the hands of a competitor? (Talon)
If you are thinking that those documents should be stored on the servers back at the office… yeah, that’s fair… in best practice. However, as humans, we are often the weakest part of any network. We are lazy, and take shortcuts when available. It’s far quicker for Dr. Ziegler to have these files locally when she works from home, rather than VPN in to the office, using that annoying 2-factor authentication the security team back at the office implemented… Where did she leave that key-fob anyway?
On that note, she doesn’t only use her work issue laptop for research either. She sometimes uses her personal desktop (gaming rig) to crunch some numbers. After all, it’s far more powerful. This is the same machine she uses to watch twitch.tv streams and browse the Internet. What security does she have on this machine? Surprisingly, the common answer here is “none”.
We have barely scraped the surface though. Remember those connected appliances? It wasn’t long ago that a vulnerability in Miele dishwashers was discovered (Article Here), allowing an attacker root access to them. So what? I hear you cry. What’s the attacker going to do? Clean my dishes?
Fair response I suppose. I guess it would be possible to control different aspects of the machine itself, but that’s not the likely goal for an attacker (although I can think of a few funny pranks to do). They could use your machine as part of a botnet, to be used for an attack on an external party (such as DDOS’ing Blizzards servers), or they could use it to move laterally through your network. I.e. once they have control of your dishwasher, they can attack your NAS drive. This same concept applies to all devices on your network.
The good news is, it’s not that hard to follow some security best practices at home. Simple things like changing the default passwords on your devices and NAS go a surprisingly long way, Setting up Wifi with a strong password and appropriate encryption, segregating work from play by not using the same machines, and ensuring that a sufficient endpoint solution (anti-virus, anti-malware etc) is present on ALL your machines. Above all, backup your important documents! Not just on a NAS locally, but offsite too. There are many cloud-based backup solutions that could be used for Photos and Private material… BUT NOT FOR SENSITIVE WORK CONTENT!
I will address Doctor Zieglers not so unique situation in a later post, detailing a potential solution. The first step however, is identifying the risk. So the next time you return home, and follow your own unlocking routine, maybe have a think about what it is that you’re securing, and more importantly, what you’re not!
Written by Ronen Meshel
You can read more about Ronen on his website: ronen.it/