Jailing IoT devices with OpenWRT

Most IoT devices communicate with servers on the Internet. How can you ensure they are not used for malicious purposes by the manufacturer, a government, or some random hacker?

My PetWant cat feeder has remote control via a mobile phone app, video and, most importantly, feed notifications that report whether the food was dispensed or got stuck, as sometimes happens.

The device has a telnet interface, contacts over 10 servers around the world, and attempts to download firmware updates from a server in China. It also checks for and, if found, executes an arbitrary script from the same server. The device is built around a Foscam IP security camera; there is a good analysis of what it does.

OpenWRT is an open source firmware for many wireless routers. I run it on a TP-Link AC1750.

My concerns

  1. My cat feeder has access to my home network: home server, phones, laptops, and could be used for snooping on them.
  2. It can also be used to launch a denial of service attack on somebody (see the recent Mirai botnet).

Unfortunately, I can’t disconnect it as I need feed notifications on my phone.

Jail it!

My solution is to jail it – isolate it into a separate network with Internet access and clamp its upload bandwidth to 5kbps.

Another solution could be to restrict communication to the hosts it needs to communicate with, but the list of these hosts seems to change from time to time.

Creating a Separate Network with OpenWRT

  1. Create an additional wifi network on one of the radios
  2. Set wifi security for it
  3. Assign it an IP address
  4. Enable DHCP server in the network
  5. Allow it to communicate with WAN

All of the above is done in OpenWRT admin, with no scripts or coding.

Create an additional wifi network on one of the radios:

Log in to OpenWRT, go to Network -> WiFi in the main menu, and click Add.

[Screenshot: wireless overview]

In Interface Configuration, General Settings, specify the SSID for the new wifi network, check “create” as the network connection and fill in its name (I called it “lanpw”):

[Screenshot: interface configuration]

On Wireless Security tab, specify wifi encryption and password:

[Screenshot: interface configuration, wireless security]

Click “Save”.

Now go to Network -> Interfaces and find the interface you’ve just created (“lanpw” in my case).

Set the protocol to “Static Address” and click “Change Protocol”.

Fill in an IP address. This also defines the address of the network, so make sure to specify something different from the other networks you have. I chose 192.168.5.1; with netmask 255.255.255.0 the network is 192.168.5.0:

[Screenshot: interfaces, lanpw]

Specify the DHCP network range – click “Setup DHCP Server”, I left the defaults:

[Screenshot: DHCP server]

On the Firewall Settings tab, select “unspecified -or- create:” and fill in a name for the new firewall zone.

[Screenshot: firewall settings]

Click “Save”

Connect the created network to the Internet (WAN):

Select Network -> Firewall in the main menu, find the firewall zone you created (“lanpw” in my case), and click Edit:

[Screenshot: firewall zones]

Check connections to wan for source and destination forwarding. Note I left out the connection to my lan, as I don’t want my new network to communicate with it.

[Screenshot: inter-zone forwarding]

Click “Save and Apply” and restart the router. Test the new network with a mobile phone or some other device. It will be able to talk to the Internet, but not devices in the home network.
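
One way to check the result of the steps above from the router's shell, added here as an example (it is not from the original post): the function reads `uci show firewall` output, flags any forwarding that links the jailed zone to a zone other than wan, and notes when the zone's input policy is ACCEPT, which governs traffic addressed to the router itself. The sample input is constructed; the zone name lanpw follows the post.

```shell
# Usage on the router: uci show firewall | audit_jail_zone lanpw
audit_jail_zone() {
    awk -v jail="$1" -v q="'" '
    {
        line = $0; gsub(q, "", line)                # drop the quotes uci prints
        eq = index(line, "="); if (eq == 0) next
        v = substr(line, eq + 1)
        n = split(substr(line, 1, eq - 1), k, ".")  # firewall . section . option
        if (n == 2) { type[k[2]] = v; next }        # section header, e.g. =zone
        if (n == 3) val[k[2], k[3]] = v
    }
    END {
        leaks = 0
        for (s in type) {
            if (type[s] == "forwarding") {
                src = val[s, "src"]; dst = val[s, "dest"]
                # A forwarding that touches the jail must have wan on the other side.
                if ((src == jail && dst != "wan") || (dst == jail && src != "wan")) {
                    print "LEAK: forwarding " src " -> " dst; leaks++
                }
            }
            if (type[s] == "zone" && val[s, "name"] == jail && val[s, "input"] == "ACCEPT")
                print "WARN: zone " jail " input=ACCEPT, clients can reach router services"
        }
        exit (leaks > 0)
    }'
}

# Constructed sample in `uci show firewall` format (not taken from the post).
sample_firewall() {
    cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[2]=zone
firewall.@zone[2].name='lanpw'
firewall.@zone[2].input='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lanpw'
firewall.@forwarding[1].dest='wan'
EOF
}

sample_firewall | audit_jail_zone lanpw
```

The function exits non-zero when it finds a leak, so it can gate a config change; the input=ACCEPT line is a warning only and does not affect the exit status.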

Clamping Upload Bandwidth

  1. Create a traffic control class in QoS settings restricted to 5kbps
  2. Mark traffic from the jailed network with this class in firewall scripts

Building on the Simple QoS settings I run, I added a new class and named it “1:40”:

$TC class add dev $IF_DSL parent 1:1 classid 1:40 hfsc ls rate 5kbit ul rate 5kbit

ls rate 5kbit (link-share) is the minimum the class gets when other traffic is present, and ul rate 5kbit (upper limit) is the cap that applies when there is no other traffic.

In the script, add the classification command, making sure to edit your interface name and IP address:

$IPTMOD -s 192.168.5.0/24 -j CLASSIFY --set-class 1:40

I also added the same command to the OpenWRT firewall custom rules, which are reloaded each time the firewall config changes. This is the same command as above with all variables expanded:

/usr/sbin/iptables -t mangle -A POSTROUTING -o eth0 -s 192.168.5.0/24 -j CLASSIFY --set-class 1:40

7 thoughts on “Jailing IoT devices with OpenWRT”

  1. David

    I can see why you are worried about hardware that delegates all those tasks to supposedly trustworthy parties. I don’t allow any internet access to the tv and have my own player for watching videos.
    It seems that you could block all but authorized communications from one mac address to permitted ip using openwrt software. Having one or more separate networks does give a lot of control over potential hacking.
    I think the nice solution might also be to operate your own vpn that your phone connects to, then access the devices ‘locally’ from that. This could be a problem with complex server side relays from the manufacturer though and is a good reason to prefer open source products.

    1. admin Post author

      David, in my case the phone is talking to their servers, so I have to let the feeder talk to whatever it wants (the list of servers changes), while not allowing it to see anything in my LAN and clamping on DDoS potential. I thought separate low-speed Internet access was the best. Can’t see video from the feeder in my current config, though, too slow 🙁

    1. admin Post author

      Whoa, that’s very impressive! I am driving feed events from RPI W using optical coupling to the “Set” button.

  2. Peter

    Thank you for this. This might be very helpful for me as I recently flashed my router with Openwrt. I’m trying to do the same thing. I was under the impression I had to establish VLANs.

    1. AJ

      I’m new to OpenWrt and was also under that impression. Why is this a better solution than putting our IoT devices in a VLAN?

      1. admin Post author

        You can do VLAN as well – the idea here is a) separate IoT traffic at OSI layer 1 or 2 b) shape IoT connection to the Internet to 5kbps, so device stays relatively happy but cannot mount any credible denial of service.
