Most IoT devices communicate with servers on the Internet. How do you ensure they are not used for malicious purposes by the manufacturer, a government, or some random hacker?
My PetWant cat feeder has remote control via a mobile phone app, video and, most importantly, feed notifications reporting if the food was dispensed or got stuck as it happens sometimes.
The device has a telnet interface, contacts over 10 servers around the world, and attempts to download firmware updates from a server in China. It also checks for, and if found, executes an arbitrary script from the same server. The device is built around a Foscam IP security camera; there is a good analysis of what it does.
OpenWRT is open source firmware for many wireless routers. I run it on a TP-Link AC1750.
- My cat feeder has access to my home network: home server, phones, laptops, and could be used for snooping on them.
- It also can be used to launch a denial of service attack on somebody (check out recent Mirai botnet).
Unfortunately, I can’t disconnect it as I need feed notifications on my phone.
My solution is to jail it – isolate it into a separate network with Internet access and clamp its upload bandwidth to 5kbps.
Another solution could be to restrict communication to the hosts it needs to communicate with, but the list of these hosts seems to change from time to time.
Creating a Separate Network with OpenWRT
- Create an additional wifi network on one of the radios
- Set wifi security for it
- Assign it an IP address
- Enable DHCP server in the network
- Allow it to communicate with WAN
All of the above is done in OpenWRT admin, with no scripts or coding.
Create an additional wifi network on one of the radios:
Log into OpenWRT, go to Network -> WiFi in the main menu, and click Add.
In Interface Configuration, General Settings, specify the SSID for the new wifi network, check “create” as the network connection and fill in its name (I called it “lanpw”):
On the Wireless Security tab, specify the wifi encryption and password:
Now go to Network -> Interfaces and find the interface you’ve just created (“lanpw” in my case).
Set the protocol to “Static Address” and click “Change Protocol”.
Fill in an IP address. This also defines the address of the network, so make sure to specify something different from the other networks you have. I chose 192.168.5.1; with netmask 255.255.255.0 the network is 192.168.5.0:
Specify the DHCP range: click “Setup DHCP Server”. I left the defaults:
On the Firewall Settings tab, select “unspecified -or- create:” and fill in a name for the new firewall zone.
Connect the created network to the Internet (WAN):
Select Network -> Firewall in the main menu, find the firewall zone you created (“lanpw” in my case), and click Edit:
Check the wan connections for both source and destination forwarding. Note that I left out the connection to my lan, as I don’t want the new network to communicate with it.
Click “Save and Apply” and restart the router. Test the new network with a mobile phone or some other device. It will be able to talk to the Internet, but not devices in the home network.
Clamping Upload Bandwidth
- Create a traffic control class in QoS settings restricted to 5kbps
- Mark traffic from the jailed network with this class in firewall scripts
Building on the Simple QoS settings I run, I added a new class and named it “1:40”:
$TC class add dev $IF_DSL parent 1:1 classid 1:40 hfsc ls rate 5kbit ul rate 5kbit
ls (link share) 5kbit is the bandwidth the class is guaranteed when other traffic is competing for the link; ul (upper limit) 5kbit is the ceiling it gets even when there is no other traffic, so the jailed network can never upload faster than that.
In the script, add classification command – make sure to edit your interface name and IP address:
$IPTMOD -s 192.168.5.0/24 -j CLASSIFY --set-class 1:40
I also added the same command to the OpenWRT firewall custom rules, which are reloaded each time the firewall config changes. This is the same command as above with all variables expanded:
/usr/sbin/iptables -t mangle -A POSTROUTING -o eth0 -s 192.168.5.0/24 -j CLASSIFY --set-class 1:40
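The same jail written out as UCI config fragments, so the result of the LuCI clicks can be checked with `cat /etc/config/firewall` rather than by clicking through the admin pages. This is an added example, not from the original post; the radio name, SSID and passphrase are assumptions, while the interface name, addresses and zone name are the post's own.

```uci
# /etc/config/wireless: the extra AP (radio name and SSID are assumptions)
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'petfeeder'
	option network 'lanpw'
	option encryption 'psk2'
	option key 'REPLACE-WITH-PASSPHRASE'

# /etc/config/network: the jailed network, addressed as in the post
config interface 'lanpw'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: what LuCI's "Setup DHCP Server" writes with the defaults
config dhcp 'lanpw'
	option interface 'lanpw'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall: the jail zone. The only forwarding entry points
# at wan; no entry to or from 'lan' exists, so the feeder cannot reach
# the home network. Caveat: input is ACCEPT (the zone default), so the
# feeder can still talk to the router itself (DNS and DHCP, but also
# LuCI/SSH). Setting input to REJECT and allowing only udp ports 53 and
# 67 from this zone closes that if it matters to you.
config zone
	option name 'lanpw'
	option network 'lanpw'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lanpw'
	option dest 'wan'

# /etc/firewall.user: the upload clamp from the post, reapplied on every
# firewall reload. eth0 must be your WAN interface and class 1:40 must
# already be created by the QoS script's tc line.
/usr/sbin/iptables -t mangle -A POSTROUTING -o eth0 -s 192.168.5.0/24 -j CLASSIFY --set-class 1:40
```

After `/etc/init.d/network reload` and `/etc/init.d/firewall reload`, `tc -s class show dev eth0` should show class 1:40 accumulating bytes while the feeder uploads, and a laptop joined to the new SSID should reach the Internet but fail to ping anything on the home lan.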