40

In order to mitigate or manage the risk from having some of the devices on my home network compromised, is it feasible to monitor network traffic so as to detect a compromise?

I'm specifically interested in solutions which don't require me to be a networking expert, or to invest in anything more than a cheap single-board computer. Is this a feature that can practically be integrated in a router firewall, or is the problem too difficult to bound to have a simple, easy to configure solution?

I'm not asking about Wireshark - I'm asking for a self-contained system which can generate alerts of suspicious activity. Also, I'm thinking more of something practical to set up for a capable amateur rather than a robust production-quality solution.

Addendum: I see there is now a Kickstarter project (Akita) which seems to offer cloud-based analytics driven from local WiFi sniffing.

Sean Houlihane

5 Answers

18

This is not a straightforward topic. Detecting a compromise, as you put it, can happen in many forms and result in multiple outcomes in terms of system or network behavior. Observing that may require knowing the difference between normal and suspicious in terms of system and network behavior.

For a home solution at the network level, the recommended option is a (transparent) proxy or a customized gateway running multiple network services (i.e., DHCP, DNS) and security applications (e.g., firewall, IDSs, proxies) that can help with logging (e.g., HTTP proxy, DNS queries), hardening (e.g., filtering, blacklisting, whitelisting), monitoring (e.g., network traffic) and alerting based on signatures. Major tools for this include Bro, IPFire, pfSense and Snort.

See Setting up a Proxy server on my home router to enable content filtering for details on an example setup.

dfernan
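As an added example that is not part of this answer: the DNS-query logging and blacklist alerting the answer describes, in Python. It parses dnsmasq-style `query[...]` log lines (the sample lines, the device inventory and the blocklist below are constructed placeholders, not a real feed or real traffic), attributes each query to a device by its lease address, and alerts when a name falls under a blocked domain.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style lines (not real traffic). With log-queries enabled,
# dnsmasq logs "query[TYPE] name from client" for every lookup it answers.
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[1234]: query[A] time.example-cloud.test from 192.168.1.20
Jan 10 12:00:02 dnsmasq[1234]: query[A] cdn.example-cloud.test from 192.168.1.20
Jan 10 12:00:05 dnsmasq[1234]: query[A] update.bad-c2.test from 192.168.1.21
Jan 10 12:00:06 dnsmasq[1234]: query[AAAA] api.weather.test from 192.168.1.21
Jan 10 12:00:07 dnsmasq[1234]: query[A] mail.bad-c2.test from 192.168.1.21
Jan 10 12:00:09 dnsmasq[1234]: cached api.weather.test is 203.0.113.10
"""

# Constructed blocklist (placeholder domains; a real gateway would load a feed).
BLOCKLIST = {"bad-c2.test", "tracker.test"}

# Constructed device inventory keyed by DHCP lease address.
DEVICES = {"192.168.1.20": "thermostat", "192.168.1.21": "camera"}

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")


def parse_queries(log_text):
    """Yield (qtype, name, client) for each query line; other dnsmasq lines are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name").lower().rstrip("."), m.group("client")


def is_blocked(name, blocklist=BLOCKLIST):
    """Exact or parent-domain match: 'update.bad-c2.test' is caught by 'bad-c2.test'."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def alerts_from_log(log_text, devices=DEVICES, blocklist=BLOCKLIST):
    """One alert dict per blocked query, attributed to the device that asked."""
    alerts = []
    for qtype, name, client in parse_queries(log_text):
        if is_blocked(name, blocklist):
            alerts.append({"device": devices.get(client, client), "client": client,
                           "qtype": qtype, "name": name})
    return alerts


def queries_per_device(log_text, devices=DEVICES):
    """Distinct names each device resolved: a cheap baseline of what 'normal' looks like."""
    seen = defaultdict(set)
    for _, name, client in parse_queries(log_text):
        seen[devices.get(client, client)].add(name)
    return {dev: len(names) for dev, names in seen.items()}


if __name__ == "__main__":
    for a in alerts_from_log(SAMPLE_LOG):
        print(f"ALERT {a['device']} ({a['client']}) resolved {a['name']} [{a['qtype']}]")
    print(queries_per_device(SAMPLE_LOG))
```

On a real gateway the same script would tail the dnsmasq log (or read ulogd2/conntrack output) instead of a string; the suffix match is what makes a single blocklist entry cover every subdomain a device might try.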
16

This is beyond trivial. Every somewhat sophisticated IoT device will communicate via HTTPS, making it not too easy to know what it is talking about, even if you do have a non-compromised internet gateway in your router.

Unfortunately you can't know which endpoints the IoT device is supposed to talk to and which not. While most of the big consumer electronics suppliers will have their dedicated backbones, that doesn't mean the devices might not have good reason to talk to other providers of information (e.g. weather services, cooking recipe communities, etc.).

All these things you cannot possibly know, and even worse, an over-the-air update of your IoT device can change that behavior completely. If you set up your own security gateway with filter criteria of blacklisting or whitelisting, you might seriously impede your device's functionality. For example, you might have successfully determined every one of the usual addresses to whitelist, but you'll never get an update because those are rarely used communication partners.

The answer: Pattern Recognition

Detecting that your device has been compromised is usually done by pattern recognition. That's no simple matter, but simply put, the pattern recognition engine on your security gateway will detect a drastically changed behavior if your toaster has been hacked and starts sending spam.

Aurora0001
Helmar
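An added example, not code from this answer: a minimal version of the per-device "pattern recognition" described above. It learns each device's services, destinations and typical upload size from a baseline window of flow records (the devices, addresses and byte counts are constructed), then flags later flows that deviate, such as the toaster suddenly opening SMTP connections to several hosts it has never talked to, or the camera uploading ten times its usual volume.

```python
from collections import defaultdict

# Constructed flow records: (timestamp, device, dst_ip, dst_port, proto, bytes_out).
# On a real gateway these would come from conntrack / ulogd2 flow exports.
BASELINE = [
    (0,   "toaster", "198.51.100.5", 443, "tcp", 1200),
    (60,  "toaster", "198.51.100.5", 443, "tcp", 900),
    (120, "toaster", "198.51.100.7", 443, "tcp", 1100),
    (0,   "camera",  "203.0.113.9",  443, "tcp", 50000),
    (30,  "camera",  "203.0.113.9",  443, "tcp", 52000),
    (90,  "camera",  "192.168.1.2",   53, "udp", 120),
]
LATER = [
    (3600, "toaster", "198.51.100.5", 443, "tcp", 1000),    # normal
    (3601, "toaster", "192.0.2.10",    25, "tcp", 4000),    # new service: SMTP
    (3602, "toaster", "192.0.2.11",    25, "tcp", 4000),
    (3603, "toaster", "192.0.2.12",    25, "tcp", 4000),
    (3610, "camera",  "203.0.113.9",  443, "tcp", 51000),   # normal
    (3620, "camera",  "203.0.113.9",  443, "tcp", 900000),  # upload spike
]


class DeviceProfile:
    """What one device looked like during the baseline window."""

    def __init__(self):
        self.services = set()   # (proto, dst_port) pairs seen
        self.dests = set()      # destination addresses seen
        self.byte_samples = []

    def learn(self, dst_ip, port, proto, nbytes):
        self.services.add((proto, port))
        self.dests.add(dst_ip)
        self.byte_samples.append(nbytes)

    def typical_bytes(self):
        """Median upload size; robust against one large baseline flow."""
        s = sorted(self.byte_samples)
        return s[len(s) // 2] if s else 0


def build_profiles(flows):
    profiles = defaultdict(DeviceProfile)
    for _, dev, dst, port, proto, nbytes in flows:
        profiles[dev].learn(dst, port, proto, nbytes)
    return dict(profiles)


def score_flows(profiles, flows, new_dest_limit=2, byte_factor=10):
    """Return (timestamp, device, reason) for every flow that deviates from its profile."""
    alerts = []
    new_dests = defaultdict(set)
    for ts, dev, dst, port, proto, nbytes in flows:
        p = profiles.get(dev)
        if p is None:
            alerts.append((ts, dev, "unknown device"))
            continue
        if (proto, port) not in p.services:
            alerts.append((ts, dev, f"new service {proto}/{port} to {dst}"))
        if dst not in p.dests:
            new_dests[dev].add(dst)
            if len(new_dests[dev]) == new_dest_limit + 1:
                alerts.append((ts, dev, f"talking to {len(new_dests[dev])} destinations never seen before"))
        if p.typical_bytes() and nbytes > byte_factor * p.typical_bytes():
            alerts.append((ts, dev, f"{nbytes} bytes out, over {byte_factor}x typical"))
    return alerts


if __name__ == "__main__":
    for ts, dev, reason in score_flows(build_profiles(BASELINE), LATER):
        print(f"t={ts} {dev}: {reason}")
```

The thresholds (`new_dest_limit`, `byte_factor`) are the knobs that trade false positives against sensitivity; a firmware update that legitimately changes a device's destinations will trip the destination check, which is exactly the caveat the answer raises, so the baseline has to be re-learned after such events rather than frozen forever.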
11

At this point, the complexity of what you want is beyond "cheap, single-board computer" levels. The easiest solution available is to set up something like SNORT, which is an intrusion detection system. Initially, it will alert you to everything that's going on, and you'll get way too many false positives. By training it over time (itself a manual process) you can reduce it to a reasonable alert rate, but there are currently no "pre-canned" solutions available on the consumer market. They either require significant investments of money (corporate / commercial solutions) or time (open source DIY-class solutions), either of which would put the solution in question outside the acceptable scope of complexity. Your best bet is honestly going to be something like SNORT - something that's "good enough" to detect most issues and "easy enough" to train that you won't get too frustrated before it's usable.

John
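As an added illustration of the "training" step, not part of this answer: the two tuning knobs that do most of the false-positive reduction in Snort, `suppress` (drop a signature entirely for a given source) and `event_filter ... type limit, track by_src, count 1, seconds 60` (pass at most one alert per source per minute), reimplemented in Python over a constructed stream of raw alerts (the SIDs, addresses and messages are placeholders). The same decisions would normally be written in Snort's `threshold.conf`; the script just makes their effect on the alert rate visible.

```python
from collections import Counter

# Constructed raw alerts as an untuned IDS would emit them:
# (timestamp_seconds, sid, src_ip, message)
RAW_ALERTS = [
    (0,  1001, "192.168.1.20", "SSDP discovery broadcast"),
    (5,  1001, "192.168.1.20", "SSDP discovery broadcast"),
    (10, 1001, "192.168.1.20", "SSDP discovery broadcast"),
    (12, 1001, "192.168.1.21", "SSDP discovery broadcast"),
    (20, 2002, "192.168.1.21", "outbound SMTP from IoT segment"),
    (25, 2002, "192.168.1.21", "outbound SMTP from IoT segment"),
    (70, 1001, "192.168.1.20", "SSDP discovery broadcast"),
    (80, 3003, "192.168.1.30", "mDNS chatter from media player"),
    (85, 3003, "192.168.1.30", "mDNS chatter from media player"),
]

# Tuning decisions taken after watching the raw stream for a while.
# Equivalent Snort 2 config lines:
#   suppress gen_id 1, sig_id 3003, track by_src, ip 192.168.1.30
#   event_filter gen_id 1, sig_id 1001, type limit, track by_src, count 1, seconds 60
SUPPRESS = {(3003, "192.168.1.30")}
LIMIT_RULES = {1001: (1, 60)}   # sid -> (count, seconds)


def tune(alerts, suppress=SUPPRESS, limits=LIMIT_RULES):
    """Return the alerts that survive suppression and per-source rate limiting."""
    kept = []
    window = {}   # (sid, src) -> (window_start, alerts_passed_in_window)
    for ts, sid, src, msg in alerts:
        if (sid, src) in suppress:
            continue
        if sid in limits:
            count, seconds = limits[sid]
            start, n = window.get((sid, src), (None, 0))
            if start is None or ts - start >= seconds:
                start, n = ts, 0            # open a fresh window
            if n >= count:
                window[(sid, src)] = (start, n)   # over the limit: drop silently
                continue
            window[(sid, src)] = (start, n + 1)
        kept.append((ts, sid, src, msg))
    return kept


def by_signature(alerts):
    """Alert count per SID, to see which rules are generating the noise."""
    return Counter(sid for _, sid, _, _ in alerts)


if __name__ == "__main__":
    print("raw:  ", dict(by_signature(RAW_ALERTS)))
    print("tuned:", dict(by_signature(tune(RAW_ALERTS))))
```

Note that the SMTP alerts (SID 2002) pass untouched: the point of tuning is to silence the known-benign chatter so that the one signature that actually matters is not lost in it.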
7

The NoDDos tool I'm developing is targeted to do just what you are asking for. Right now it can recognize IoT devices by matching them to a list of known profiles; it can collect the DNS queries and traffic flows of each matched IoT device and upload them to the cloud for pattern analysis based on large sets of devices. The next step is to implement ACLs on the Home Gateway to restrict traffic flows per IoT device. The tool is targeted to run on Home Gateways. The current version is written in Python, requiring you to run Python on your OpenWRT HGW or install it on a Linux DIY router. In OpenWRT I can't collect info on the traffic flows yet, but on the Linux DIY router I can, using ulogd2. So right now you need a simple Linux-based router with a regular Linux distribution to get this fully up and running with traffic flows, but once my port to C++ is finished, you'll be able to run this on any OpenWRT router.

You can read my blog for more info about how the tool works.

Steven
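An added example, not the NoDDos code (and the profiles, OUI prefixes and destination ranges below are constructed placeholders, not any real vendor's): matching a device to a known profile by MAC OUI or, failing that, by DHCP hostname prefix; listing the flows that fall outside the profile; and rendering the profile as per-device nftables rules for the gateway's forward chain, the kind of per-device ACL the answer mentions as its next step.

```python
import ipaddress

# Constructed profiles. OUIs use locally-administered (02:...) prefixes and the
# destinations are documentation ranges, so nothing here maps to real hardware.
PROFILES = [
    {"name": "example-thermostat", "oui": {"02:aa:bb"}, "hostname_prefix": "therm-",
     "allow": [("203.0.113.0/24", "tcp", 443), ("192.168.1.1/32", "udp", 53)]},
    {"name": "example-camera", "oui": {"02:cc:dd"}, "hostname_prefix": "cam-",
     "allow": [("198.51.100.0/24", "tcp", 443), ("198.51.100.0/24", "udp", 123),
               ("192.168.1.1/32", "udp", 53)]},
]


def match_profile(mac, hostname="", profiles=PROFILES):
    """Profile name for a device: MAC OUI first, DHCP hostname prefix as fallback, else None."""
    oui = mac.lower()[:8]
    for p in profiles:
        if oui in p["oui"]:
            return p["name"]
    for p in profiles:
        if hostname.lower().startswith(p["hostname_prefix"]):
            return p["name"]
    return None


def _profile(name, profiles=PROFILES):
    return next(p for p in profiles if p["name"] == name)


def flows_outside_profile(profile_name, flows, profiles=PROFILES):
    """flows: iterable of (dst_ip, proto, dst_port). Returns those the profile does not allow."""
    allow = [(ipaddress.ip_network(net), proto, port)
             for net, proto, port in _profile(profile_name, profiles)["allow"]]
    outside = []
    for dst, proto, port in flows:
        addr = ipaddress.ip_address(dst)
        if not any(addr in net and proto == ap and port == aport for net, ap, aport in allow):
            outside.append((dst, proto, port))
    return outside


def nft_rules(mac, profile_name, table="inet filter", chain="forward", profiles=PROFILES):
    """Render the profile as nft commands: one accept per allowed (net, proto, port)
    for this source MAC, then a final drop for everything else it sends."""
    rules = []
    for net, proto, port in _profile(profile_name, profiles)["allow"]:
        rules.append(f"nft add rule {table} {chain} ether saddr {mac.lower()} "
                     f"ip daddr {net} {proto} dport {port} accept")
    rules.append(f"nft add rule {table} {chain} ether saddr {mac.lower()} drop")
    return rules


if __name__ == "__main__":
    mac, host = "02:AA:BB:00:00:01", "therm-kitchen"
    name = match_profile(mac, host)
    print(mac, "->", name)
    print("outside profile:", flows_outside_profile(
        name, [("203.0.113.20", "tcp", 443), ("192.0.2.5", "tcp", 25)]))
    print("\n".join(nft_rules(mac, name)))
```

The "outside profile" list is the review step before enforcing anything: a flow that is legitimate but missing from the profile (a firmware-update host, say) shows up there first, so the profile can be extended before the drop rule cuts the device off.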
1

In short, standardization and product developments are underway to address this problem. Until then, there are few simple answers that don't require some networking knowledge.

My humble suggestion is easy to implement, and will provide your local network with some protection (although it won't protect the Internet at large) without knowing anything about networking other than how to plug in and use a wireless router.

Buy a separate wireless router for your home network, and use it just for your IoT devices. This will make it harder for the IoT devices to discover and attack your other devices (such as PCs, Tablets, and Smartphones). Likewise, it will provide your IoTs some protection from compromised computing devices you may have.

This solution may break some things, but the solution is perversely helped out by the mostly undesirable reality that today, many IoT devices achieve remote communications through a manufacturer-controlled cloud infrastructure, which will help your IoT devices communicate with your computing devices more safely than having them on the same network. It also allows the manufacturer to collect personal information about you and provide that to third parties.

Hugh Buntu