Knowing how an IoT device behaves when it starts up can help troubleshoot security issues.
When devices were first introduced as "internet enabled," they were portrayed as convenient time savers. IoT devices have had varying levels of success, from internet refrigerators that became digital note boards to widely used webcams, home security devices, DVRs, thermostats and remote computer access systems.
As with all growing technology, the internet of things has attracted the attention of people who exploit it for their own purposes. Manufacturers, unfortunately, didn't pay much attention to IoT security when they began introducing their devices. Security experts warned of IoT vulnerabilities, and last fall, their fears were justified when a botnet of compromised IoT devices called Mirai unleashed a crippling DDoS attack against DNS provider Dyn.
One technique I've preached the value of since the mid '90s – a boot baseline – can help with IoT security. The process is quite simple: Capture all the packets as that device powers on. Reviewing these packets gives us an understanding of what happens when an IoT device turns on and connects to the network, which can help with security investigations and in determining whether a device is infected.
In this video, I demonstrate how to get a baseline trace for a Linksys web camera by capturing a trace using Wireshark.
Just a few tips when performing a boot baseline trace:
- For best results, start with equipment fresh out of the box, or with only the minimal configuration needed (for example, wireless settings).
- When capturing Ethernet-attached devices, use taps, SPAN ports or hubs.
- When capturing wireless devices, use the same technique as above, but target the Ethernet port on the access point so that every packet the device sends and receives passes through the capture point.
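The value of a boot baseline comes from comparing it against later captures: if a device suddenly resolves names or contacts endpoints that never appeared when it was powered on fresh, that is the first thing to investigate. The following added example (mine, not from the article or the accompanying video) shows the comparison end to end. It constructs two tiny pcap files in memory, a clean boot and a later boot, with placeholder MAC addresses, IP addresses, host names and ports that are invented for the example; parses them back with a minimal pcap/IPv4/DNS reader; and reports every destination and DNS name in the later capture that the baseline never showed. On a real capture you would feed `parse_pcap` the bytes of the Wireshark or tcpdump file instead of the constructed data.

```python
import struct

# Constructed sample data: this script builds two tiny pcap files in memory
# (a boot baseline and a later capture), then compares them. MAC/IP addresses,
# host names and ports are made-up placeholders, not values from any real device.

PCAP_MAGIC = 0xA1B2C3D4
PROTO_TCP, PROTO_UDP = 6, 17

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def _dns_query(name):
    # Minimal DNS query: 12-byte header + QNAME labels + QTYPE A + QCLASS IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _ipv4(src, dst, proto, payload):
    # Header checksum is left at 0; the parser below does not verify it
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload

def _record(ts, ip_packet):
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    frame = eth + ip_packet
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame  # pcap record header + frame

def build_pcap(events):
    """events: ("dns", ts, src, resolver, name) or ("tcp", ts, src, dst, dport); returns pcap bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # global header, link type Ethernet
    for kind, ts, src, dst, arg in events:
        if kind == "dns":
            query = _dns_query(arg)
            l4 = struct.pack("!HHHH", 40000, 53, 8 + len(query), 0) + query  # UDP to port 53
        else:  # TCP SYN with no payload: data offset 5, flags 0x02
            l4 = struct.pack("!HHIIBBHHH", 40001, arg, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
        out += _record(ts, _ipv4(src, dst, PROTO_UDP if kind == "dns" else PROTO_TCP, l4))
    return out

def _dns_name(buf):
    labels, i = [], 0
    while buf[i]:                       # walk length-prefixed labels until the 0 terminator
        n = buf[i]
        labels.append(buf[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)

def parse_pcap(data):
    """Return one dict per IPv4 TCP/UDP packet: src, dst, proto, dport and the DNS name queried (if any)."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":  # skip non-IPv4 frames (ARP etc.)
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if proto not in (PROTO_TCP, PROTO_UDP):
            continue
        l4 = ip[ihl:]
        dport = struct.unpack("!H", l4[2:4])[0]  # destination port sits at the same offset in TCP and UDP
        dns = _dns_name(l4[8 + 12:]) if proto == PROTO_UDP and dport == 53 else None
        packets.append({"ts": ts, "src": ".".join(map(str, ip[12:16])),
                        "dst": ".".join(map(str, ip[16:20])), "proto": proto,
                        "dport": dport, "dns": dns})
    return packets

def baseline(packets):
    """What the device talked to: (dst, proto, dport) triples plus the names it resolved."""
    return {"endpoints": {(p["dst"], p["proto"], p["dport"]) for p in packets if p["dns"] is None},
            "dns_names": {p["dns"] for p in packets if p["dns"]}}

def new_since_baseline(base, later):
    """Everything in the later capture that the boot baseline never showed."""
    return {key: later[key] - base[key] for key in base}

# Constructed captures with placeholder addresses: the clean boot, then a later boot.
CAM, RESOLVER = "192.168.1.50", "192.168.1.1"
BOOT = build_pcap([("dns", 1000, CAM, RESOLVER, "time.example.net"),
                   ("tcp", 1001, CAM, "192.0.2.10", 443),
                   ("dns", 1002, CAM, RESOLVER, "cloud.example.net"),
                   ("tcp", 1003, CAM, "192.0.2.20", 8883)])
LATER = build_pcap([("dns", 5000, CAM, RESOLVER, "time.example.net"),
                    ("tcp", 5001, CAM, "192.0.2.10", 443),
                    ("tcp", 5002, CAM, "198.51.100.7", 23)])  # endpoint absent from the baseline

if __name__ == "__main__":
    drift = new_since_baseline(baseline(parse_pcap(BOOT)), baseline(parse_pcap(LATER)))
    for key, items in drift.items():
        print(key, sorted(items))
```

The baseline is deliberately coarse (destination, protocol, port, and resolved names) because that is what survives across reboots; packet counts and timings vary from boot to boot and would only produce noise. Keep the clean boot capture file with the device, and re-run the comparison whenever the device is suspected of misbehaving.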