Thursday, September 27, 2012

Everything 2.0

I've been sharing security issues related to enterprise setting in my previous posts and this time around I'll move my focus to the place where we live and love, our home.

Let's rewind a few years back, say 5 years? We organically had handful of cables connecting to entertainment equipments whether in living rooms or bedrooms. Remember those bulky cables like RCA, component cables, and for certain audiophiles, there were optical S/PDIF (TOSLINK) cables meshed behind the TV stand? Main contributors to these cable mess were VCR, DVD player, satellite receiver, home theaters and whatnot for living room.

Fast forward to the present day, those bulk of cables are now largely replaced by the adoption of HDMI for various devices, and there is one more, Ethernet cable or WiFi to offer the extension of Web 2.0 beyond our computing devices. If you happened to purchase anything ranging from Bluray player to Smart TV to AV receiver recently, you are in the club of Everything 2.0 which means they have either or both of network connection mentioned above.

Now, let me bring up the reason why I pick up these devices and how they are leveraging the same (if not, more) security awareness as in corporate networks. While connected to the Internet, the rule of thumb is that you are vulnerable whether you are at home or at office. In fact, if you are at office you are considerably safer than in your home (and if you don't get this feeling, make some noise to your IT boss) provided that there are layers of security such as firewall, IPS, email gateway and so forth. So the network services you receive at your workplace could do less harm to your personal life.

So we could put up a list of average household items that we might have for infotainment.
  1. Smart TV
  2. Apple TV
  3. Set-top box
  4. AV receiver
  5. Bluray player
  6. HTPC
  7. NAS with DLNA support
And what makes me concerned of security at home with these toys? Network connection is one thing, yet another thing, they have something more serious, operating systems or firmware. For computers, we are more or less familiar to do software updates or even for smartphones we would naturally apply the OTA releases when pushed from the service providers. This is where the gap comes in. How often your instinct tells you to update your bluray player's firmware, with "Java" running inside, too common in almost all players and receivers sold today? And if your answer is somewhat between "No" and "should I?", you've been warned.

For customers of Hulu, Netflix or other pay-per-streaming services, these devices happily store your credentials as soon as you sign in. Another factor is that your home network is as secure as the strength of your home routers, in case you happened to own Huawei routers, please accept my sympathy. In addition, the release of Cloud-manageable home routers from Cisco - Linksys (yes, I mean EA series) which opened more possibilities to be exploited.

When I read this post about Java ME (embedded version 3.2), it gave me a chill because in near future, we may be seeing Stuxnet-like attacks to them as it was for Siemens SCADA. I dearly hope it doesn't materialize by any chance, if it were, the scale would be humongous.

So, in order to round things up, you have to ensure those devices listed above can receive updates, and better yet, apply the update automatically. Be on alert to periodically, if not religiously, check firmware updates for your home gateway. In some cases, if you have been using port forwarding (PAT) on your router to access other devices like wireless camera, make sure you put a STRONG password.

Over and out. À bientôt.