Need help protecting weak IoT device from ARP spoofing

DD-WRT Forum Index -> Atheros WiSOC based Hardware
Orionis (DD-WRT Novice, joined 30 Apr 2016, 8 posts)
Posted: Tue May 22, 2018 18:29    Subject: Need help protecting weak IoT device from ARP spoofing
Edit: Forgot to mention, DD-WRT v3.0-r35681 on a TP-Link C7v2.

The situation
After a fresh flash and configuration

1) ARP spoofing attack begins on the weak IoT device
2) Signal strength of the IoT device to the gateway now shows -50% of normal, but everything seems OK (I suspect a man-in-the-middle registration to a spoofed gateway, but probably automated, because it is not smart enough to hide the signal strength differential)
3) ARP attacks on the rest of the network (I suspect the weak IoT device has given up the network map after it passed through the spoofed gateway)

Then I can't tell how it happens, only that something very bad has happened.

Dnsmasq seems poisoned
Multiple systems become infected with Trojans (only detectable with offline scanners)

I am fairly certain WPA2 is not compromised because I am only using AES with a random machine-generated number (so it is unlikely it was brute-forced), unless there is something new I don't know about for breaking IoTs with weak defenses.

This is repeatable, because I only checked for ARP spoofing after noticing other bad things, and after reflashing the router and the compromised admin machine.

...and hey, if you want to go tinfoil hat, maybe this is not some shitlord skiddie stealing my internet
*dramatic music* maybe it's laying of the ground work for a cyberwar! https://www.us-cert.gov/ncas/alerts/TA18-106A *eyeroll*

So... as the title suggests, any advice on basic configuration for securing insecure IoT devices?
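Added example (written for this page; not code from the thread or from DD-WRT) of what steps 1 to 3 above look like from the router's side and how to catch them: a busybox-compatible sh script that diffs two snapshots of the kernel ARP table in /proc/net/arp layout and reports any IP whose hardware address changed, plus any hardware address that now answers for more than one IP. The snapshot contents, IPs and MACs are constructed for the demonstration.

```shell
#!/bin/sh
# arp_watch.sh - added example, not code from the thread or from DD-WRT.
# Diffs two snapshots of the kernel ARP table (/proc/net/arp layout) and flags
# the two symptoms of an ARP-spoofing MITM as seen from the router:
#   - an IP whose hardware address changed between snapshots
#   - one hardware address answering for several IPs
# All addresses below are constructed sample data.

# Print "ip mac" for every complete entry in a /proc/net/arp-format file ($1).
# Skips the header line and incomplete entries (flags 0x0, all-zero MAC).
arp_pairs() {
    awk 'FNR > 1 && $3 != "0x0" && $4 != "00:00:00:00:00:00" { print $1, tolower($4) }' "$1"
}

# Report IPs whose MAC differs between the OLD ($1) and NEW ($2) snapshots.
# Output line: CHANGED <ip> <old-mac> -> <new-mac>
arp_mac_changes() {
    awk 'FNR > 1 && $3 != "0x0" {
            ip = $1; mac = tolower($4)
            if (NR == FNR) { old[ip] = mac; next }      # still reading the first file
            if ((ip in old) && old[ip] != mac)
                printf "CHANGED %s %s -> %s\n", ip, old[ip], mac
         }' "$1" "$2"
}

# Report MACs that claim more than one IP inside a single snapshot ($1).
# Output line: DUPLICATE <mac> claims <ip> <ip> ...
arp_mac_claims() {
    awk 'FNR > 1 && $3 != "0x0" {
            mac = tolower($4); ips[mac] = ips[mac] " " $1; n[mac]++
         }
         END { for (mac in n) if (n[mac] > 1) printf "DUPLICATE %s claims%s\n", mac, ips[mac] }' "$1"
}

# --- constructed sample snapshots (what /proc/net/arp looked like before and after) ---
ARP_DIR="${TMPDIR:-/tmp}/arp_watch.$$"
mkdir -p "$ARP_DIR"
ARP_BEFORE="$ARP_DIR/before"
ARP_AFTER="$ARP_DIR/after"
cat > "$ARP_BEFORE" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.50     0x1         0x2         b8:27:eb:11:22:33     *        br0
192.168.1.20     0x1         0x2         3c:22:fb:aa:bb:cc     *        br0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        br0
EOF
cat > "$ARP_AFTER" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.50     0x1         0x2         de:ad:be:ef:00:01     *        br0
192.168.1.20     0x1         0x2         3c:22:fb:aa:bb:cc     *        br0
192.168.1.77     0x1         0x2         de:ad:be:ef:00:01     *        br0
EOF

# Stand-alone run: the IoT host 192.168.1.50 is now answered for by a MAC that
# also claims 192.168.1.77, the pattern of one attacker box impersonating a victim.
arp_mac_changes "$ARP_BEFORE" "$ARP_AFTER"
arp_mac_claims  "$ARP_AFTER"
```

On the router, feed it real snapshots (cp /proc/net/arp /tmp/arp.new from cron, compare against the previous copy, rotate) and pin the entries you care about with arp -s <ip> <mac>. Caveat: this only sees the router's side of the exchange. An attacker who poisons only the IoT client (telling it the gateway's IP lives at the attacker's MAC) never touches the router's table, so client-side signs like the signal-strength drop in the post remain the only evidence from here; AP isolation or a separate SSID/VLAN for the device removes the attacker from its segment altogether.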
Alozaros (DD-WRT Guru, joined 16 Nov 2015, 6414 posts, Location: UK, London, just across the river..)
Posted: Tue May 22, 2018 19:29
Just block IoT WAN access: add this line to the firewall script
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p tcp -s IP of IoT -j DROP

Just replace "IP of IoT" with your IoT's IP.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
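An added example, written for this page rather than taken from Alozaros' post or from DD-WRT, that extends the one-liner above into a per-device firewall script. Note that the original rule matches only -p tcp, so UDP and ICMP from the device still leave; the script below drops every protocol except an allow-list of destinations, logs what it drops at a limited rate, and refuses packets that carry the device's IP from a different MAC. The device IP, MAC and destination addresses are assumed values; nvram get wan_iface is what DD-WRT provides, and the script falls back to eth0 when run off-router. The functions only print iptables commands so the rule set can be inspected before it is piped to sh.

```shell
#!/bin/sh
# iot_fw.sh - added example for a DD-WRT firewall script; not from the thread.
# Builds per-device iptables rules that let one IoT host reach only an
# allow-list of WAN destinations, log (rate limited) and drop everything else
# it sends out regardless of protocol, and pin its IP to its MAC.
# IOT_IP, IOT_MAC and the allow-list below are assumed sample values.

WAN_IF="${WAN_IF:-$(nvram get wan_iface 2>/dev/null || echo eth0)}"   # DD-WRT WAN interface; eth0 off-router
LAN_IF="${LAN_IF:-br0}"

# Print an idempotent rule pair: delete any existing copy, then insert at the top.
rule() {   # rule <CHAIN> "<match/target args>"
    rc="$1"; shift
    echo "iptables -D $rc $* 2>/dev/null"
    echo "iptables -I $rc $*"
}

# Print the rules for one device.
#   $1 = device IP, $2 = device MAC, remaining args = WAN destinations (IP or CIDR) it may reach
iot_rules() {
    ip="$1"; mac="$2"; shift 2
    chain="IOT_$(echo "$ip" | tr . _)"        # one user chain per device, e.g. IOT_192_168_1_50
    echo "iptables -N $chain 2>/dev/null; iptables -F $chain"

    # 1. Source pinning: a packet carrying the device's IP from any other MAC is dropped
    #    on input to the router and on forwarding. This stops an attacker talking to the
    #    router *as* the device; it does not stop the attacker impersonating the router
    #    toward the device (that side needs AP isolation or a separate VLAN).
    rule INPUT   "-i $LAN_IF -s $ip -m mac ! --mac-source $mac -j DROP"
    rule FORWARD "-i $LAN_IF -s $ip -m mac ! --mac-source $mac -j DROP"

    # 2. Everything the device sends toward the WAN goes through its own chain.
    rule FORWARD "-i $LAN_IF -o $WAN_IF -s $ip -j $chain"

    # 3. Allowed destinations return to the normal FORWARD policy; every other protocol
    #    and destination is logged (rate limited) and dropped. DNS/DHCP/NTP served by the
    #    router itself arrive through INPUT, not FORWARD, so they are unaffected.
    for dst in "$@"; do
        echo "iptables -A $chain -d $dst -j RETURN"
    done
    echo "iptables -A $chain -m limit --limit 6/min -j LOG --log-prefix \"$chain-DROP: \""
    echo "iptables -A $chain -j DROP"
}

# Number of allow-list entries in a generated rule set (sanity check before applying).
iot_rules_allowed() { iot_rules "$@" | grep -c -- '-j RETURN'; }

# Sample device and allow-list (assumed values): the vendor's cloud range and the
# DNS server the device hard-codes. Apply on the router with:  iot_rules ... | sh
IOT_IP="192.168.1.50"
IOT_MAC="b8:27:eb:11:22:33"
iot_rules "$IOT_IP" "$IOT_MAC" 203.0.113.0/24 8.8.8.8
```

Because every LAN host shares br0, traffic between the IoT device and the other LAN machines is bridged at layer 2 and never passes FORWARD: these rules govern only what leaves toward the WAN and what the router itself accepts. Keeping the device away from the rest of the LAN, which the compromise-in-hours scenario above calls for, needs a separate VLAN or SSID (or AP isolation); the allow-list then still lets the device reach its vendor, which answers the "it needs internet access" objection.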
Orionis (DD-WRT Novice, joined 30 Apr 2016, 8 posts)
Posted: Tue May 22, 2018 19:50
Hi,
and thanks for the response.

I don't understand what this will do to prevent the device from being attacked over Wi-Fi with something like aircrack.

Also the device needs internet access, or there is no point in having the device.

If you can maybe elaborate a little, it would be helpful to me and to others who also find themselves in this situation (an ever-increasing prospect until IoT security is taken seriously and WPA3 is mainstream).

*Some optional words that may be irrelevant but make me feel better by venting.* Since the device has been attacked at least 3 times (once before I clued in to the attack vector and had noticed problems, so I redid the configuration; a second time after DD-WRT updated for KRACK, as a general mitigation strategy for the continued problems I noticed; and a 3rd time when I noticed something still wrong and began actively logging for intrusion), I am assuming that the attacker 1) can pick it out specifically from all the other signals in the neighborhood and 2) picks it out specifically because it is weak and the way into my network.

Would it help if I named the brand and device for a more specific defense strategy? I don't really like calling vendors out because some real criminal scumbag found a specific vulnerability and baked it into a tool for SKIDDIES to play "I'm a cool hacker" with.
Orionis (DD-WRT Novice, joined 30 Apr 2016, 8 posts)
Posted: Tue May 22, 2018 23:09
More:

I don't need to call out the vendor anymore.
https://www.youtube.com/watch?v=galmWzHcNPU

The problem on MY network was first noticed in Mid-March 2018.
It is end of May 2018 and I haven't received a firmware update on the IoT device in question.

Regardless, while I'm waiting for my firmware patch...

The question remains.

You probably have crappy IoTs on your network.
How do you secure them from ARP spoofing, which leads to extreme destruction of security when there is a specific attack vector for the device?

I am hoping there is no one so malevolent in my neighborhood as to be doing this kind of thing on purpose... but for certain so much more has happened to my network than the IoT being connected to a spoofed AP. Once that happened, it seems the entire network was compromised in a matter of hours. (so again, WPA2 was probably not cracked by brute force, but something in the IoT device in question allowed entry to the entire network somehow)

I also don't believe anyone broke into my house to glean the information directly from the IoT, they were able to do it remotely. (rather concerning)

Maybe a better solution would be to start a new post with my settings to help harden general security, for cases when this kind of thing happens?
tatsuya46 (DD-WRT Guru, joined 03 Jan 2010, 7568 posts, Location: YWG, Canada)
Posted: Tue May 22, 2018 23:15    Subject: Re: Need help protecting weak IoT device from ARP spoofing
Orionis wrote:
Dnsmasq seems poisoned
Multiple systems become infected with Trojans (only detectable with offline scanners)


It's dnsmasq's fault your device got a trojan? Seems like another case of poor support from the device OEM instead...

_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r55488 std
[QUALCOMM] DIR-862L --------------------------------> r55460 std
▲ ACTIVE / INACTIVE ▼
[QUALCOMM] WNDR4300 v1 --------------------------> r50485 std
[BROADCOM] DIR-860L A1 ----------------------------> r50485 std


Sigh.. why do i exist anyway.. | I love you Anthony.. never forget that.. my other 99% that ill never see again..

Orionis (DD-WRT Novice, joined 30 Apr 2016, 8 posts)
Posted: Wed May 23, 2018 2:09
tatsuya46 wrote:
seems like another case of poor support from the device oem instead...


Agreed, hence the reason for the actual request.

"Hey guys, look at this Bullcrap regarding this one IoT device. Is there a suggestion for the configuration of the router I can control, so all my traffic isn't sent via the shitlord express to Russia, where the real hacker is compromising networks for realsies with the harvested info?"

'cause you know... this won't be the first or last time something like this happens to someone.

:\
Alozaros (DD-WRT Guru, joined 16 Nov 2015, 6414 posts, Location: UK, London, just across the river..)
Posted: Wed May 23, 2018 5:46
Well, there is not much to do if you have a corrupted device inside your network.....
If you can hook it to Wireshark and investigate all the background activity, then isolate it with iptables rules, then you can feel safer, but in general it's not a good idea to have a compromised device along with other devices on the same network segment... so either VLANs or another router will help you with that...
Personally I do not believe someone is KRACKing it via Wi-Fi and taking control over it, and so on...
There is another option: maybe you have some virus or Trojans crippling your network devices; try some AV scanners or so...
More often those IoT devices have Trojans that are flooding your network with either UDP or TCP messages to a remote IP or range of IPs, so if you can find and isolate those IPs this could be your remedy...

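Added example (not from the thread) for the "find the IPs it floods and isolate them" step in the post above: instead of a PC running Wireshark, the router's own connection-tracking table can be read in place. The script sums, per destination and port, the flows and bytes one host originated, using lines in the /proc/net/ip_conntrack layout with accounting counters (the packets=/bytes= fields, which need conntrack accounting enabled); it also accepts the /proc/net/nf_conntrack layout, which prefixes each line with the address family. The sample lines, hosts and addresses are constructed; field layout varies between DD-WRT builds, so check the parsing against your own table before trusting the numbers.

```shell
#!/bin/sh
# iot_talkers.sh - added example, not from the thread.
# Summarises, per (proto, destination, port), the flows and bytes one LAN host
# originated, from the router's connection-tracking table. Handles the
# /proc/net/ip_conntrack layout and /proc/net/nf_conntrack (lines prefixed
# with "ipv4 2"). Byte counters require conntrack accounting to be enabled.
# All sample data below is constructed.

# iot_talkers <conntrack-file> <host-ip>
# Output, busiest first: <proto> <dst-ip> <dst-port> <flows> <bytes>
iot_talkers() {
    awk -v host="$2" '
        {
            proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
            src = ""; dst = ""; dport = ""; bytes = 0; seen_bytes = 0
            # The first src=/dst=/dport=/bytes= on a line describe the originating
            # direction; the second set is the reply direction, which we skip.
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                if (kv[1] == "src" && src == "") src = kv[2]
                else if (kv[1] == "dst" && dst == "") dst = kv[2]
                else if (kv[1] == "dport" && dport == "") dport = kv[2]
                else if (kv[1] == "bytes" && !seen_bytes) { bytes = kv[2]; seen_bytes = 1 }
            }
            if (src != host || dst == "") next
            key = proto " " dst " " dport
            flows[key]++; total[key] += bytes
        }
        END { for (k in flows) printf "%s %d %d\n", k, flows[k], total[k] }
    ' "$1" | sort -k5,5nr -k4,4nr
}

# Only the busiest destination, e.g. to feed a targeted block or allow rule.
iot_top_talker() { iot_talkers "$1" "$2" | head -n 1; }

# Constructed conntrack snapshot: the IoT host 192.168.1.50 has three unreplied UDP
# flows hammering one remote port (the flooding pattern), a normal TLS session to its
# vendor, a DNS lookup, and there is an unrelated large transfer from another LAN host.
CT_FILE="${TMPDIR:-/tmp}/iot_talkers.$$"
cat > "$CT_FILE" <<'EOF'
udp      17 29 src=192.168.1.50 dst=203.0.113.7 sport=5555 dport=9999 packets=1431 bytes=180306 [UNREPLIED] src=203.0.113.7 dst=198.51.100.2 sport=9999 dport=5555 packets=0 bytes=0 mark=0 use=1
udp      17 25 src=192.168.1.50 dst=203.0.113.7 sport=5556 dport=9999 packets=1431 bytes=180306 [UNREPLIED] src=203.0.113.7 dst=198.51.100.2 sport=9999 dport=5556 packets=0 bytes=0 mark=0 use=1
udp      17 12 src=192.168.1.50 dst=203.0.113.7 sport=5557 dport=9999 packets=1431 bytes=180306 [UNREPLIED] src=203.0.113.7 dst=198.51.100.2 sport=9999 dport=5557 packets=0 bytes=0 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=203.0.113.40 sport=40112 dport=443 packets=120 bytes=12000 src=203.0.113.40 dst=198.51.100.2 sport=443 dport=40112 packets=110 bytes=60000 [ASSURED] mark=0 use=1
udp      17 20 src=192.168.1.50 dst=8.8.8.8 sport=53011 dport=53 packets=3 bytes=210 src=8.8.8.8 dst=198.51.100.2 sport=53 dport=53011 packets=3 bytes=400 mark=0 use=1
ipv4     2 tcp      6 431000 ESTABLISHED src=192.168.1.20 dst=198.51.100.77 sport=51000 dport=443 packets=9000 bytes=9000000 src=198.51.100.77 dst=198.51.100.2 sport=443 dport=51000 packets=8000 bytes=500000 [ASSURED] mark=0 use=1
EOF

# Stand-alone run: the UDP flood to 203.0.113.7:9999 tops the list for the IoT host.
iot_talkers "$CT_FILE" 192.168.1.50
```

On the router, point CT_FILE at /proc/net/ip_conntrack (or pipe conntrack -L into a file) and run it a few times over an hour. Whatever tops the list is either a legitimate allow-list entry (vendor cloud, DNS) or the target for a narrow drop such as iptables -I FORWARD -s 192.168.1.50 -d 203.0.113.7 -p udp --dport 9999 -j DROP. The [UNREPLIED] one-way UDP flows with identical byte counts are what a flood or beacon looks like in the table; a real session shows bytes in both directions.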
Orionis (DD-WRT Novice, joined 30 Apr 2016, 8 posts)
Posted: Wed May 23, 2018 20:42
Alozaros,

Thank you very much for your help and recommendations.

Also
https://blog.talosintelligence.com/2018/05/VPNFilter.html

Re-flash your problem items immediately.