Posted: Tue May 22, 2018 18:29 Post subject: Need help protecting weak IoT device from ARP spoofing
edit: Forgot, DD-WRT v3.0-r35681 on TP-Link C7v2
The situation:
After a fresh flash and configuration
1) An ARP spoofing attack begins on the weak IoT device
2) Signal strength of the IoT device to the gateway now shows -50% of normal, but everything seems OK (I suspect a man-in-the-middle registration to a spoofed gateway, but probably automated, because it is not smart enough to hide the signal strength differential)
3) ARP attacks on the rest of the network (I suspect the weak IoT device has given up the network map after it passed through the spoofed gateway)
Then I can't tell how it happens, only that something very bad has happened.
dnsmasq seems poisoned
Multiple systems become infected with Trojans (only detectable with offline scanners)
I am fairly certain WPA2 is not compromised because I am only using AES with a random, machine-generated number (so it is unlikely it was brute-forced), unless there is something new I don't know about breaking IoTs with weak defences.
This is repeatable, because I only checked for ARP spoofing after noticing other bad things, and reflashing the router and compromised admin machine.
...and hey, if you want to go tinfoil hat, maybe this is not some shitlord skiddie stealing my internet
*dramatic music* maybe it's laying the groundwork for a cyberwar! https://www.us-cert.gov/ncas/alerts/TA18-106A *eyeroll*
So... as the title suggests, any advice on basic configuration for securing insecure IoT devices?
I don't understand what this will do to prevent the device from being attacked over WiFi with something like aircrack?
Also the device needs internet access, or there is no point in having the device.
If you can maybe elaborate a little it would be helpful to me and others who also find themselves in this situation. (an ever increasing prospect until IoT security is taken seriously and WPA3 is mainstream)
*Some optional words that may be irrelevant but make me feel better by venting* Since the device has been attacked at least 3 times (once before I clued into the attack vector and had noticed problems, so I redid the configuration; a second time after DD-WRT updated for KRACK, as a general mitigation strategy for the continued problems I noticed; and a 3rd time when I noticed something still wrong and began actively logging for intrusion), I am assuming that the attacker 1) can pick it out specifically from all the other signals in the neighborhood and 2) picks it out specifically because it is weak and the way into my network.
Would it help if I named the brand and device for a more specific defense strategy? I don't really like calling vendors out because some real criminal scumbag found a specific vulnerability and baked it into a tool for SKIDDIES to play "I'm a cool hacker" with.
The problem on MY network was first noticed in Mid-March 2018.
It is end of May 2018 and I haven't received a firmware update on the IoT device in question.
Regardless, while I'm waiting for my firmware patch...
The question remains.
You probably have crappy IoTs on your network.
How do you secure them from ARP spoofing, which leads to extreme destruction of security when there is a specific attack vector for the device?
I am hoping there is no one so malevolent in my neighborhood as to be doing this kind of thing on purpose... but for certain so much more has happened to my network than the IoT being connected to a spoofed AP. Once that happened, it seems the entire network was compromised in a matter of hours. (so again, WPA2 was probably not cracked by brute force, but something in the IoT device in question allowed entry to the entire network somehow)
I also don't believe anyone broke into my house to glean the information directly from the IoT, they were able to do it remotely. (rather concerning)
Maybe a better solution would be to start a new post with my settings to help harden general security, for cases when this kind of thing happens?
Posted: Tue May 22, 2018 23:15 Post subject: Re: Need help protecting weak IoT device from ARP spoofing
Orionis wrote:
dnsmasq seems poisoned
Multiple systems become infected with Trojans (only detectable with offline scanners)
It's dnsmasq's fault your device got a trojan? Seems like another case of poor support from the device OEM instead...
seems like another case of poor support from the device oem instead...
Agreed, hence the reason for the actual request.
"Hey guys, look at this Bullcrap regarding this one IoT device. Is there a suggestion for the configuration of the router I can control, so all my traffic isn't sent via the shitlord express to Russia, where the real hacker is compromising networks for realsies with the harvested info?"
'cause you know... this won't be the first or last time something like this happens to someone.
Posted: Wed May 23, 2018 5:46 Post subject:
Well, there is not much to do if you have a corrupted device inside your network...
If you can hook it up to Wireshark and investigate all the background activity, then isolate it with iptables rules, then you can feel safer, but in general it's not a good idea to have a compromised device along with other devices on the same network segment... so either VLANs or another router will help you with that...
Personally I do not believe someone is KRACKing it via Wi-Fi... and taking control over it... and so on...
There is another option: maybe you have some virus or Trojans crippling your network devices; try some AV scanners or so...
More often those IoT devices have Trojans that are flooding your network with either UDP or TCP messages to a remote IP or range of IPs, so if you can find and isolate those IPs this could be your remedy...
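The reply above suggests isolating the suspect device and watching its traffic; a cheap complement on the router side is to watch the router's own ARP table for the two footprints a spoofer leaves (a pinned host suddenly answering from a new MAC, and one MAC answering for several IPs). The script below is an added example, not from the thread or from DD-WRT; the IP/MAC pairs and the br0 interface are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Busybox-compatible sh/awk that a DD-WRT
# router could run from cron to spot ARP-spoofing footprints in its own
# neighbour table (/proc/net/arp). IP/MAC pairs below are constructed placeholders.

# Known-good "ip mac" pairs: the IoT device (from its label) and the gateway's
# own LAN MAC. Exported so awk can read them through ENVIRON.
PINNED="192.168.1.50 aa:bb:cc:dd:ee:50
192.168.1.1 aa:bb:cc:dd:ee:01"
export PINNED

# check_arp_table FILE  (FILE is normally /proc/net/arp)
# Prints one line per finding and returns 1 if anything is off, 0 when clean:
#   CHANGED <ip> expected <mac> saw <mac>   a pinned host answering from a new MAC
#   DUPMAC  <mac> <ip,ip,...>               one MAC answering for several IPs
check_arp_table() {
    awk '
    BEGIN {
        bad = 0
        n = split(ENVIRON["PINNED"], lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], f, " "); want[f[1]] = tolower(f[2]) }
    }
    NR > 1 && $3 != "0x0" {            # skip the header line and incomplete entries
        ip = $1; mac = tolower($4)
        seen[mac] = (mac in count) ? seen[mac] "," ip : ip
        count[mac]++
        if ((ip in want) && want[ip] != mac) {
            print "CHANGED " ip " expected " want[ip] " saw " mac; bad = 1
        }
    }
    END {
        for (m in count) if (count[m] > 1) { print "DUPMAC " m " " seen[m]; bad = 1 }
        exit bad
    }' "$1"
}

# Static-neighbour commands that pin the known pairs on the router itself, so
# the router's own stack ignores forged replies for those addresses. Printed
# rather than executed; pipe to sh on the router to apply.
pin_commands() {
    printf '%s\n' "$PINNED" | while read -r ip mac; do
        echo "arp -s $ip $mac"
    done
}
```

Run `check_arp_table /proc/net/arp || logger -t arpcheck "ARP anomaly"` from the router's cron to get findings into syslog; pinning only protects the router's view, so the isolation and VLAN advice above still applies to the IoT device itself.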