Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

09:55 AM
Larry Loeb
Larry Loeb
Larry Loeb

FBI's Portland Office Spies IoT Education Opportunity

The Federal Bureau of Investigation's office in Portland, Ore., uses 'Tech Tuesday' to offer IoT security advice.

The Federal Bureau of Investigation’s office in Portland, Oregon has started an effort that it calls "Tech Tuesday" to disseminate actionable security advice to users. Last weekit got around to the Internet of Things (IoT).

The FBI concentrated its advice on limiting an IoT device's access to the Internet router that it uses, since an attacker can leverage the unimpeded path to the enterprise network that can be provided by a WiFi router for malicious activity. As far as the router itself goes, they strongly -- and wisely -- advise changing the router's factory administrative settings from the default passwords. The new passwords should be strong enough to protect the router as well.

However, the network itself needs to be secured. As Portland put it, "Keep your most private, sensitive data on a separate system from your other IoT devices."

Many unsophisticated users will think that this means two separate routers will be needed to establish the two differing networks. That approach will indeed work, but there is a better one.

"Micro-segmentation" has been around in WiFi routers for a while. It enables a router's admin to create a virtual network (VLAN) which will act as different network than the primary one; even if they are resident on the same physical router. The enterprise could isolate other network-using devices with this technique such as printers, which have been hijacked in much the same way as a router can be.

Router maker Ubiquiti has blogged about the specific steps needed to create such a VLAN. First, the VLAN is created and ID'd. A Gateway/Subnet tag is then selected for it. Establishing a DHCP service map between the ports on the router and the IP of connected clients is the next task.

Activate the VLAN with all the choices that have made by assigning it a port on the router.

The last major step is to block traffic from the new VLAN to other networks. This is done by changing the firewall of the router. It is necessary to create a new rule for the firewall that includes the identity of the network that you wish blocked from communication with the other. If done right, all traffic from all other networks to the new network is allowed, but no traffic is allowed to be initiated from the new IoT VLAN to the sensitive network that is connected.

The FBI's Oregon office is trying to bring security to users, and for that it should be commended. But the simple format that it uses in this effort may need more detail about things that can be done, and where users should go to get them done.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.