Wednesday, April 11, 2018

Cutting the Cord Considerations

There has been great interest in the Cutting the Cord presentations given by the Computer Club. The iDevices SIG has talked about streaming from iPads, using AppleTV, and similar. The Internet of Things group gave a full presentation on Cutting the Cord in August 2017, with follow-ups from users of smart TVs, Roku, Amazon Fire, Sling, Hulu, and similar. Many YouTube videos detail using your Mac as a DVR and other techniques for acquiring content otherwise available from Suddenlink cable service.
This post covers cyber security concerns, so it does not address over-the-air antennae, satellite content feeds, or Red Box.
If you have Suddenlink or a similar cable service to your house for cable TV, Internet, telephone land line, etc., a coax cable feeds into your house, and a DVR and secondary units take that coax cable TV signal to your TV, monitor, or other display devices. When you add Internet service you get or provide a cable modem to access the Internet TCP/IP bandwidth. Most households then add a router or two and one or more Wireless Access Points (WAPs), and use this home infrastructure to add all manner of useful devices: Internet door bells, smart phones, security cameras, tablets, and a growing list of others.
Most routers and WAPs have some Internet security built in: firewalls, web proxies, and similar.

Over time you add wireless printers, smart TVs, laptops, security cameras, and now devices to stream video content to your display devices. It might surprise you to look at your router or WAP to see how many devices have been added over time. It also might surprise you to see rogue devices on your home network.

 My concerns with adding devices to your home network for video content:

1) Unless you do it explicitly, those devices get added to the same virtual network (VLAN) as the devices you use for banking, shopping, email, etc. WiFi uses encryption, but only for the data portion of packets, and a wireless device that is on the wireless network can decrypt those packets. For devices on the same VLAN, a promiscuous device can "see" all traffic. Most streaming devices only need to reach the Internet, not the home-networked devices you use for finance. Consider using the "Guest" network feature found in most Wireless Access Points and/or routers. The Guest feature places the device on a separate VLAN that can reach the Internet but not the home network on the other VLAN. Depending on the WAP, Guest devices do not use the same encryption password that encrypts the data in wireless traffic packets; to gain access, a Guest device supplies a password on its first attempted web access, and that Guest access password is not used for encryption. By default the Guest network name is your Service Set Identifier (SSID) name with a "-guest" string appended.
In addition to Guest access you can use Media Access Control (MAC) filtering. Each network device has a unique 48-bit MAC address, and various means exist to determine the MAC address of each device. The wireless access point can filter on these MAC addresses; each address can be added to the allow list or the deny list.
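The two checks above (which devices are on the network, and whether the streaming devices actually landed on the guest VLAN rather than the finance VLAN) are easy to automate from the router's DHCP lease table. The following is an added example, not code from the original post or from any router vendor. It assumes dnsmasq's lease-file layout (expiry, MAC, IP, hostname, client-id), assumes the main and guest VLANs use the subnets 192.168.1.0/24 and 192.168.50.0/24, and uses constructed MAC addresses and hostnames; substitute your own router's export and subnets. Note that a MAC allow list is an inventory aid rather than a strong access control, since most devices can change their MAC address; the VLAN separation is the control that matters.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
)

// VLAN membership is inferred from the IP subnet a lease was issued from.
// These subnets are assumptions for this example; use your router's values.
var segments = map[string]string{
	"192.168.1.0/24":  "main",
	"192.168.50.0/24": "guest",
}

// Known is one entry of the MAC allow list: the device's name and the
// segment it is expected to live on (streaming devices belong on "guest").
type Known struct {
	Name    string
	Segment string
}

// Constructed allow list (MAC addresses are made up for this example).
var allowList = map[string]Known{
	"aa:bb:cc:00:00:01": {"laptop-main", "main"},
	"aa:bb:cc:00:00:02": {"roku-livingroom", "guest"},
	"aa:bb:cc:00:00:03": {"appletv", "guest"},
}

// Lease is one row of the DHCP lease table plus the inferred segment.
type Lease struct {
	MAC, IP, Hostname, Segment string
}

// Constructed sample lease table in dnsmasq layout:
// <expiry> <mac> <ip> <hostname> <client-id>
const sampleLeases = `1523400000 aa:bb:cc:00:00:01 192.168.1.10 laptop-main 01:aa:bb:cc:00:00:01
1523400000 aa:bb:cc:00:00:02 192.168.1.11 roku-livingroom 01:aa:bb:cc:00:00:02
1523400000 aa:bb:cc:00:00:03 192.168.50.20 appletv 01:aa:bb:cc:00:00:03
1523400000 aa:bb:cc:00:00:04 192.168.1.12 * *
1523400000 aa:bb:cc:00:00:05 192.168.50.21 android-7f3c *`

// segmentOf maps an IP address to the VLAN name, or "unknown".
func segmentOf(ip string) string {
	addr := net.ParseIP(ip)
	if addr == nil {
		return "unknown"
	}
	for cidr, name := range segments {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(addr) {
			return name
		}
	}
	return "unknown"
}

// parseLeases reads the lease table, skipping malformed rows.
func parseLeases(table string) []Lease {
	var out []Lease
	sc := bufio.NewScanner(strings.NewReader(table))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 {
			continue
		}
		out = append(out, Lease{MAC: strings.ToLower(f[1]), IP: f[2], Hostname: f[3], Segment: segmentOf(f[2])})
	}
	return out
}

// Audit reports devices that are not on the allow list (possible rogue
// devices) and allowed devices that sit on the wrong VLAN.
func Audit(table string, allow map[string]Known) []string {
	var findings []string
	for _, l := range parseLeases(table) {
		k, ok := allow[l.MAC]
		switch {
		case !ok:
			findings = append(findings, fmt.Sprintf("UNREGISTERED %s (%s, host %q) on %s", l.MAC, l.IP, l.Hostname, l.Segment))
		case k.Segment != l.Segment:
			findings = append(findings, fmt.Sprintf("WRONG-SEGMENT %s (%s) is on %s, expected %s", k.Name, l.MAC, l.Segment, k.Segment))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	for _, f := range Audit(sampleLeases, allowList) {
		fmt.Println(f)
	}
}
```

Run against the sample table this flags the Roku that was joined to the main network instead of the guest network, plus two devices that nobody registered; those two are exactly the "rogue devices" worth chasing down.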

2) Always on. For the remote control to be able to turn these devices on, they have to be on and listening for the remote. They are in a low-power mode, not streaming or performing their many other functions, but if you sniff the air on the radio band used by WiFi streaming devices you will see them broadcasting packets almost constantly while they are "off".

3) Plug and Play. If consumers had to configure their firewalls and security devices to get these devices to work "out of the box", device sales might not be as strong. Manufacturers of streaming devices would have to contend with a very wide variety of consumer firewalls, routers, and wireless access points. This issue is mitigated with Universal Plug and Play (UPnP), which configures the ports needed for Internet access automatically. On your router or Wireless Access Point, look for a UPnP setting. The setting shown here (screenshot not reproduced in this text) is from a Linksys WRT 1900AC.
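The practical problem with UPnP is that any device on the LAN can ask the router to open an inbound port, with no authentication, so the router's UPnP mapping table is worth reading periodically if you leave the feature on. The following is an added example, not code from the original post or from any router vendor: it parses a constructed export of such a table (the column layout is an assumption; real routers show the same information under their own labels), flags any mapping that exposes a remote-shell, file-sharing or remote-desktop port, and flags mappings requested by devices other than the streaming devices you expect to need them.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strconv"
	"strings"
)

// Constructed export of a router's UPnP port-mapping table.
const sampleMappings = `description,protocol,external_port,internal_ip,internal_port
Roku media,UDP,49152,192.168.50.20,49152
Game console,UDP,3074,192.168.1.30,3074
NAS admin,TCP,8022,192.168.1.40,22
Desktop RDP,TCP,3389,192.168.1.12,3389
AppleTV,TCP,7000,192.168.50.21,7000`

// Devices that are expected to request UPnP mappings (constructed addresses).
var expectedClients = map[string]bool{
	"192.168.50.20": true, // Roku
	"192.168.50.21": true, // Apple TV
	"192.168.1.30":  true, // game console
}

// Internal ports that should never be reachable from the Internet,
// whichever device asked for them.
var neverExpose = map[int]string{22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}

// Mapping is one row of the table.
type Mapping struct {
	Description, Protocol, InternalIP string
	ExternalPort, InternalPort        int
}

// parseMappings reads the CSV export; the first row is the header.
func parseMappings(export string) ([]Mapping, error) {
	rows, err := csv.NewReader(strings.NewReader(export)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) < 2 {
		return nil, nil
	}
	var out []Mapping
	for _, r := range rows[1:] {
		if len(r) < 5 {
			continue
		}
		ext, err1 := strconv.Atoi(r[2])
		in, err2 := strconv.Atoi(r[4])
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad port in row %q", r)
		}
		out = append(out, Mapping{r[0], r[1], r[3], ext, in})
	}
	return out, nil
}

// AuditMappings returns one finding per mapping that exposes a sensitive
// service or was opened by a device that is not expected to use UPnP.
func AuditMappings(export string) ([]string, error) {
	maps, err := parseMappings(export)
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, m := range maps {
		if svc, bad := neverExpose[m.InternalPort]; bad {
			findings = append(findings, fmt.Sprintf("EXPOSED-SERVICE %q forwards %s/%d to %s:%d (%s)",
				m.Description, m.Protocol, m.ExternalPort, m.InternalIP, m.InternalPort, svc))
			continue
		}
		if !expectedClients[m.InternalIP] {
			findings = append(findings, fmt.Sprintf("UNEXPECTED-CLIENT %q opened %s/%d for %s",
				m.Description, m.Protocol, m.ExternalPort, m.InternalIP))
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditMappings(sampleMappings)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

On the sample table the two findings are the NAS whose SSH port is reachable from the Internet and the desktop whose RDP port is; the streaming devices' own mappings pass. The stronger fix is to turn UPnP off on the router and add explicit port forwards only for devices that demonstrably need them.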

4) Bandwidth - yours & theirs. Video content can only travel as fast as the slowest link in the packet-delivery chain. Adding faster links elsewhere in the chain will not help, because the slowest link is the bottleneck. I advise creating a network topology map that includes the advertised link speed to and from each component.
For normal viewing of Internet-delivered video content you probably have enough bandwidth with 100 Mb/sec, and most of your devices can deliver 100 Mb/sec. Internet service via cable modem has bandwidth limitations as well. Like airlines, Internet Service Providers (ISPs) oversubscribe their bandwidth. If you have neighbors running several video streams and large downloads at the same time, your bandwidth will suffer. And if one of those neighbors decides to use some of your bandwidth to satisfy their own desires... WiFi should be encrypted. Tools exist that can determine the WiFi encryption passphrase given enough packets to analyse, and video content delivery provides that volume of packets.
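The topology map the author recommends can be turned into a small calculation: find the path from a streaming device to the ISP, take the slowest link on it, and that link is the one worth upgrading (or the one that will not help if it is the ISP rate you pay for). The following is an added example, not code from the original post; the topology, link speeds and the 5 Mb/sec per-HD-stream figure are assumptions chosen for illustration, not measurements of any particular equipment.

```go
package main

import (
	"fmt"
	"math"
)

// Link is one hop of the home network with its advertised speed in Mb/sec.
type Link struct {
	A, B string
	Mbps float64
}

// Constructed topology map with assumed advertised link speeds.
var homeLinks = []Link{
	{"roku", "wap-2.4GHz", 72},      // 2.4 GHz 802.11n, single stream
	{"appletv", "wap-5GHz", 433},    // 5 GHz 802.11ac, single stream
	{"wap-2.4GHz", "router", 1000},  // gigabit Ethernet
	{"wap-5GHz", "router", 1000},
	{"router", "cable-modem", 100},  // older 100 Mb/sec port
	{"cable-modem", "isp", 50},      // subscribed downstream rate
}

// Bottleneck finds a path from src to dst (breadth-first over the undirected
// topology) and returns the path, the slowest link on it, and whether a path
// exists at all.
func Bottleneck(links []Link, src, dst string) ([]string, Link, bool) {
	if src == dst {
		return nil, Link{}, false
	}
	adj := map[string][]Link{}
	for _, l := range links {
		adj[l.A] = append(adj[l.A], l)
		adj[l.B] = append(adj[l.B], Link{l.B, l.A, l.Mbps}) // reverse direction
	}
	prev := map[string]Link{} // prev[node] is the link used to reach node
	visited := map[string]bool{src: true}
	queue := []string{src}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == dst {
			break
		}
		for _, l := range adj[cur] {
			if !visited[l.B] {
				visited[l.B] = true
				prev[l.B] = l
				queue = append(queue, l.B)
			}
		}
	}
	if !visited[dst] {
		return nil, Link{}, false
	}
	// Walk back from dst to src, remembering the slowest link seen.
	var path []string
	limit := Link{Mbps: math.Inf(1)}
	for n := dst; n != src; n = prev[n].A {
		if l := prev[n]; l.Mbps < limit.Mbps {
			limit = l
		}
		path = append([]string{n}, path...)
	}
	return append([]string{src}, path...), limit, true
}

// Streams is how many concurrent streams of perStreamMbps fit through a link.
func Streams(linkMbps, perStreamMbps float64) int {
	if perStreamMbps <= 0 {
		return 0
	}
	return int(linkMbps / perStreamMbps)
}

func main() {
	for _, dev := range []string{"roku", "appletv"} {
		path, limit, ok := Bottleneck(homeLinks, dev, "isp")
		if !ok {
			fmt.Println(dev, "cannot reach the Internet")
			continue
		}
		fmt.Printf("%v\n  bottleneck %s-%s at %.0f Mb/sec, about %d HD streams\n",
			path, limit.A, limit.B, limit.Mbps, Streams(limit.Mbps, 5))
	}
}
```

With these assumed speeds the bottleneck for both devices is the 50 Mb/sec ISP link, so replacing the 100 Mb/sec router port with a gigabit one would change nothing; only the subscribed rate (shared, as the post notes, with oversubscribed neighbors) would.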

5) Data Cap. Check your service agreement with your ISP. If you have a data cap and switch to or add Internet video content delivery devices, you might encounter a larger charge from the ISP. Even if your agreement does not charge extra for exceeding the data cap, your ISP may throttle delivery.

6) Most devices like Roku, AppleTV, smart TVs, smart DVRs, and similar are proprietary. Their use of CPU, memory, network connection, WiFi settings, etc. is closed source, so no third-party security assessments are performed. Security for small consumer WiFi devices lacks the economic driver that function and performance have, so security concerns are not addressed as well.

7) Though proprietary in function, most of these devices use an embedded operating system and core applications, and those operating systems have both old and new vulnerabilities.

8) To address both of the above issues, the manufacturer should issue firmware, operating system, and application patches and updates, and the Internet is used to deliver them. The devices may automatically check for, download, and apply updates, or may notify registered owners that updates are available. Strongly consider registering your streaming devices so that you are notified of updates.

9) I would advise against automatically fetching and applying updates. Reason: anyone can take over or masquerade as an update server and deliver malware content.
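What protects a device against a masquerading update server is not the timing of the update but whether the device checks, before applying anything, that the update was signed by the vendor and is newer than what is installed; a device that does that can fetch automatically without the risk in item 9, while a device that does not is exposed whether the owner clicks "update" or not (and skipping updates leaves item 7's known vulnerabilities open). The following is an added example of that check, not the firmware of any real product: the vendor signs the version number together with the image digest using Ed25519 (Go's standard crypto/ed25519), the device holds only the public key and its installed version, and the names Publish, Verify and NewVendorKeys are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the vendor publishes: the firmware image, its version, and
// a signature covering both, so a valid signature cannot be reused with a
// different image or version number.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// NewVendorKeys generates the vendor's key pair; in practice the private key
// stays at the vendor and only the public key is burned into the device.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedPayload binds the version and the image digest into one message.
func signedPayload(version uint32, image []byte) []byte {
	sum := sha256.Sum256(image)
	buf := make([]byte, 4, 4+len(sum))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, sum[:]...)
}

// Publish is the vendor side: sign the payload with the private key.
func Publish(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{version, image, ed25519.Sign(priv, signedPayload(version, image))}
}

// Verify is the device side. It rejects anything not signed by the vendor
// (a masquerading server, or an image modified in transit) and anything that
// is not newer than the installed version (a replayed old, vulnerable image).
func Verify(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedPayload(u.Version, u.Image), u.Signature) {
		return errors.New("signature invalid: not from the vendor or modified in transit")
	}
	if u.Version <= installed {
		return fmt.Errorf("version %d is not newer than installed %d: replay or downgrade", u.Version, installed)
	}
	return nil
}

func main() {
	pub, priv := NewVendorKeys()
	genuine := Publish(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine v2 on a v1 device:", Verify(pub, 1, genuine))
	fmt.Println("genuine v2 replayed on a v2 device:", Verify(pub, 2, genuine))

	tampered := genuine
	tampered.Image = []byte("constructed firmware image v2, modified")
	fmt.Println("tampered image:", Verify(pub, 1, tampered))

	_, otherPriv := NewVendorKeys() // a key that is not the vendor's
	fmt.Println("signed by someone else:", Verify(pub, 1, Publish(otherPriv, 3, []byte("x"))))
}
```

The version check matters as much as the signature: without it, a server holding an old but genuinely signed image could push the device back to a release with known vulnerabilities.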

10) A lot of processing power is packed into that small device, and more CPU power in a smaller space generates more heat. During streaming a Roku reaches 112 degrees F. These devices usually run until an inactivity timer puts them into power-saving mode. Be aware of the power and heat: provide enough air circulation in confined spaces, leave enough room around the device so it does not scorch a wall, use care in handling the device after use, and protect children from skin contact.

11) Voice. Most of these devices can be controlled by voice, and most use the Internet to interpret the voice command and then send the command(s) to the device. Recent court cases have allowed subpoenas for ambient conversations. Recall "always on". I do not use voice control, nor any home voice-controlled or voice-activated devices, though I can see the lure. Security researchers have found ways to enable microphones on device remote controls even when the user has that function disabled.
Note: the same techniques are used to enable microphones and webcams on laptops and PCs.

1 comment:

  1. Great technical overview; now most people in Sun City will need the Cliff Notes or cyber security for dummies version to understand all this. You need to break this down in your SIG.