Your average user says "Sure I can setup cameras" then sees "remote access" in the menu, sets it up, maybe it has some UPNP to the router and BOOM. Magic remote login without any type of mitigation.
The hardware was nice, cameras did a reliable 1080p full color, but the whole reason my mom wanted it was so she could check in while she and my dad were traveling (and also sneak a peek at her bird feeders while she was away; avid birder, that one).
So, I hooked that thing up to the network and did a port scan on it... First noticed - it's listening to port 22, auth is a googleable default password. It supports UPnP to punch a hole through the NAT and serve up video on another port. OS on the server box is some slightly customized version of linux with an _old_ kernel.
So I said, "Sure mom, I can set this up for you. We're going to need to get you a new firewall, it'll probably be easiest to put a *nix box in front of your wifi access point, then we can set up a tunnel between the isolated camera server and a locked down outside server that only you have access to so we can be sure that no one else is looking at those cameras. Should only take me a few hours, and we'll need to buy a box to run the firewall, and then a small monthly fee to keep the internet accessible server running"
Her response, "but it says on the box that it's easy to setup for outside access!". Mine: "It's easy to setup for everyone to access, much more involved if you want to make sure it's only you who has access".
Admittedly, it did have some authentication for accessing the video streams, but I didn't trust that thing as far as I could throw it; I'm glad she decided not to go through the trouble of getting it working (but mostly because I'm lazy and didn't want to have to setup and support that damn thing).
I can only imagine that the people who bought that device and didn't have a security paranoid person to help them set it up are all contributing to this most recent DDoS attack.
Her response, "but it says on the box that it's easy to setup for outside access!". Mine: "It's easy to setup for everyone to access, much more involved if you want to make sure it's only you who has access"
well that was a pretty clever answer, I needed to laugh about that :D
Basically the commercial was right :D "easy to setup for outside access" that didn't imply a single person ^^
So...you wanted to have authentication and it has authentication...I must be missing something.
So, yeah, it makes sense to block it - personally I block IOT devices from the Internet entirely (and don't let them initiate requests to my local network even) and use a VPN (IPSEC/IKEv2). That wouldn't work for devices that connect to cloud services, so I'd have to set up new firewall rules if I got one of them.
You missed that you could SSH into it with a default password that is easy to find on a web search.
The original engineering and architecture of the internet (and the web) was not intended to create something you put all your eggs in. It was for sharing information, not building your mission critical business operations on.
Right now, if you dumped your business into a cloud service you're mostly dead in the water. But those who have local infrastructure can keep working. As people have been noting here, centralization is bad.
Many people have heard that the Internet began with some military computers in the Pentagon called Arpanet in 1969. The theory goes on to suggest that the network was designed to survive a nuclear attack. However, whichever definition of what the Internet is we use, neither the Pentagon nor 1969 hold up as the time and place the Internet was invented. A project which began in the Pentagon that year, called Arpanet, gave birth to the Internet protocols sometime later (during the 1970's), but 1969 was not the Internet's beginnings. Surviving a nuclear attack was not Arpanet's motivation, nor was building a global communications network.
Bob Taylor, the Pentagon official who was in charge of the Pentagon's Advanced Research Projects Agency Network (or Arpanet) program, insists that the purpose was not military, but scientific. The nuclear attack theory was never part of the design. Nor was an Internet in the sense we know it part of the Pentagon's 1969 thinking. Larry Roberts, who was employed by Bob Taylor to build the Arpanet network, states that Arpanet was never intended to link people or be a communications and information facility.
Which means it falls under what he said.
The idea is that all your IOT stuff establishes a connection to this server, creating an encrypted network between them. You then add your control servers to that network and job done. Your devices don't need any inbound access to talk to each other. All the connections are outbound, so no ports to open on your firewall and no risk.
You could do this by yourself, but we take that hassle out of your hands. Happy to help with custom deployments too outside our main service; it's a great way of learning our customers' needs.
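The outbound-only rendezvous pattern described above, as an added example that is not the service's own code: a constructed relay on a public host, a camera that dials out and registers under a name, and an owner's client that dials out and asks to be spliced to that name, so nothing listens behind the home NAT. It assumes plain TCP on localhost for the demo; a real deployment would wrap every session in TLS and authenticate both ends before splicing.

```python
import asyncio
# Constructed demo of the outbound-only design: camera and owner both dial OUT to a
# public relay that splices their sessions, so the home NAT forwards no port at all.
class Relay:
    def __init__(self):
        self.waiting = {}  # device name -> (reader, writer, done_future)

    async def handle(self, reader, writer):
        role, _, name = (await reader.readline()).decode().strip().partition(" ")
        if role == "DEVICE":
            done = asyncio.get_running_loop().create_future()
            self.waiting[name] = (reader, writer, done)
            await done                        # hold the device's session open
        elif role == "CONTROL" and name in self.waiting:
            dev_r, dev_w, done = self.waiting.pop(name)
            await asyncio.gather(pipe(reader, dev_w), pipe(dev_r, writer))
            done.set_result(None)
        writer.close()

async def pipe(src, dst):                     # one-way copy, half-close on EOF
    while data := await src.read(4096):
        dst.write(data)
        await dst.drain()
    dst.write_eof()

async def device(port, name):                 # the camera: outbound only
    r, w = await asyncio.open_connection("127.0.0.1", port)
    w.write(f"DEVICE {name}\n".encode())
    while req := await r.readline():          # answer relayed requests
        w.write(b"frame-for:" + req)
        await w.drain()
    w.close()

async def controller(port, name, request):    # the owner's laptop: outbound only
    r, w = await asyncio.open_connection("127.0.0.1", port)
    w.write(f"CONTROL {name}\n".encode() + request + b"\n")
    reply = await r.readline()
    w.close()
    return reply.decode().strip()

def demo(request=b"snapshot"):
    async def run():
        relay = Relay()
        server = await asyncio.start_server(relay.handle, "127.0.0.1", 0)
        port = server.sockets[0].getsockname()[1]
        cam = asyncio.create_task(device(port, "birdcam"))
        while "birdcam" not in relay.waiting:  # wait for the camera to register
            await asyncio.sleep(0.01)
        reply = await controller(port, "birdcam", request)
        await cam
        server.close()
        return reply
    return asyncio.run(run())
```

Both endpoints only ever call `open_connection`; the single listening socket is the relay's, which is the whole point of the design.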
It's hard though to have your exact setup as a service, it implies incoming VPN connections to the site where you deploy your IOT and a VPN server of sorts.
Our main focus was remote teams and devs having to use remote servers, however IOT might be a killer use here.
Very nice service by the way. I have used ngrok in the past and found it invaluable for a few odd applications. I'll give it a try in future.
It could suit your needs or we can help with custom deployments. In any case I'd like to learn more about your needs and your expectations. Can I drop you an email?