Anyone who eats fries on toast deserves to be replaced by a machine.

For my embedded devices I've got a few rules running on my network and also no UPnP enabled.

If the device communicates over the network (eg, printer, smart switch, smart LED bulbs) it is on a firewall list that denies internet access.
If the device needs internet access, or internet access is useful and I don't have root / admin access to it (eg, wireless access point, smart TV) it is on another VLAN with full logging with restrictive internet access.
If the device is a PC, mobile device etc requiring the use of intenet access it is on my normal network however there is no UPnP to be offered.
If the device is a server or something directly connected to the internet with port forwards it is seperated from my home network with both firewall rules + VLAN's with security precautions, logging etc in place on the devices themselves.

This way, I am not contributing 500Mbit of my upstream bandwidth to a DDOS event. It is harder to manage but this way also my network has a layer of trust. Guests who want internet access get their own VLAN'd wireless connection also.

Like many of you, we were super cautious with our network and disabled everything we could to avoid problems. Until my man was diagnosed with a condition that requires a CPAP machine. This machine is internet-connected and sends data back to the medical company and his doctor. Based on the readings, the medical company adjusts the flow of air and changes settings on the device over the network. This is the most commonly used CPAP machine model in North America with millions in homes across the continent (and elsewhere, no doubt). I'm not going to comment on its security but you can guess what I would say. Users cannot adjust settings. Changes are done remotely. 

I was without internet connection for most of the day of the attack, like most of the eastern seaboard. Most sites I normally go to were offline. It was a weird day. Coincidentally, early that morning my man woke up choking. Some time in the early hours his CPAP machine halved the flow and pressure. He couldn't breathe so woke up. He lodged a fault with the company BUT as soon as I heard it was an IoT botnet I thought about that machine. 

We aren't just talking non-essential IoT gizmos. How many other medical devices are insecure and connected? Even more worrying, how many deaths could result? 

The problem with moving things off onto their own vlan that I have found is that many braindead home automation devices will not work across subnets, they use broadcast to find things on the lan and then once found them will use the IP address to control them. If you change network they assume they cannot get them by that IP address and fall back to cloud control of them. Which means the things need internet access and you have latency issues with controlling them.

For like controlling the wemo switches from the amazon echo, its the same lan or nothing as they do not go back to the cloud server ever, even for previously discovered devices.

Thanks for this useful thread.  We are pretty light on the IoT in our household, but have couple of AV deviced that connect to the outside world. 

Rikkitic:

Anyone who eats fries on toast deserves to be replaced by a machine.

 

BarTender:

Fred99: Get notice from ISP - please disconnect or secure your device "gizmobabycam" within 24 hours, or we'll disconnect your internet connection (or limit your upload bandwidth to 10kb/s until your devices are secure).

That will be a very expensive ordeal to deal with. As hand holding potentially tens of thousands of customers can through that will be time consuming and thus expensive.
Aren't ISPs supposed to just be shifting bits. Since now you're talking about port scanning customers and removing or limiting service. That could be interpreted as a privacy breach.

The T&C from your ISP will already allow them to cut or limit connectivity if your net activity, with or without your knowledge, interferes with the network.

Isolate the ISP from backlash by setting up an agency to do the discovery under strict protocols, then pass IP addresses and limited details to the ISPs, as they're discovered - not the lot in one huge list.  

http://www.radionz.co.nz/news/world/316434/webcams-used-in-cyber-attacks-on-websites-recalled

Yeah good luck recalling 5+ year old crap sold thru ebay and aliexpress to random corners of the world.

The re-branders of the XM gear that sold thru target and walmart etc may have some luck, but noone will know that their "H264" DVR is affected by any recall at all.

I actually have 2 old analog camera DVRs that came from PB about 3 years ago that is a non-rebadged XM one. No idea who the importer was etc.

One had a totally different software to the other. One is only able to have a 6 character password on it.

I have small set of wifi capable devices that need to talk to each other but not anything else. These used to be connected to the main wifi modem-router.

Having read this thread I've just switched them over to an old wifi router (not a modem) which they all connect to.  It has no connection to the internet.  Effectively a dead-end router. 

I can still connect to the devices with my laptop by connecting to the dead-end router.  If I have to connect a device to the internet for a firmware update or similar, then I can temporarily connect the dead-end router to the main modem/router via a cable.

I guess someone could still hack into the dead-end router, but they would be very bored by what they find.

And now even your doorbell can join in!

http://www.geekzone.co.nz/content.asp?contentid=21232

Rikkitic:

 

And now even your doorbell can join in!

 

http://www.geekzone.co.nz/content.asp?contentid=21232

 

I have a fear that the doorbell will team up with the fridge, LED lights, and other IoT devices to overthrow us.

Imagine being held captive by your fridge and toaster...

Freeze your fingers and burn your toes. Torture by appliance.

Rikkitic:

 

Freeze your fingers and burn your toes. Torture by appliance. 

 

Beginning to sound like an episode of the walking doge.

cynnicallemon:

 

I have a fear that the doorbell will team up with the fridge, LED lights, and other IoT devices to overthrow us.

 

Imagine being held captive by your fridge and toaster...

You have to really watch those internet connected refrigerators - particularly those with a bar code scanner.  They are cold and calculating.....

The toaster is a real hothead.  You can watch him as long as you like, but he'll pop as soon as you turn your back.