It may help that it looks like just a monitor.  Although if someone hacks into 
it, who knows?

The idea of someone maliciously controlling a 100 ft tall tower dryer is a bit
alarming.  These things run 24x7 and are fed with really big gas lines, and the 
smaller dryers on individual farms have a tendency to clog up and/or catch fire.

I’d like to think the “Watchdog” remote monitor is a separate device from the
main PLC and can only monitor, not control the dryer.

Compartmentalizing systems is a great security measure.  Which seems to have
gone by the wayside, as you hear about people hacking into cars and airplanes 
via their WiFi and entertainment systems.  Why does the radio need to talk to 
the brakes?

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Forrest Christian (List
Account)
Sent: Wednesday, October 5, 2016 7:15 PM
To: af <af@afmug.com>
Subject: Re: [AFMUG] grain dryer port forwards and IoT security

Actually depends on the device.   Many of these simply aren't able to get
'owned' like, as an example, something which runs Linux.

On the other hand, opening 22 and 23 scares me.  Especially 23.   Port 80 isn't
as big of a deal as long as the device is hardened and passwords are changed.

On Wed, Oct 5, 2016 at 5:25 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:

It's dumb and the manufacturer should feel bad. But it's not really your 
problem to secure their device, if it gets pwned you can cut it off from the 
network per your TOS/AUP. 

Not much riskier to the ISP than being a colo provider and renting a small 
section of rack space and selling a static /30 to a customer who doesn't know 
how to secure their Linux server.

On Wed, Oct 5, 2016 at 4:22 PM, Ken Hohhof <af...@kwisp.com> wrote:

We hooked up Internet to a new GSI tower dryer at a grain elevator, and 
assuming this is the correct manual, it wants ports 22, 23, and 80 forwarded to 
it.

http://www.grainsystems.com/content/dam/Brands/GSI/Manuals/English/Conditioning/pneg1720-062114-OS.pdf

Without additional firewall rules, does this sound risky?  They have a
cellphone app, which apparently goes directly to the dryer, not through some 
intermediary like a Team Viewer server.  So I don’t see what firewall rules we 
could put in.  Doesn’t this let every hacker, script kiddie, and bot herder in 
the world try to break into it via SSH, telnet and HTTP?  Do these guys move on 
if the default password has been changed?  I would think they would run 
dictionary attacks against it.

-- 
Forrest Christian CEO, PacketFlux Technologies, Inc.

Tel: 406-449-3345 | Address: 3577 Countryside Road, Helena, MT 59602

forre...@imach.com | http://www.packetflux.com
