Does the local network need to be hacked first for IoT devices to be accessible?

The devices are designed to be accessible from outside the home. To offer this service to their owners, they make themselves accessible through the homeowner's router/firewall. The way they do this is by sending a UPnP packet to the owner's router that tells the router to open a port that connects back to them. They then listen for connections that arrive directly from the internet.

In other words, the devices first hacked their owner's routers by design, which exposed their own vulnerabilities. (This has nothing to do with secured, private, or open WiFi, other than many IoT devices connect via WiFi; UPnP exposes the exact same vulnerabilities on wired devices connected by Ethernet cables, too.)

To protect yourself, disable UPnP on your router.
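The UPnP request the answer describes is an IGD `AddPortMapping` SOAP call. As an added example (not from the original post), here is a small parser that extracts such a request from captured traffic and flags the hole it would punch; the sample request, the internal IP and the risky-port list are constructed assumptions for illustration:

```python
import xml.etree.ElementTree as ET

# Real namespace URIs used by UPnP IGD's WANIPConnection:1 service.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed sample: an AddPortMapping body as an IoT device would send it
# to the router, e.g. as seen in a packet capture on the LAN.
SAMPLE_REQUEST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>23</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>23</NewInternalPort>
   <NewInternalClient>192.168.1.50</NewInternalClient>
   <NewPortMappingDescription>camera-telnet</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""

# Assumed policy: admin services that should never face the internet.
RISKY_PORTS = {22: "ssh", 23: "telnet"}

def parse_add_port_mapping(xml_text):
    """Return the AddPortMapping arguments as a dict, or None if not present."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    action = body.find(f"{{{IGD_NS}}}AddPortMapping") if body is not None else None
    if action is None:
        return None
    args = {child.tag: (child.text or "") for child in action}  # args are un-namespaced
    return {
        "external_port": int(args["NewExternalPort"]),
        "protocol": args["NewProtocol"],
        "internal_client": args["NewInternalClient"],
        "internal_port": int(args["NewInternalPort"]),
        "description": args.get("NewPortMappingDescription", ""),
        "lease": int(args.get("NewLeaseDuration", "0")),  # 0 = never expires
    }

def assess(mapping):
    """List reasons a mapping deserves attention from the network owner."""
    findings = []
    if mapping["internal_port"] in RISKY_PORTS:
        findings.append(f"exposes {RISKY_PORTS[mapping['internal_port']]}")
    if mapping["lease"] == 0:
        findings.append("permanent lease")
    return findings
```

Running `assess(parse_add_port_mapping(SAMPLE_REQUEST))` on the sample reports that the device is exposing Telnet with a mapping that never expires, which is exactly the condition the answers warn about.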


Your understanding of the attack is not as clear as you think. In this article, Krebs mentioned that the attackers didn't really have to hack the devices. The vulnerability was well known, they just had to scan the internet for those devices.
Sure, if SSH/Telnet to the devices was disabled, the problem would have been solved easily. To make the matter worse, the hard coded credentials present in the hardware were not even visible to the web interface for the administrator.
Yes, it is absolutely imperative to know what devices are present in your network and what services you do/do not need.

EDIT: After @tlng05's clarification of the question.
As already mentioned in other answers, you should disable UPnP on your router to make absolutely sure that your device is not straightforwardly configurable from the outside world.


Your misconception is here:

secured private wifi networks

Whilst many home WiFi networks are secured against unauthorised wireless devices connecting directly, many are wide open to access from the wider Internet. It's this access (that's demanded by the IoT devices to perform their legitimate functions) that can be abused (and on a much bigger scale than physically visiting many WiFi networks).

The attack surface of a router is on all its networks!
