gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d43855b3d1
secubox-openwrt/package/secubox/secubox-iot-guard/README.md
CyberMind-FR 8ef0c70d0f feat(iot-guard): Add IoT device isolation and security monitoring 
Backend (secubox-iot-guard):
- OUI-based device classification with 100+ IoT vendor prefixes
- 10 device classes: camera, thermostat, lighting, plug, assistant, etc.
- Risk scoring (0-100) with auto-isolation threshold
- Anomaly detection: bandwidth spikes, port scans, time anomalies
- Integration with Client Guardian, MAC Guardian, Vortex Firewall
- iot-guardctl CLI for status/list/scan/isolate/trust/block
- SQLite database for devices, anomalies, cloud dependencies
- Traffic baseline profiles for common device classes

Frontend (luci-app-iot-guard):
- KISS-style overview dashboard with security score
- Device management with isolate/trust/block actions
- Vendor classification rules editor
- Settings form for UCI configuration
- RPCD handler with 11 methods
- Public ACL for unauthenticated dashboard access

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-11 10:36:04 +01:00

168 lines
4.3 KiB
Markdown
Raw Blame History

# SecuBox IoT Guard
IoT device isolation, classification, and security monitoring for OpenWrt.
## Overview
IoT Guard provides automated IoT device management:
- **Auto-Classification** - Identifies IoT devices by vendor OUI and behavior
- **Risk Scoring** - Calculates security risk per device (0-100 scale)
- **Auto-Isolation** - Automatically quarantines high-risk devices
- **Anomaly Detection** - Monitors traffic patterns for behavioral anomalies
- **Cloud Mapping** - Tracks cloud services each device contacts
IoT Guard **orchestrates existing SecuBox modules** rather than reimplementing:
| Module | Integration |
|--------|-------------|
| Client Guardian | Zone assignment (IoT zone) |
| MAC Guardian | L2 blocking/trust |
| Vortex Firewall | DNS filtering (IoT malware feeds) |
| Bandwidth Manager | Rate limiting |
## Installation
```bash
opkg install secubox-iot-guard luci-app-iot-guard
```
## CLI Usage
```bash
# Overview status
iot-guardctl status
# Scan network for IoT devices
iot-guardctl scan
# List all devices
iot-guardctl list
iot-guardctl list --json
# Device details
iot-guardctl show AA:BB:CC:DD:EE:FF
# Isolate to IoT zone
iot-guardctl isolate AA:BB:CC:DD:EE:FF
# Trust device (add to allowlist)
iot-guardctl trust AA:BB:CC:DD:EE:FF
# Block device
iot-guardctl block AA:BB:CC:DD:EE:FF
# View anomalies
iot-guardctl anomalies
# Cloud dependency map
iot-guardctl cloud-map AA:BB:CC:DD:EE:FF
```
## Configuration
Edit `/etc/config/iot-guard`:
```
config iot-guard 'main'
option enabled '1'
option scan_interval '300' # Network scan interval (seconds)
option auto_isolate '1' # Auto-isolate high-risk devices
option auto_isolate_threshold '80' # Risk score threshold for auto-isolation
option anomaly_detection '1' # Enable anomaly detection
option anomaly_sensitivity 'medium' # low/medium/high
config zone_policy 'isolation'
option target_zone 'iot' # Target zone for isolated devices
option block_lan '1' # Block LAN access
option allow_internet '1' # Allow internet access
option bandwidth_limit '10' # Rate limit (Mbps)
config vendor_rule 'ring'
option vendor_pattern 'Ring|Amazon Ring'
option oui_prefix '40:B4:CD'
option device_class 'camera'
option risk_level 'medium'
option auto_isolate '1'
config allowlist 'trusted'
list mac 'AA:BB:CC:DD:EE:FF'
config blocklist 'banned'
list mac 'AA:BB:CC:DD:EE:FF'
```
## Device Classes
| Class | Description | Default Risk |
|-------|-------------|--------------|
| camera | IP cameras, video doorbells | medium |
| thermostat | Smart thermostats, HVAC | low |
| lighting | Smart bulbs, LED strips | low |
| plug | Smart plugs, outlets | medium |
| assistant | Voice assistants | medium |
| media | TVs, streaming devices | medium |
| lock | Smart locks | high |
| sensor | Motion, door/window sensors | low |
| diy | ESP32, Raspberry Pi | high |
| mixed | Multi-function devices | high |
## Risk Scoring
Risk score is calculated as:
```
score = base_risk + anomaly_penalty + cloud_penalty
```
- **base_risk**: 20 (low), 50 (medium), 80 (high) based on vendor/class
- **anomaly_penalty**: +10 per unresolved anomaly
- **cloud_penalty**: +10 if >10 cloud deps, +20 if >20 cloud deps
## Anomaly Types
| Type | Severity | Description |
|------|----------|-------------|
| bandwidth_spike | high | Traffic Nx above baseline |
| new_destination | low | First connection to domain |
| port_scan | high | Contacted many ports quickly |
| time_anomaly | medium | Activity at unusual hours |
| protocol_anomaly | medium | Unexpected protocol usage |
## OUI Database
IoT Guard includes an OUI database for ~100 common IoT manufacturers:
- Ring, Nest, Wyze, Eufy (cameras)
- Philips Hue, Lifx, Wiz (lighting)
- TP-Link Kasa/Tapo, Tuya (plugs)
- Amazon Echo, Google Home (assistants)
- Espressif, Raspberry Pi (DIY)
- Samsung, LG, Roku (media)
Add custom OUIs to `/usr/lib/secubox/iot-guard/iot-oui.tsv`:
```
AA:BB:CC MyVendor camera medium
```
## Files
```
/etc/config/iot-guard # Configuration
/usr/sbin/iot-guardctl # CLI controller
/usr/lib/secubox/iot-guard/ # Library scripts
/usr/share/iot-guard/baseline-profiles/ # Traffic baselines
/var/lib/iot-guard/iot-guard.db # SQLite database
```
## Dependencies
- secubox-core
- sqlite3-cli
- jsonfilter
## License
GPL-3.0
Reference in New Issue View Git Blame Copy Permalink