Preventing malware infection

I couldn’t find a similar discussion and also wasn’t sure what section to put this in, so here goes…

Has there been any discussion of methods and best practices to keep our Blynk devices from becoming part of the ever-growing IoT botnet?

What device?

For me, the ESP8266, but really anything that uses Blynk I would expect.

Current botnets of IP cameras were pretty primitive. Just a network scanner + regular (default) password. That’s how it happened. With Blynk this is not possible as there is nothing like a “default” password.

However, in case you don’t use an SSL connection, your token could be intercepted on its way to the Blynk cloud. There is not much we can do about that. You need to use either an SSL connection (ESP supports it) or a local server. Also, for an attacker there is not much interest in getting your token, as an attacker can get access only to your hardware, while the real goal of botnets is money. With access to your hardware there is not much you can do with it :slight_smile:.

My ESP ‘things’ all connect to my WPA encrypted home network, which I require a password for.

So you would have to be a pretty amazing hacker to get access to my home network (and consequently any of my hardware).

At least that is my understanding of it all…

If you only access your things from within your house, never from outside your network, all is good.
If you can get at your things from outside your network, that’s a hole that has to be protected and monitored or you’re asking for trouble down the line.

So you are asking more about network security than device security?

Maybe @Lichtsignaal has some advice?

Always use up to date and valid certificates, even within your own network.

If you have a Blynk server running locally, use a complex password and install fail2ban (if you are running Linux). Use a firewall and don’t forward any ports.

Furthermore, don’t worry too much. There is too much sht out happening already without you ever knowing or realizing it. You should take a couple measures, like I indicated, but you can’t go around being paranoid all day worrying someone will turn off your light or see how warm it is in your house :slight_smile:

5 Likes

Lol, I dunno… if my lights suddenly started strobing without my doing it, I’d be pretty worried! :joy:

Well, it’s not as bad as losing an entire database with privileged medical information, so it’s best to try and not worry too much. There are worse things in this world than re-installing your Pi with the local server every, say, 6 months.

2 Likes

Could you please explain how specifically to protect my publicly available local Blynk server with fail2ban?
I can protect my sshd. But what about Blynk? What should I add to my /etc/fail2ban/jail.local to block brute force on Blynk’s ports?

I wouldn’t worry too much. Blynk already uses some non-RFC ports in that sense and the end-user is not very attractive for hackers unless it’s REALLY easy to get in and if you set your passwords and certificates it’s probably gonna be ok (never can be sure). The safest bet would be, imho, to install PiVPN and use a VPN client on your phone to connect to your home network instead of via the Internet. That way you only have to open up tcp/443 and OpenVPN/SSL protection in fail2ban is probably easier than Blynk. With the added bonus you don’t have to open 22 anymore (unless you want a 2nd way of having access to your Pi/network).
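
For the jail.local question above, this is the general shape of a fail2ban jail for a service that ships no stock filter. It is an added example, not part of the original thread and not Blynk's own configuration. The filter name, log path, port and failure-message format are assumptions and must be replaced with what your server actually uses and logs.

```ini
# --- /etc/fail2ban/filter.d/blynk-auth.conf  (hypothetical filter name) ---
[Definition]
# Constructed sample line this pattern was written for. It is NOT Blynk's real
# log format: copy a genuine failed-login line from your own server log and
# adapt the pattern to it.
#   2024-05-01 18:22:07 WARN - Login failed for user 'a@example.com' from 203.0.113.7
#
# fail2ban strips the timestamp before matching. Anchor both ends so that
# attacker-supplied text (for example the user name) cannot place a forged
# address where <HOST> is read.
failregex = ^\s*WARN - Login failed for user '.*' from <HOST>\s*$
ignoreregex =

# --- /etc/fail2ban/jail.local ---
[blynk-auth]
enabled  = true
filter   = blynk-auth
# Placeholder: the file your Blynk server writes authentication failures to.
logpath  = /path/to/blynk/logs/blynk.log
# Assumed value: list only the port(s) you have actually exposed.
port     = 9443
protocol = tcp
# Ban an address for 1 hour after 5 failures within 10 minutes.
maxretry = 5
findtime = 600
bantime  = 3600
```

Before enabling the jail, run `fail2ban-regex /path/to/blynk/logs/blynk.log /etc/fail2ban/filter.d/blynk-auth.conf` to confirm the pattern matches real failure lines and nothing else.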

I’m sorry for posting here but I want to say thanks because this topic helped me a lot