Connected Devices are Creeping into your Home
Most of the challenges and discussions we see around security for the Internet of Things (IoT) involve critical infrastructure, power and water utilities, manufacturing, communications, or transportation, to name a few. At Intel Security, most of our work is focused on these areas, securing industrial controllers, manufacturing devices, smart meters, and other challenging environments where a compromise could damage businesses, and perhaps even cost lives. However, there is another side to IoT security, which I believe could be even more nefarious: the ever-growing number of IoT devices in the home.
I speak from experience here. A few years ago, my home network comprised a couple of PCs and a wireless router. Today, it is incredible. At last count, my family and I had 52 Internet-connected devices: the usual combination of smartphones, tablets, personal and work laptops, plus music systems, digital thermostats, lights, security cameras, and door locks. Even our TVs are Internet connected, as is our seldom-used elliptical trainer.
With a few devices and a router, I became the default system administrator. That is not something I wanted; I just want things to work. With 52 devices and growing, the household system administrator is a job that has quickly exceeded my available time and expertise. Keeping up with updates and patches for all these various devices is a task that, I admit, I have failed at. I have no idea how to patch my Blu-ray player, and certainly no idea about the wireless lights. I have reconciled myself to living in a home overrun by unpatched devices, many of which were designed without any security in mind.
My CIO does not like this situation. I work from home as much as I work from anywhere, so my work devices exist on the same contaminated network as everything else. Even though McAfee offers employees free use of our products, we don’t ship “Security for Smart TVs”. Worse, my personal devices also have access to email and other corporate resources, further blurring the boundaries. Working from home now has at least the same security risks as working from a hotel, airport, or coffee shop. Any one of those numerous consumer devices could be compromised and could be spying on and exfiltrating my data.
For many years, hackers have had access to Wi-Fi access points that can subtly spy on user traffic. It is trivial to build a tiny device 'parasite' that lives off your network and siphons all of your traffic, and these hardware solutions are commonplace. If you can subvert an embedded device into spying for you, then it is equally possible to subvert a device already in the home. We have already seen attacks against wireless routers. What if the attack targeted something less obvious, like an ordinary digital thermostat or a smart TV? How would you ever know it had happened?
Even worse, what if the spying functionality was slipped into the device at the factory? You may remember stories about USB sticks shipping with malware preinstalled, but there is also evidence of compromised digital photo frames, and even urban rumors of ‘smart toys’ with hidden network recording functions. This may sound like the plot for a movie, or digital fear mongering, but it has been possible for a number of years.
Using devices from trusted manufacturers should help, but that is no guarantee of security and invulnerability from attack. Trusted manufacturers are likely to become more popular. The more popular a device is, the more potential there is to make money or wreak havoc, so the more attention it gets from the hacking community. It only takes one successful attack that is difficult to patch to be devastating.
When personal computers faced this type of threat, we created software to protect them. We cannot possibly create software to run on the innumerable different devices in a home. One alternative to securing the devices is to secure the network they are on, which could be at your house or at the ISP. Several vendors are experimenting with solutions in this domain, including Intel. Security features such as Internet filtering, botnet detection, and device quarantine have existed in enterprise-class devices for many years. Adding these features to home routers and gateways is quite possible, given the sophistication of modern hardware, although retrofitting legacy devices is problematic.
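To make the gateway-side idea concrete, here is an added example (not code from the original post or from any Intel or McAfee product) of the kind of per-device check a home router could run: each appliance-class device gets a baseline of the destinations it normally talks to, and a large upload to a destination outside that baseline marks the device as a quarantine candidate. The flow records, device names, baseline set and byte threshold are all constructed for illustration.

```python
# Added example: per-device destination baselining on a home gateway.
from collections import defaultdict

# Constructed flow records a home gateway could export: (device, dst_host, bytes_out)
FLOWS = [
    ("thermostat", "api.vendor-cloud.example", 4_200),
    ("thermostat", "api.vendor-cloud.example", 3_900),
    ("thermostat", "203.0.113.77", 48_000_000),   # constructed: large upload to an unknown host
    ("smart-tv", "cdn.streaming.example", 1_200),
    ("smart-tv", "198.51.100.9", 900),            # constructed: small flow to an unknown host
    ("laptop", "mail.corp.example", 75_000),
]

# Expected destinations per device (assumption: learned during a quiet baseline period)
BASELINE = {
    "thermostat": {"api.vendor-cloud.example"},
    "smart-tv": {"cdn.streaming.example"},
}

# Upload volume above which an appliance-class device is suspicious (assumed threshold)
EXFIL_BYTES = 10_000_000


def assess(flows, baseline, exfil_bytes=EXFIL_BYTES):
    """Return {device: verdict}: 'quarantine' when a baselined device sends a
    large volume to destinations outside its baseline, 'review' when it only
    touches unknown destinations in small volumes, 'ok' when it stays inside
    its baseline, and 'unmanaged' for devices that have no baseline at all."""
    unknown_bytes = defaultdict(int)
    unknown_dsts = defaultdict(set)
    for device, dst, nbytes in flows:
        if device in baseline and dst not in baseline[device]:
            unknown_bytes[device] += nbytes
            unknown_dsts[device].add(dst)
    verdicts = {}
    for device in {d for d, _, _ in flows}:
        if device not in baseline:
            verdicts[device] = "unmanaged"
        elif unknown_bytes[device] >= exfil_bytes:
            verdicts[device] = "quarantine"
        elif unknown_dsts[device]:
            verdicts[device] = "review"
        else:
            verdicts[device] = "ok"
    return verdicts


if __name__ == "__main__":
    for device, verdict in sorted(assess(FLOWS, BASELINE).items()):
        print(f"{device}: {verdict}")
```

The laptop is deliberately left without a baseline, because a general-purpose machine has no stable destination set; the gateway should apply this check to appliance-class devices only.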
The bigger challenge is making these advanced topics accessible to everyone. Insisting homeowners understand firewalls or network concepts is a sure way to trigger low adoption. For home IoT security to succeed, it needs to be an ‘Apple’ experience – obvious, unobtrusive, and yet valuable.
Moving the problem to the ISP has its own advantages and disadvantages. The efficiency of scale comes into play with the ISP being able to filter and protect every home through a central system. Scale also presents the biggest disadvantage, as inspecting all the traffic generated by an ISP’s user base is an incredible challenge, especially given the trend towards higher and higher connection rates. The ISP also has to do a lot of work to differentiate between devices in your home. Try distinguishing a Windows Surface tablet from a Nest thermostat just by looking at the IP traffic.
Ultimately, we believe a hybrid approach is necessary to secure the connected home and its occupants, and to help CIOs mitigate and control the risks of an increasingly mobile workforce. We expect to see deep and valuable security controls integrated with modems and routers, coupled with cloud- and ISP-based measures to protect against and monitor for external risks, without forcing you and me to become home system administrators in our spare time.