Without doubt, the internet of things will transform our lives in the coming years. We will connect more and more devices in our houses to the internet with the intention of making our lives easier and more comfortable. An exemplary future scenario would be the optimization of sleep and waking up based on sensors in one’s bedroom and calendar information in the cloud. During the night, our smart phones will interact with all sorts of sensors and create the optimal temperature and humidity levels for a good night of sleep. Towards the morning, again using sensor information, our smart phone or smart hub would gradually increase the light intensity by interacting with the smart lighting system and already heat up the living room by sending a message to the smart thermostat. By the time we get up, the shower is automatically activated and when we enter the kitchen, our coffee machine will greet us with a freshly brewed coffee. While such a scenario of IoT in the home may sound appealing, it may also pose a threat to the security of the home network and by extension a threat to the user’s privacy and property.
The threats that users will face are entirely dependent on which devices are in their network and the data that these devices collect and/or store. For example, users who use a Network Attached Storage (a so-called NAS) in their home network to store pictures or other sensitive data are at risk of theft of this privacy-sensitive data. This could happen because of a security flaw in the NAS itself (as shown by Jacob Holcomb) or by means of a compromise of another IoT device in the network that has access to the NAS. Similarly, a user who has installed a security camera for his or her own safety is also at risk of a serious privacy violation. If an attacker somehow manages to capture the camera stream, the scenarios for abuse are plenty. And lastly, even property or valuables are at risk of being stolen, for example in case attackers manage to get hold of data collected by IoT devices that reveals whether the person is at home and pick the right moment to break in.
The root causes for these threats are twofold. The first root cause is that IoT devices are undeniably vulnerable at one point or another during their lifecycle for various reasons. Some IoT devices are incapable of running any security software, applying (strong) encryption, or strong authentication. Other devices might come with security features enabled, but become insecure during their lifetime. The vendor may no longer (be able to) provide software updates, users simply opt to continue to use the device long past the announced end-of-life date, or users turn off the security features because the configuration is too demanding. And yet another group of devices may simply be forgotten about by the consumer. These devices, such as connected solar panels, sensor systems, etc. will remain connected, but unmaintained. As such, the odds that in the long run IoT devices will contain security vulnerabilities are high and a security breach is therefore likely.
The second root cause is the outdated security model of home networks and the way IoT devices leverage that model for their functionality. The security model of home networks is that of an egg shell approach: hard on the outside, soft on the inside. Home gateways provide a protection for internet traffic coming into the home but do not restrict communication between devices on the same network. This model made sense when there were only a very few devices in the house that had limited interaction with each other. Today, the security model of smart home networks is losing its validity because more devices, including less trustworthy devices, become part of that same network. Devices within the home network have unrestricted access to each other, which is both a feature and a design flaw.
IoT devices leverage this model: vendors assume the availability of a home network, which provides the IoT devices with both connectivity to the internet, and a possibility to interact with other devices on the same network virtually unrestricted. The reason why IoT devices need access to the internet is to connect to the vendor’s cloud service. Part of the functionality, such as controlling the device when away or analysing the collected data, is provided through the cloud service of the device. The reason why IoT devices need to access the home network is the ability to interact with other devices, such as a smart phone, sensor or NAS, that are connected to the same network. Examples of such interactions include the possibility to control a smart thermostat from a smartphone connected to the same network, storing a security camera video stream on a NAS, streaming audio to an audio device, and providing sensor data to a display. In order to make this work these devices run discovery protocols like UPnP that assume that the network is a so-called flat network with unrestricted access to other devices.
In summary, security of IoT devices for the smart home should be of great concern. Even more so, because a breach of the security of one of these devices almost always equals a breach of the security (and privacy of the users) of the in-home network. The contributing factors for this problem are the weak security of IoT devices and the outdated security design of home networks; the problem is made worse by the fact that many IoT devices leverage the outdated security model with unrestricted access to devices in the home network to provide full functionality. Changes are therefore not easily applied. Fortunately, over the last few years vendors and governments have woken up to the issue and are in the process of issuing new standards and regulations that aim to improve the security of the IoT devices themselves. Even though this will improve security of IoT devices a bit, as Bruce Schneier pointed out, there is a need for a ‘plan B’. According to the authors of this article, a part of this plan B should be an updated security model of the home networks.
Towards a solution
The reasons why a solution for in-home IoT is difficult are the same as the reasons why security of IoT devices is a problem. The traditional security advice of installing security software and configuring strict access is void, as said before. Another piece of security advice would be to introduce different zones in the in-home network. A home network would then be split into multiple zones such that some devices can talk freely to each other and others can’t. Even though it is sound security advice, it would go against the current trust model of in-home networks and would likely affect the proper functioning of the IoT devices as we know them today. And even more complex solutions are possible, for example one where communication between devices is controlled by firewall rules. Even though it is technically possible, the configuration of firewall rules between the different in-home networks would quickly become impossible to maintain due to the sheer number of firewall rules.
Nonetheless, we believe that the basis for a security solution for IoT should be network based. By this we mean that such a solution should control the network traffic to and from the device in such a way that it can contain vulnerabilities, isolate compromised devices, and still allow genuine traffic to and from the device in order to allow the end-user to continue to use the device as far as it is usable. We believe that a well-designed network-based solution should have the following properties:
- it should not get in the way of what the end-user needs,
- it should work for legacy devices,
- it should provide adequate protection from infected devices without total loss of functionality,
- it should adapt to new devices and new services being added to the network,
- it should provide authorization and fine-grained access management without too much configuration hassle,
- it should be integrated with a “standard” device of any in-home network,
- it should furthermore be centrally manageable, and
- it should be updateable by a reputable party.
For present-day networks, one might be inclined to say that the home gateway is a candidate that fits these criteria. The advantages are that these devices already play a major role in the network management, e.g. because they hand out IP addresses and provide access to the internet. Furthermore, they are managed by the operator, which is a reputable party and has the power to update and upgrade the gateways. Lastly, the home gateway in many cases is also the access point and switch of the home network, which means that in its most basic function the home gateway has the ability to stop any traffic between any two devices. Apart from this basic functionality, the home gateway will need to be upgraded to provide additional security functionality and perhaps even be upgraded to also manage Zigbee and Bluetooth devices and networks. Although that might sound far-fetched, such an upgrade would allow the DSL or cable operator to become a provider of managed security services for home automation and gain a stronger presence in the home.
Another option that we see is that a smart hub takes this role. Smart hubs are devices that – as their name suggests – smartly integrate with various IoT devices. Often, they are capable of multiple network protocols and take a central place in the house. Another advantage is that they are connected to the cloud and that these cloud providers, such as Google and Amazon, have the capabilities, knowledge, and data to ‘profile’ the IoT devices and to distinguish between genuine and malicious behaviour. A further advantage is that they integrate with existing end-user services and smart phones so that configuration should be a breeze. With their knowledge and expertise, we expect that these cloud providers can provide a home automation security service that will be able to contain vulnerable devices by dynamically allocating zones or firewall rules as necessary. By doing so, they should be able to allow these devices to continue to function, albeit with some limited functionality (such as shown in figure 2). Of course, it remains to be seen what will be realized, but the potential is high.
Yet another possibility is presented by the sudden emergence of so-called security routers and a possible merger with smart hubs. In the last year, a number of security routers were introduced by companies like Norton, TP-Link, and F-Secure (reference  lists a number). Even though these devices are a step in the right direction and will certainly help to improve security, they seem to be mostly aimed at protecting the IoT devices from malicious content coming from the internet and do not seem to have the advanced security features that we presented above.
In summary, the (lack of) security of IoT devices for in-home usage has pointed us to think about other possible ways of securing them. A possible solution is a network-based solution where a (cloud) provider provides a managed security solution based on the presence it already has in the in-home networks. Three parties that immediately come to mind are the fixed line operators, the vendors of smart hubs, and the vendors of security routers. As with any prediction, it remains to be seen whether this market will pick up and whether it will pick up on the solutions that we proposed. So, from now on, we can only hope that they do and that in a few years’ time, we will wake up well rested, due to a secure IoT environment in the home.
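The containment behaviour described above (default deny between devices, with a compromised device cut off from its LAN peers while it can still reach its vendor cloud) can be modelled as a small policy engine. This is an added example, not code from the article or from any vendor; the device names, flows, ports and the quarantine rule are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str    # device that initiates the connection
    dst: str    # peer device, or "internet" for the vendor cloud
    proto: str
    port: int


@dataclass
class HomePolicy:
    flows: set = field(default_factory=set)        # allowlist; anything else is dropped
    quarantined: set = field(default_factory=set)  # devices flagged as compromised

    def allow(self, src, dst, proto, port):
        self.flows.add(Flow(src, dst, proto, port))

    def quarantine(self, device):
        self.quarantined.add(device)

    def _active(self, flow):
        # Assumed containment rule: a quarantined device may no longer
        # initiate connections to LAN peers, but keeps its cloud flow.
        return not (flow.src in self.quarantined and flow.dst != "internet")

    def decide(self, src, dst, proto, port):
        """Return 'accept' or 'drop' for one connection attempt."""
        flow = Flow(src, dst, proto, port)
        if flow not in self.flows:
            return "drop"  # default deny, also between devices on the same LAN
        return "accept" if self._active(flow) else "drop"

    def effective_rules(self):
        """Rules the gateway or hub would currently enforce, in stable order."""
        return sorted(f"{f.src} -> {f.dst} {f.proto}/{f.port}"
                      for f in self.flows if self._active(f))


def build_sample_policy():
    # Constructed inventory mirroring the interactions the article lists.
    policy = HomePolicy()
    policy.allow("phone", "thermostat", "tcp", 443)     # local control
    policy.allow("camera", "nas", "tcp", 445)           # store video on the NAS
    policy.allow("camera", "internet", "tcp", 443)      # vendor cloud
    policy.allow("thermostat", "internet", "tcp", 443)  # vendor cloud
    return policy
```

Four declared flows replace the implicit any-to-any access of the flat network, and quarantining a device only changes which of its own flows stay active.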
References and further reading: