The Internet of Things is transforming our homes into data centers before our very eyes. Yet unlike in the data center, we don’t have IT professionals on call to manage, patch and secure these systems. Already in 2016, there are reports of LG Smart TVs being targeted by scareware. And just recently, new research has highlighted serious flaws in the Samsung SmartThings platform which could allow remote hackers to unlock doors, trigger false fire alarms and reprogram security settings inside our smart homes. Many home users are unfortunately unprepared to deal with such events. They need to wake up to the fact their innocuous-looking domestic IT could be hijacked by cybercriminals or government spooks, with potentially serious consequences. But industry and regulators also need to take action — to force manufacturers to improve the security of consumer electronics products.
The vision set out by the prpl Foundation in a new guidance document is all about building security into the silicon — with a secure boot establishing a root of trust; and restriction of lateral movement thanks to hardware virtualization.
Complexity breeds insecurity
IoT innovation is everywhere, and it’s becoming ever more pervasive. Time was when we had one dumb feature phone in our pocket, a single shared PC in the home, an analog TV and a collection of unconnected home appliances. Today we have at least one smartphone alongside a tablet and maybe some other smart peripherals. In the house there could be a smart TV, home entertainment hub, smart router, connected fridge, smart toaster, IoT kettle, Wi-Fi washer/dryer and so on. Even the garage doors, lightbulbs and burglar alarms in our homes increasingly feature embedded, Internet-connected computing systems. That’s not to mention our automobiles — where everything from vehicle emissions to the on-board entertainment system, and even steering and braking is increasingly controlled by tiny sensors, software and silicon.
This new wave of IoT products might be highly intuitive on the surface, but it’s not as easy to manage as many people think. In fact, even the most tech-savvy consumers would have problems identifying and patching the growing collection of smart products in their homes. What makes matters more complex is that many manufacturers don’t release timely updates for their products, if at all. This is despite the fact that many are designed without security in mind. The firmware is left unsigned, which means if an attacker can reverse engineer the code they could remotely modify, reflash and reboot the device to execute arbitrary code. And too often lateral movement is allowed, meaning hackers can pivot inside a targeted system until they find what they’re looking for.
Even with an IT administrator on hand in the home, we would struggle to lock down this kind of risk. So what could an attacker actually do by exploiting these firmware ‘design flaws’?
- The so-called “SYNful Knock” attacks discovered in 2015 showed how attackers, likely nation-state actors, managed to modify the firmware image of Cisco routers to achieve persistence inside victims’ networks. Compromising such a device at the gateway to the home network could give attackers a perfect opportunity to steal data, monitor communications and install malware on parallel systems.
- Remote control of a smart device or embedded computer could allow an attacker to turn that device into a bot to launch DDoS, click fraud, information-stealing attacks and much more. One IoT device on its own is about as powerful as a BB gun. But imagine what you could do with a million BBs, all focused on the one target? Such botnet armies are well-known in security circles, but traditionally are composed of compromised computers. Yet IoT devices are perfect for this purpose: always on, always internet-connected and with fatally flawed architectures that can be exploited. We know of several cases already where IoT devices have been taken over en masse to build botnets. As far back as January 2014 a global phishing and spam attack was traced back to a compromised network of smart household devices. And cybersecurity firms are predicting things will get worse over the coming year.
As seen with SYNful Knock, it’s not just criminal gangs that have the capabilities and motives to find vulnerabilities in IoT systems. Governments and the defense contractors they employ are actively looking for such weaknesses. Even if they claim this is done for national security reasons, we all know that once a vulnerability has been exploited in a system, it will eventually find its way onto the cybercrime underground forums and websites that crisscross the darknet. Do the intelligence agencies work with major technology vendors to engineer backdoors? We don’t know for certain. But at the very least, their efforts to discover and use such flaws are a security threat to us all.
Time for change
So what do we do about this? I propose the following:
- Good security is at least half about good management of the product. Yet the consumer technology industry prioritizes the user experience over everything else. If a more secure product requires one more page of the user manual to read or 30 seconds more brain power, it is dismissed. Regulators must understand this. And they must impose a bare minimum standard for security updates — forcing manufacturers to administer these, so devices are not left unpatched for too long.
- The recently discovered Samsung SmartThings flaws raise some important questions about smart home security. Do these systems really need a mobile app? Does the app need to connect to a central server in the cloud? And, most importantly, is it right to have a smartphone control anything that is critical to you? In many cases the app itself is developed not by the smart device OEM but a third party over which they might have little control or visibility. OEMs should implement open and interoperable standards in their devices and home IoT architecture should rely only on a local, secured hub.
- If you’re going to shift responsibility from the end user to the vendor, you need a secure infrastructure extended into the device itself. As outlined in the prpl Foundation document, we need:
  - Secure boot — ensure IoT systems will only boot up if the first piece of software to execute is cryptographically signed by a trusted entity. The signature must match a public key or certificate which is hard-coded into the device, anchoring the “Root of Trust” into the hardware to make it tamper proof. This would have prevented the attacks on Cisco and others.
  - Hardware virtualization — this separates each software element, so a system can be designed that keeps critical components in secure isolation from the rest and prevents lateral movement. This can allow consumers to enhance and modify their products whilst crucially allowing regulators to prohibit and lock down modification of any function deemed too dangerous.
How many smart devices are there in your home? When was the last time you checked the firmware to make sure it was updated? The answer for most people will be “not sure.” Yet these embedded computers are connected to the Internet and each other — in vast numbers — all over the world, and contain fundamental flaws which can be exploited by anyone with the right know-how. This can’t be allowed to continue.
As the Internet of Things and connected embedded computing begin to permeate every part of our lives, we need to come together as an industry and rethink our approach to securing and managing these devices.
Read more about prpl Foundation’s blueprint for a hardware-led approach to IoT security: Security Guidance for Critical Areas of Embedded Computing.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.