When it comes to disruptive change, the emergence of the smart home is driving demographic, economic, and technological advancement as never before, says David P. Maher, executive VP and chief technology officer of Intertrust. This application of IoT, where private households and the devices that run them are connected to the internet, is creating an ecosystem that grew to more than 6.2 billion devices last year alone and is expected to grow to 7 billion by the end of 2020.
While these figures generate excitement in the consumer electronics industry, they also represent a surge in the number of vulnerable home IoT devices. As a result, providers of home IoT platforms, intelligent assistants, and connected services of all types are now moving to adopt a ‘comprehensive systems’ point-of-view to ensure that incumbent consumer-oriented issues like usability, convenience, privacy, and security are addressed in a unified way.
Home IoT platform providers such as Google, Apple, Amazon, and virtually every provider of home-oriented devices appear to have come to the important realisation that consumers have not been able to enjoy the full potential value of home IoT, and never will, until fundamental ease-of-use and security issues are addressed.
Everything from device identity and naming to safe and secure discovery must become much easier for consumers. Just as important, a more comprehensive, yet lighter-weight form of interoperability is needed to allow new services to help coalesce a homeowner’s IoT devices into a coherent and usable system that offers real convenience, security, and privacy.
This year we are certain to see a real “connected home over IoT” approach. This reflects the important work advanced by the Project Connected Home over IP, an industry working group that aims to develop and promote a shared vision that smart home devices should be secure, reliable, and seamless to use.
Home IoT devices bring both vulnerabilities and frustration into the home. However, there is an opportunity to make them work with a new class of integrated services that merge both physical security and cybersecurity capabilities that are simple for consumers to use and understand.
Intelligent services, not just intelligent assistants, can also help ensure that when a new device is added to a system, it serves as a defensive sentinel, rather than an attack point for intruders. Technologies will help, but so will standards for device and application security self-defense.
So far, the home IoT industry has largely avoided debilitating cyberattacks, however as smart home technology comes into the mainstream, this could be the year that such attacks become real. It is crucial that the industry as a whole realizes that the clear and present danger of vulnerable home IoT networks is the real security issue, and take appropriate action to reduce this threat.
Many home IoT devices are sorely lacking when it comes to protecting users, something that cyber intruders have also noticed. A Honeypot survey revealed that cybersecurity company F-Secure saw a 12-fold increase in attacks by way of protocols used by IoT devices and Windows. Much of the attack traffic came from the Mirai malware that was first noticed back in 2016. While certainly troublesome, so far Mirai has served mainly to collect compromised home IoT devices into botnets for DDoS attacks on servers and has generally left device owners alone.
History doesn’t portend an optimistic state of affairs to continue. The first internet worm, called the Morris Worm, was introduced more than 30 years ago. It wasn’t until 7 to 10 years later that truly destructive virus attacks appeared in the wild, spawning today’s cybersecurity industry. It’s only a matter of time before cyber intruders find valuable targets in the smart home using malware that will open the floodgates to a new set of vulnerabilities.
With the sorry state of home IoT security, home owners usually rely on network security, often provided through their ISP. One important point that is often lost is that IoT devices are actually operating in an environment comprised of a network of networks. For example, many home IoT devices shipping today support both WiFi and Bluetooth. Network security measures may address the WiFi network but not the Bluetooth network. Enterprising cyber intruders could potentially use the Bluetooth network to compromise IoT devices in the home, or mobile devices could be compromised and introduced into a home network.
These devices are often ‘hyperconnected’ in that they can communicate with any number of servers participating in cloud service ecosystems for which the device is a member. Each of these represent yet another potential path for bad actors to attack home IoT devices. Not only is network security insufficient to protect many potential paths of attack, but once a compromised device is introduced it can easily become a vector for infecting other devices on the same network. The entire smart home network must then be considered compromised, a proverbial ticking time bomb for the homeowner.
The limitations of network security places the onus on developers of home IoT devices to adopt a security strategy based on a zero-trust principle. In a zero-trust security posture, a device cannot rely on other devices in its environment for security. Every single device must be resistant to security attacks as they are potential entry points to more valuable and sophisticated targets. In fact, the FBI has issued a warning on “drive-by” hacking, whereby attackers use unsecured devices to get to the router and gain access to everything on the home network.
An overall systems approach to security will take the entire home network into account, from lightbulbs and speakers to phones and laptops. While strong security can be employed in simple devices, the practice needs to become more commonplace and supported by cloud-based services. But even if all home IoT devices were to start shipping with appropriate security tomorrow, there will still be a myriad of “orphaned” devices already installed with indeterminate chances of being updated.
The solutions to address home IoT security vulnerabilities are becoming more difficult as time goes by which only emphasises the need to address them now.
About the author
David P. Maher is Intertrust’s executive VP and chief technology officer. With more than 30 years of experience in secure computing, he holds dozens of patents and has published papers in the fields of mathematics and computer science. A consultant for the National Science Foundation, National Security Agency, National Institute of Standards and Technology, and the Congressional Office of Technology Assessment, Maher holds a Ph.D. in Mathematics from Lehigh University.