The Internet of Things (IoT) is expanding fast and encroaching on every aspect of our lives. There are already more than 4 billion connected devices across the world, and IoT devices will outnumber humans several times over by 2020. Many of these devices are in our homes, and they give us an unprecedented ability to sense and control our appliances, helping us achieve convenience, energy savings and home automation in ways that were virtually impossible a few years back.
However, the promise of efficiency and modernization offered by IoT can’t be realized without the security and privacy controls to go with it. There are many reasons to worry about your smart home’s security, because insecure IoT devices effectively enable malicious hackers to remotely monitor your home’s activities, hijack your appliances, or trigger the functions of your home’s controller at will to further their own ends.
To mitigate the risks to security and privacy in IoT networks, researchers at R&D firm LGS Innovations, led by cybersecurity scientist Lloyd Greenwald, published a study in which they presented a way to seal a smart home’s privacy using commercial off-the-shelf (COTS) products and services. Their recipe includes simple cryptography and information manipulation techniques that obscure potential adversaries’ view of home device data and make successful attacks more difficult to conduct.
For their experiment, the LGS researchers used a set of SmartThings sensors and controllers connected to their cloud server through an IoT hub and home router. A Nexus 4 mobile device and wireless router were also used to access and manage the devices, which offer administration interfaces in the form of web and mobile apps hosted by separate servers.
An observation of the incoming and outgoing traffic of the smart home showed that the communications between IoT devices and their cloud servers were protected through an SSL-encrypted channel. However, despite the measures taken to protect the consumer’s privacy, LGS researchers found that passive monitoring of home network activity can still leak a lot of pertinent information, including location, behavior, life patterns, and preferences.
Furthermore, many case studies and research efforts have shown that IoT devices are largely prone to encryption vulnerabilities, including the Heartbleed bug and shared private encryption keys, through which attackers can break into secure communication channels and read unencrypted data.
Concealing the user’s location
Many of the functionalities offered by IoT devices require the user to sacrifice privacy and disclose location information to the IoT devices. At the very least, location details are revealed through IP address information.
To overcome this weakness, LGS researchers proposed setting up a Virtual Private Network involving a VPN server (LGS used Digital Ocean as the service provider) and a router running a VPN client (the study used an Ubuntu machine with the OpenVPN client installed). They also installed the VPN client on the mobile device to secure the administration channel.
The use of a VPN helped the researchers further encrypt communications and also mask IP location information. The IoT network continued to work as expected and the app received notifications as sensors were triggered.
However, the use of a VPN layer did introduce some latency in message delivery. In an email, Greenwald wrote, “We expect any added delay due to the VPN to be unnoticeable compared to the delay and jitter between the IoT server and mobile device.” Greenwald also noted that the internet doesn’t make any timing guarantees in the first place, which makes the use of time-sensitive devices risky even without a VPN.
Mobile location spoofing
Some IoT sensors use geofencing techniques and are triggered when the mobile device running the app comes within a predefined radius of the sensor. This means that while the VPN can provide IP-masking, the mobile app can still reveal the location, the LGS report states, because the phone acts as a mobile presence sensor.
To overcome this privacy concern, the LGS expert used the Fake GPS location app to spoof the location of the smartphone and offset it by one mile. However, this privacy protection measure did have the tradeoff of causing disruptions in services and sensors that rely on exact geolocations.
“There are some tradeoffs in utility when employing the privacy protection methods we suggest in the paper,” Greenwald wrote in his email. “Some of these utility tradeoffs can be reduced when you have knowledge of the changes.”
Event reporting manipulation
Even though the VPN and location spoofing methods conceal the true location of the consumer, attackers can still learn a lot by observing the timing and frequency of sensor events. The next phase of the LGS study was to prevent the theft of behavior and daily life patterns.
To disrupt the timing of events, the researchers used a set of firewall rules on the Ubuntu machine to delay or block some of the events being reported to the cloud server. This had the effect of distorting the order of events being triggered within the smart home. The tradeoff was minor delays in some conditional IFTTT (IF This Then That) actions, such as placing a phone call when the door sensor is triggered.
The LGS researchers also added a twist by artificially creating events to confuse likely eavesdroppers on the home network. For this, they assembled a LEGO MINDSTORMS robot and combined it with a set of motion and open/close sensors. They then programmed the robot to periodically trigger the sensors, generating false traffic and creating the impression to an outside observer that the house is occupied.
While Greenwald admitted that the introduction of this technique could cause disruptions in services that require accurate information about events, he also explained that “manipulations can be removed at the client (e.g. mobile phone) if you’re not relying on server analysis for the service.” Since the newly introduced sensors were labeled with false names (e.g. one sensor was labeled as “backdoor” while the house didn’t have a backdoor), the user could filter them at the mobile app level and remove the fake data.
However, removing the false data at the data center is trickier, and this practice can disrupt analytics operations being performed by the cloud server. LGS is studying methods to overcome this side effect as well, the paper states.
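An added example, not code from the LGS study: a small Python simulation of the event delay and decoy techniques described above, showing what a passive observer who sees only the timestamps of encrypted reports can infer before and after, and how the client removes decoys by label. The sample events, the 30-minute decoy period, the 5-minute maximum delay and all function names are constructed assumptions; only the “backdoor” label comes from the article.

```python
import random

# Constructed sample: (seconds since midnight, sensor label) for real sensors.
REAL_EVENTS = [(7 * 3600 + 120, "front door"), (7 * 3600 + 125, "hall motion"),
               (18 * 3600 + 30, "front door"), (18 * 3600 + 40, "hall motion")]
DECOY_LABELS = {"backdoor"}  # falsely named sensor that the robot triggers


def add_decoys(events, period_s, rng, day_s=86400):
    """Robot-style decoys: one fake trigger at a random point in the first
    half of every period_s window across the day."""
    decoys = [(t + rng.randrange(period_s // 2), "backdoor")
              for t in range(0, day_s - period_s, period_s)]
    return sorted(events + decoys)


def delay_reports(events, max_delay_s, rng):
    """Firewall-style hold: each report leaves the home up to max_delay_s
    late, so arrival order no longer has to match trigger order."""
    return sorted((t + rng.randrange(max_delay_s + 1), label)
                  for t, label in events)


def observer_quiet_gaps(report_times, min_gap_s):
    """Passive observer's view: only timestamps of encrypted bursts.
    A long silent gap between bursts suggests an empty house."""
    times = sorted(report_times)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a >= min_gap_s]


def client_filter(events, decoy_labels=DECOY_LABELS):
    """Mobile app side: drop events from sensors the owner knows are fake."""
    return [(t, label) for t, label in events if label not in decoy_labels]


def demo(seed=1):
    rng = random.Random(seed)
    sent = delay_reports(add_decoys(REAL_EVENTS, 1800, rng), 300, rng)
    before = observer_quiet_gaps([t for t, _ in REAL_EVENTS], 4 * 3600)
    after = observer_quiet_gaps([t for t, _ in sent], 4 * 3600)
    return before, after, client_filter(sent)


if __name__ == "__main__":
    before, after, recovered = demo()
    print("quiet gaps visible without defenses:", before)
    print("quiet gaps visible with delay + decoys:", after)
    print("events the owner's app keeps:", recovered)
```

Without the defenses the observer sees one long silence between the morning and evening events; with them no gap of four hours or more remains, while the app still recovers all four real events, each at most five minutes late.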
What the LGS study doesn’t cover
The method presented by LGS researchers improves the privacy and security of IoT ecosystems, and through the manipulation of smart sensor data and the use of encryption systems, it increases the cost of an adversary’s attack.
However, there are several security domains where IoT technology is sorely lacking, most notably at the Wi-Fi network level. Vulnerabilities in these areas can lead to the hacking and hijacking of IoT devices. Greenwald wrote that while the study doesn’t cover Wi-Fi security, LGS is conducting orthogonal work “in detecting network events from network traffic using deep learning,” which will be published in a future paper.
In the meantime, to complement the DIY method presented by Greenwald and his team, you can use one of the many IoT security solutions such as F-Secure’s SENSE box and Luma’s smart Wi-Fi home router, which offer smart, cloud-based solutions that analyze home network traffic to identify and isolate threats.
IoT technology has long been known as a tradeoff between utility and privacy. Initiatives such as the one introduced by LGS will help reduce the effects of this tradeoff while allowing consumers to take maximum advantage of their smart sensors and appliances.