Unfortunately, it is fair to say that the vulnerabilities of the Internet of Things (IoT) are preceding its innovations and utilities. From the hacking of the Ukraine power grid to last year’s DDoS attack against the Dyn DNS provider, IoT devices are behind security incidents of all sizes.
The IoT industry is exposing how putting connectivity into anything and everything opens up a Pandora’s box of vulnerabilities and gives cybercriminals limitless ways to hurt their victims. One area of concern is smart homes, where a slew of not-so-secure devices are finding their way in and exposing their owners to unprecedented threats.
In this month’s interview, Leon Kuperman, CTO of smart firewall manufacturer CUJO, discussed IoT security threats and new approaches to securing the homes of the future.
Your home is now full of connected computers
“The smart home will now have to deal with several new network entry points including protocols such as Bluetooth, Zigbee, Z-Wave and others,” Kuperman says, referring to the connected fridges, light bulbs, toasters, coffee makers, etc. that are entering homes.
Other renowned security experts have underlined the threats of connectivity and computing being incorporated into every device. Mikko Hypponen, another cybersecurity expert, recently said at a tech conference that everything will inevitably get connected, and internet connection lines will fade.
“Everything is now a computer,” Bruce Schneier said at a congressional hearing last year, where he laid out the new threats of the IoT era in the wake of October’s massive DDoS attack against major internet services.
And they’re not as secure as they should be
“Additionally, these smart devices are typically running a full Linux operating system and all of the vulnerabilities that come with it,” Kuperman says. This is another critical point. As opposed to old embedded systems that run very rudimentary and limited firmware, IoT devices usually run a stripped-down or full version of an operating system, a very complex piece of software in its own right.
Quoting Schneier again, “Complexity is the worst enemy of security,” because the more complicated software gets, the harder it is to find and plug the security holes.
Moreover, Kuperman adds, these devices don’t run traditional endpoint protection tools, which leaves them unchecked to impose an attacker’s will on the home network. “We call this type of attack ‘lateral movement’ when an IoT device is compromised and then used to spread through the home to gather sensitive data from PCs, laptops, phones and tablets.”
A number of IoT devices have been found to have this specific vulnerability. One of the most famous cases was the HVAC vulnerability that allowed hackers to get into the networks of retail giant Target and steal customer credit card information.
Most generic network devices are configured to only allow access from local devices. That’s why a compromised IoT device that shares a network with your laptop or printer could become a critical danger. For this very reason, one of our holiday smart home security tips last year was to put your home’s IoT devices on a separate, isolated network. But that is only a temporary patch on a wound that is still there.
IoT devices have critical functionality
“Devices are becoming mission critical for consumers,” Kuperman says, adding that we now have connected everything from our door locks, window sensors, security cameras, medical devices to less important devices like our toothbrush, toaster and mattress.
With everything being connected to the internet, malicious actors now have the ability to remotely monitor and manipulate the devices in your home. How does this make you vulnerable?
“If a burglar breaks into your house, without any sign of forced entry, how are the police equipped to investigate the break-in?” Kuperman asks. “How is the insurance company going to cover your losses?”
Another way cybercriminals can target their victims is by denying them access to the critical functionality of their devices, a threat we’ve previously discussed thoroughly on TechTalks. The mysterious fsociety of the TV series Mr. Robot uses this kind of attack to force one of their targets to leave her home.
Smart homes do not have professional security teams
“In the corporate environment there are teams (usually called Security Operations) to constantly monitor and tune systems for these issues,” Kuperman says. “Unfortunately in a home network, there is only one IT person, that’s Mom or Dad.”
Being under-resourced in security results in devices not being monitored or updated frequently enough. Smart home devices are installed and forgotten along with all their known and unknown vulnerabilities. In many cases, such as DDoS attacks conducted by IoT botnets, devices in your home might become instruments of the attack without you even noticing it.
“We don’t have the skills, resources or budget to protect home networks using traditional cyber security methods,” Kuperman says. “In many ways, protecting a home network is much harder than protecting a corporate network.”
What is the new approach to securing smart homes?
“Some solutions include a ‘corporate port’ of techniques that have been successful in the corporate environment with the hope that they will work well in home networks,” Kuperman says. For example, the concept of Deep Packet Inspection (DPI) is often used in corporate networks, with the assumption that a company can look at all communication and web browsing sessions for their employees.
But these traditional approaches to IT security will most likely not work on smart homes, and lack of human resources is not the only reason, Kuperman believes. “Customers will not agree to DPI and potential exposure of their encrypted browsing sessions,” he says.
A true solution will be one that respects consumer privacy while at the same time fending off cyberattacks with minimal user involvement. To this end, the engineering team at CUJO is relying on artificial intelligence and machine learning algorithms to secure smart homes.
“We look for ways of automating absolutely everything that our technology is supposed to accomplish,” Kuperman says. “That includes self testing, self healing algorithms that use the smartest machine learning techniques to detect and thwart threats that would normally be handled by human analysts.”
CUJO has a centralized database of known IoT devices and their baseline behavior, which it uses to look for behavior anomalies in devices present in a home network. “In a home user environment, if we see a thermostat start talking to a destination on the internet that we’ve never seen for that model, we block the communication to prevent any damage from a potential infection,” Kuperman says. “We then provide remediation help to get the device back to a state of safety.”
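The per-model baseline check described above can be sketched as follows. This is an added example, not CUJO's code: the model names, hostnames, the `min_homes` threshold and the allow/block/alert decisions are assumptions made for illustration. It works on flow metadata only (device model and destination), never on packet contents.

```python
from collections import defaultdict

# Constructed fleet observations: (home_id, device_model, destination).
FLEET_FLOWS = [
    ("home-1", "thermo-x1", "api.thermo.example"),
    ("home-2", "thermo-x1", "api.thermo.example"),
    ("home-3", "thermo-x1", "api.thermo.example"),
    ("home-1", "thermo-x1", "ntp.example.org"),
    ("home-2", "thermo-x1", "ntp.example.org"),
    ("home-3", "thermo-x1", "203.0.113.50"),  # seen in a single home only
    ("home-1", "cam-z9", "video.cam.example"),
    ("home-2", "cam-z9", "video.cam.example"),
]

def build_baseline(flows, min_homes=2):
    """Map model -> destinations seen from at least min_homes distinct homes.

    Requiring several homes keeps one infected device from adding its
    attacker's destination to the baseline for the whole model.
    """
    homes_seen = defaultdict(set)
    for home, model, dest in flows:
        homes_seen[(model, dest)].add(home)
    baseline = defaultdict(set)
    for (model, dest), homes in homes_seen.items():
        if len(homes) >= min_homes:
            baseline[model].add(dest)
    return dict(baseline)

def decide(baseline, model, dest):
    """Return 'allow', 'block' (known model, unseen destination) or 'alert'."""
    if model not in baseline:
        return "alert"  # no baseline for this model, so nothing to compare with
    return "allow" if dest in baseline[model] else "block"

def triage(baseline, flows):
    """Return the flows that were not allowed, with the decision taken."""
    flagged = []
    for home, model, dest in flows:
        decision = decide(baseline, model, dest)
        if decision != "allow":
            flagged.append((home, model, dest, decision))
    return flagged

if __name__ == "__main__":
    baseline = build_baseline(FLEET_FLOWS)
    home_flows = [  # constructed traffic from one home
        ("home-9", "thermo-x1", "api.thermo.example"),
        ("home-9", "thermo-x1", "198.51.100.7"),
        ("home-9", "bulb-q2", "cloud.bulb.example"),
    ]
    for row in triage(baseline, home_flows):
        print(row)
```
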
This new trend of AI-powered solutions might be the crux of solving the widening cybersecurity talent gap and a fast-growing IoT industry that has already outnumbered the human population. “In a way, home and IoT security are going to lead the way in the next generation of cyber security advances,” Kuperman says.