Protecting Smart-Home Devices from Cyber Attacks

By Alan Grau, VP of IoT/Embedded Solutions, Sectigo

“If you build it, they will come.” This was true in the 1989 movie “The Field of Dreams” and is also true for smart home and internet of things (IoT) devices. The difference, of course, is who will come? Baseball fan and farmer Ray was delighted to see the ghosts of former baseball greats arrive to play ball on the field he built. In contrast, smart-home system manufacturers and device owners are less thrilled to welcome hackers who visit, only to probe and attack new smart devices.

Existing botnets and automated cyberattacks continually scan the internet seeking new devices to attack. A device with a public IP address will be attacked and, if it has known vulnerabilities, will be compromised within minutes of first connecting to the internet.

Smart-home devices are typically deployed behind a home gateway router with a built-in firewall but, in reality, they are only marginally more protected. The security for home routers is notoriously weak, with their discovered security vulnerabilities shared and published all over the web.

Once a home network is compromised and its security bypassed, the lack of embedded security technologies makes it easy for hackers to penetrate all the connected devices, like security cameras, smart locks, printers, gaming systems, and appliances. Essentially, every internet-connected thing in the home is ripe for reaping.

Recently, connected doorbells and cameras have suffered from several high-profile cyberattacks, such as the “Bad Santa” attack whereby a hacker told a young girl in Mississippi that he was Santa Claus and taunted her through the camera. This attack occurred just four days after the family installed the camera with the intent of increasing safety in their home. In another case, a Ring camera in the bedroom of an eight-year-old girl was accessed by a hacker who instructed the child to mess up her room and to call her mother using racial slurs.

A slew of other smart-home devices have been found to be vulnerable, including smart light bulbs, smart locks, smart toilets, and baby monitors. Connected appliances are vulnerable as well.

One of the first recorded botnet-infected appliance incidents occurred during the holiday season in late 2013. According to Business Insider and Proofpoint, a refrigerator-based botnet was used to attack businesses. Unlike most malware attacks, this botnet did not attack the host it infected but instead was used to send out waves of distributed denial of service (DDoS) attacks that were used to cripple businesses.

Smart-home devices, including cameras, doorbells, smart speakers, and even appliances like refrigerators, can be hacked and taken over by bad actors.

These breaches show that connected devices require higher levels of security. The state of California and the European Union have already enacted legislation requiring greater levels of security for IoT devices, and many other jurisdictions have pending legislation to improve IoT device security.

In addition, industry consortiums and government regulatory bodies, such as the FDA, have begun to define cybersecurity requirements for IoT devices in specific vertical markets. Despite waves of recent legislation that mandate higher levels of security, it does not seem likely that these security problems will be resolved any time soon without additional measures taken by OEMs and suppliers across the IoT ecosystem.

Implications of Smart-Home Cyberattacks

Stories of hackers harassing children are shocking and, as such, quickly gain headlines. These attacks show how vulnerable our privacy has become as smart-home devices have grown in number while their security measures have failed.

The concerns go beyond just privacy. IoT botnets frequently conscript smart-home devices, weaponizing them to launch DDoS attacks, send massive amounts of spam email, or perform crypto mining. Other attacks have resulted in loss of personal data including financial information and Wi-Fi passwords.

Worse still, cyberattacks can escalate into physical threats. Criminals can monitor security cameras to determine when homeowners are absent, and hacked door locks could allow easy entry for someone looking to steal more than just data.

IoT Security Requirements

We have moved beyond the introductory days of the IoT to mass deployments. The IoT is no longer an emerging technology, and it needs mature and powerful security solutions. It is no longer acceptable to sell and deploy any connected devices with weak or nonexistent security. Consumer confidence has been damaged and needs to be restored. Weak security is no longer acceptable to users of internet connected “things.”

By using a variety of known, state-of-the-art security protocols and processes, it is possible to develop and build a connected home environment that is safe from cyberattack.

Keeping IoT devices and information safeguarded from cyberattack is not simple and will never be perfect. It’s an ongoing evolutionary battle. Cyber criminals are always upgrading their methods and developing newer and ever more sinister attack tactics. However, staying current with cybersecurity best practices and using proven security solutions provides a strong foundation for the industry to protect devices from cyberattacks.

Security Challenges for Smart-Home Devices

Smart-home devices comprise a wildly diverse range of device types, ranging from small to large and from simple to complex. Unlike PCs or laptops that can run sophisticated anti-malware and antivirus products, these are embedded devices. They are fixed-function units designed to perform a specific task. Many of them use a specialized operating system such as VxWorks, MQX or INTEGRITY, or a stripped-down version of Linux.

Installing new software on the system in the field either requires a special upgrade process or is simply impossible. In most cases, these devices are optimized to minimize processing cycles and memory usage and do not have the extra processing resources necessary to support traditional security mechanisms.

As a result, standard Windows or iOS security solutions cannot be used to solve the challenges of embedded devices. In fact, given the specialized nature of embedded systems, PC security solutions won’t even run on most embedded devices.

Using multiple layers of protection is the driving principle for enterprise security. This includes firewalls, authentication/encryption, security protocols, and intrusion detection/intrusion prevention systems. These are well-established and proven security principles. Despite this, firewalls are virtually absent in embedded systems; instead, OEMs rely on simple password authentication and security protocols.

Many OEMs have erroneously assumed that embedded devices are not attractive targets to hackers, that embedded devices are not vulnerable to attacks, or that authentication and encryption provide adequate protection for embedded devices. These assumptions are no longer valid because the number and sophistication of attacks against embedded devices continue to rise, and greater security measures are needed.

IoT Security Implementations

To protect homes and businesses from cyberattacks, any connected devices must include an array of security features that protect the device from a variety of attacks, protect the integrity of the device, and enable “device identity” so that all connected things can be authenticated to safely communicate via the internet using encryption. There are a variety of industry-proven and tested IoT identity and integrity solutions that provide IoT manufacturers with highly effective techniques and protocols for authenticating and securing connected devices (see diagram 3).

Diagram 3: Manufacturers developing secure connected devices can use one or more of these six security techniques to protect their products from attack when installed in homes and businesses.

These can include:

  • Secure Boot: This provides embedded software APIs that ensure software has not been tampered with from the initial “power on” to application execution. It also lets developers securely code sign bootloaders, microkernels, operating systems, application code, and data.
  • Secure Remote Updates: It’s important to validate that device firmware has not been modified before installation. Secure remote updates ensure components are not modified and are authenticated modules from the OEM.
  • Secure Communication: The use of security protocols like TLS, DTLS, and IPSec adds authentication and data-in-motion protection to IoT devices. By eliminating sending data in the clear, it is much more difficult for hackers to eavesdrop on communications and discover passwords, device configuration, or other sensitive information.
  • Embedded Firewalls: By working with real time operating systems (RTOS) and Linux to configure and enforce filtering rules, embedded firewalls prevent communication with unauthorized devices and block malicious messages.
  • Secure Elements: OEMs and medical device manufacturers should use a secure element, such as a trusted platform module (TPM) compliant secure element, or an embedded secure element for secure key storage. Secure key storage enables secure boot and PKI enrollment using key pairs generated within the secure element, providing very high levels of protection from attacks.
  • Device Identity Certificates: Adding digital certificates to devices during manufacturing ensures authentication of devices upon interfacing with the network as well as before communicating with other devices in the network. This protects against the introduction of counterfeit devices onto the network.
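
As an added illustration of the Secure Remote Updates item above (not code from the article or from Sectigo), this Go program shows a device checking that an update is unmodified and was signed by the OEM before it is installed. The manifest layout, the choice of Ed25519, the anti-rollback rule, and all names and sample values are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrSignature = errors.New("manifest not signed by the OEM key")
var ErrModified = errors.New("image does not match the signed digest")
var ErrRollback = errors.New("version not newer than installed firmware")

// Manifest is a hypothetical update header: version plus SHA-256 of the image.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// Bytes is the fixed 36-byte encoding the OEM signs and the device checks.
func (m Manifest) Bytes() []byte {
	v := []byte{byte(m.Version >> 24), byte(m.Version >> 16), byte(m.Version >> 8), byte(m.Version)}
	return append(v, m.Digest[:]...)
}

// VerifyUpdate runs on the device before anything is written to flash.
func VerifyUpdate(oem ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	switch {
	case !ed25519.Verify(oem, m.Bytes(), sig):
		return ErrSignature // manifest forged, or altered after signing
	case sha256.Sum256(image) != m.Digest:
		return ErrModified // image changed after the OEM signed its digest
	case m.Version <= installed:
		return ErrRollback // assumed policy: refuse genuine but older firmware
	}
	return nil
}

// Demo returns results for: genuine, modified image, untrusted signer, rollback.
func Demo() [4]error {
	pub, oem, _ := ed25519.GenerateKey(nil) // constructed sample OEM key pair
	_, other, _ := ed25519.GenerateKey(nil) // a signer the device does not trust
	image := []byte("constructed firmware v7")
	m := Manifest{7, sha256.Sum256(image)}
	sig, forged := ed25519.Sign(oem, m.Bytes()), ed25519.Sign(other, m.Bytes())
	return [4]error{VerifyUpdate(pub, m, sig, image, 6), VerifyUpdate(pub, m, sig, image[1:], 6),
		VerifyUpdate(pub, m, forged, image, 6), VerifyUpdate(pub, m, sig, image, 7)}
}

func main() { fmt.Println(Demo()) }
```

On a real device the OEM public key would sit in read-only storage or a secure element, and only the manufacturer's signing service would hold the private key.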

Summary

Cybercriminals are attacking IoT devices, including smart-home devices, with very little technical resistance. Far too many devices are easy targets, lacking basic, fundamental security solutions. Unless device manufacturers start protecting all emerging connected devices from attack, our smart homes will continue to fall prey to cyberattacks.

About the Author

Alan Grau

Alan Grau has 30 years of experience in telecommunications and the embedded software marketplace. Alan joined Sectigo in May 2019 as part of the company’s acquisition of Icon Labs, a leading provider of security software for IoT and embedded devices, where he was CTO and co-founder, as well as the architect of Icon Labs’ award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security.

About Sectigo

Sectigo (formerly Comodo CA) provides purpose-built and automated PKI management solutions to secure websites, connected devices, applications, and digital identities. As the largest commercial Certificate Authority, trusted by enterprises globally for more than 20 years, and more than 100 million SSL certificates issued in over 200 countries, Sectigo has the proven performance and experience to meet the growing needs of securing today’s digital landscape. For more information, visit Sectigo.
