A comprehensive approach to mitigating the problem of the insecure smart home is to secure the network. This contrasts with a single-minded focus on securing individual IoT devices, which will not be possible for a long time yet.
We are increasingly connecting our homes to the internet, making them ‘smart’, and probably making them vulnerable. The problem with our ‘smart homes’ is that we do not have the same level of control over our Internet of Things (IoT) devices’ security as we do over our PC or Mac. Most end users may not be able to improve security by, for example, setting or changing a password, or might not be bothered to. Why would a refrigerator or thermostat need security? How can a webcam watching my dog be a security threat?
It is incumbent upon us (the vendor, the service provider, the router manufacturer) to implement a layer of IoT security that is non-intrusive and does not require end user involvement. We can build security into the smart home’s connection to the internet – generally the broadband router or ISP cable modem – to control smart device traffic and afford a higher level of IoT security.
Devices that used to operate in isolation – TVs, cameras, thermostats and more besides – no longer stand alone; the contents of our homes are going online to give consumers simple and convenient control over their environment and operations. This level of connectivity is growing at such a rate that IHS Markit projects the number of connected IoT devices will rise from nearly 27 billion in 2017 to 125 billion in 2030.
In the face of this phenomenal forecast growth, more needs to be done to address vulnerabilities and avert security incidents. One study, from the Economist Intelligence Unit, highlights the need. It found that 80% of studied IoT-enabled devices failed to require adequate password protection and had issues that raised privacy concerns. In addition, 70% of the devices did not encrypt the user data sent to the network.
DDoS attacks and the emergence of the Mirai botnet are a clear sign that smart home device issues have moved beyond the theoretical into daily reality. The DDoS attacks in 2016 were among the largest ever recorded and managed to knock a variety of targets off the internet. The attack on Dyn, an internet infrastructure provider, also led to service disruptions at Spotify, Twitter, Reddit, and The New York Times. These huge attacks were largely caused by very small devices – digital video recorders and IP cameras. Most of them were made with hard-coded passwords that the end user couldn’t change – and that the Mirai botnet targeted. And it is almost certain that most of these device owners had no idea about their smart plaything’s role in these attacks.
A survey of Information Systems Audit and Control Association (ISACA) members found that 63% of IT professionals were not confident they could control who has access to the information collected by IoT devices at home. Their list of top security tips for connected devices was to avoid storing sensitive data on the device (45%), turn off internet-enabled functions when not actively in use (15%), change privacy settings (15%) and change passwords (11%).
The problem is that many of these traditional security steps are just not possible with IoT devices. Of course, there is sensitive data stored on them which gets sent to the company’s servers managing the device. More critically, sometimes this information is encrypted and sometimes not. Smart home devices are often meant to be left on. After all, why physically turn a device on or off when your goal is to have a smart device that does these manual steps for you? Changing passwords and privacy settings – that’s a great step – if the device lets you do it.
There are multiple roadblocks to securing our connected environments: intrinsically vulnerable devices, users unable or unwilling to securely install them, and a lack of an industry-wide set of device security standards. Looking beyond the roadblocks, there is usually just one internet road leading into the home – the broadband router or the cable modem from the ISP. Controlling smart device traffic at this point removes a number of the roadblocks without the need for any additional hardware or installation. Intelligent software that identifies what goes in and out and then uses artificial intelligence to dynamically analyze behavior can quickly identify intrusive or hijacked IoT device activity and stop it. In this way, router manufacturers and ISPs can safeguard users’ connected devices against hijacking, ransomware, misuse and intrusion, boosting their security offering and their competitive advantage.
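
To make the gateway-side control described above concrete, here is an added sketch (not code from the article or from any vendor) of a router learning each device's normal destinations and then cutting off a device whose traffic suddenly fans out to many unfamiliar hosts. A learned allow-list plus a fan-out threshold stands in for the behavioural analysis the article mentions; the class name, MAC addresses, IP addresses and threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: flow records as a home router might log them,
# (phase, device MAC, destination IP, destination port). Not real traffic.
CAM, THERMO = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
FLOWS = (
    [("learn", CAM, "203.0.113.10", 443), ("learn", THERMO, "198.51.100.7", 443)]
    + [("live", CAM, "203.0.113.10", 443), ("live", THERMO, "198.51.100.99", 443)]
    # The camera suddenly contacts a series of hosts it has never used.
    + [("live", CAM, f"192.0.2.{i}", 23) for i in range(1, 6)]
    + [("live", CAM, "203.0.113.10", 443)]
)

class DeviceBaseline:
    """Hypothetical per-device baseline kept on the gateway."""

    def __init__(self, fanout_limit=3):
        self.known = defaultdict(set)   # mac -> destinations seen while learning
        self.novel = defaultdict(set)   # mac -> unfamiliar destinations since
        self.fanout_limit = fanout_limit
        self.quarantined = set()

    def learn(self, mac, dst, port):
        self.known[mac].add((dst, port))

    def check(self, mac, dst, port):
        """Return 'allow', 'alert' or 'block' for one outbound flow."""
        if mac in self.quarantined:
            return "block"              # isolated device: nothing leaves the home
        if (dst, port) in self.known[mac]:
            return "allow"
        self.novel[mac].add((dst, port))
        if len(self.novel[mac]) > self.fanout_limit:
            self.quarantined.add(mac)   # too many unfamiliar peers: isolate
            return "block"
        return "alert"                  # unusual but not yet conclusive

def run(flows, fanout_limit=3):
    gw, verdicts = DeviceBaseline(fanout_limit), []
    for phase, mac, dst, port in flows:
        if phase == "learn":
            gw.learn(mac, dst, port)
        else:
            verdicts.append((mac, dst, port, gw.check(mac, dst, port)))
    return gw, verdicts

if __name__ == "__main__":
    for verdict in run(FLOWS)[1]:
        print(*verdict)
```

The thermostat's single unfamiliar destination only raises an alert, while the camera is isolated once its unfamiliar destinations exceed the threshold, all without any action by the device owner.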