IoT in the Home Requires a Complete Security Rethink

Written by

We're entering exciting times. Burgeoning technologies that were once stuff of science fiction look soon to become ubiquitous and commonplace.

We're excited in the advent of our smart technologies: smart devices in our pockets that keep us connected at all times via the internet; smart cars to get us to work with limited user interaction; and smart homes to take care of our heating, lighting, entertainment and security needs. Granted we're not there yet, there's still not a car that can drive fully autonomously on public roads.

Even Tesla are careful to qualify that their autopilot feature is still in beta phase of testing and won't be fully ready until it's accumulated a billion miles worth of data. To give that some perspective, that equates to driving around the Earth 25,000 times and is greater than the distance from here to Saturn.

Although the technology exists and the ability to utilize it has been about for quite some time, we're still not at a place where full large scale public adoption of smart technology reigns, particularly in the areas where our more traditional technologies reside (and where we do too) in the home.

Two notable mainstream examples pioneering home automation are Google with their Nest range of products and British Gas' Hive. The two were primarily developed for use in managing home heating systems, but are being expanded to incorporate a number of additional devices including smart lightbulbs, smoke detectors and security cameras.

As the market expands, popularity for these types of products will also undoubtedly rise, as will the requirement for their co-compatibility and interaction.

There is one glaring obstacle standing in the way of full commercial adoption and viability in the vision of the home of tomorrow – security, or to be more precise, the lack thereof.

Due to various factors, we've seen a recent upsurge in the number of attacks emanating from compromised IoT devices as well as compromise attempts of the IoT devices themselves.

Anyone involved in threat monitoring will attest to the recent increase in the number of compromised devices attempting attack against the low hanging fruit of insecure, internet-facing IoT devices, typically over services such as Telnet and sending default manufacturer authentication credentials.

The release of the source code for the IoT botnet 'Mirai' has contributed to the sheer volume of compromise traffic as well as the record-level throughput of recent DDoS attacks that have notably affected marquee names such as GitHub, Twitter, Reddit, Netflix and Airbnb following the multiple attacks reported against Network Services giant, Dyn.

Mirai was also reportedly responsible for the recent attacks on both Brian Krebs website as well as the French Service Provider OVH, marking record DDoS throughput levels previously unseen in the history of these attack types.

Bruce Schneier recently warned that escalating attack magnitudes were being actively tested and suggested that the scale of this type of interference could only serve a military purpose.

But where does this leave our home users? Recently, security researchers at Invincea Labs in Virginia discovered SQLi vulnerabilities in Belkin's WeMO home automation firmware that was used in all of their devices including light switches, light bulbs, coffee-makers, air-purifiers, heaters and even slow cookers.

The research also detailed that the attack could be leveraged to pivot to the Android devices running the WeMo control application, according to Scott Tenaglia at Invincea, “This is the first time anyone has discovered a way for IoT devices to hack your phone”.

The compromised WeMo devices allowed for “downloading Mirai-type malware” for creating a botnet.

Immediately we have insecure devices within the home, which assist in our every day running of appliances, and power and affect our utilities, that we almost take for granted and rely on as essential parts of our house and home. These are open to malicious threat actors who have the ability to easily compromise and utilize for whatever they desire be that as part of a DoS botnet or as a nuisance and inconvenience to ourselves and our families security both online and in the real world.

If manufacturers want us to buy in to their products and integrate them into our homes and daily lives, then it is essential that they themselves adopt even the most basic levels of security.

It's essential that they stop using what would be considered as insecure protocols on internet-facing devices, enforce password change policies in their start-up configuration wizards, check all input fields for unsanitized data and perform full security reviews before these products make it to market.

It's ironic that the Japanese translation for the IoT botnet name 'Mirai' means future, because without keeping one eye on security, the future of the Internet of Things within our homes remains very much undecided.

What’s hot on Infosecurity Magazine?