The Internet of Insecure Things
From home appliances to health applications and security solutions, everything we use at home – and outside of it, is getting connected to the Internet, becoming the Internet of Things (IoT). Think about how many connected devices you have at home: tablets, laptops, e-readers, fitness devices, smart TVs – how about your thermostat, light bulbs, refrigerator and security system? Our home has effectively become a connected home, with an average of 12 things connecting to our home Wi-Fi network, transmitting data and delivering added value. But as connected home appliances continue to grow, so too will the cybersecurity risks.
Consumers have been fast to adopt IoT devices on the promise that they can improve our lifestyles. These things track and optimize our energy consumption, facilitate our daily tasks, improve our health and wellness, keep us secure and empower us with the freedom and data to do other things better. But from a security point of view, this unregulated, insecure and fragmented market represents a clear and present danger to individuals and society as a whole, from the cyber to the physical realm.
To protect connected homes, a multi-faceted approach is recommended, combining a firewall blocking mechanism with machine learning and artificial intelligence to detect network anomalies. Millions of IoT devices are already compromised and we recommend communication service providers (CSPs) to initiate deployment of cybersecurity solutions today in parallel to their own R&D plans. By providing cybersecurity solutions through partnerships, they can begin to protect their vulnerable clients today and establish a market leadership position.
The declining costs to manufacture chips that can store and transmit data through a network connection have enabled thousands of organizations and startups to bring IoT products to market. But the current lack of standards and security certifications, coupled with fierce market competition to deliver affordable IoT products, have made cybersecurity an expense that manufacturers prefer others to deal with.
The lack of experience and incentives in the IoT supply chain to provide secure devices has created a tremendously vulnerable IoT landscape. In fact, according to recent findings by Symantec, IoT devices can become compromised within two minutes of connecting to the Internet1. Legislation has been too slow to deal with the current threat, and although there are public initiatives to drive cyber awareness among consumers, we do not expect any tangible changes soon.
There are many attack vectors and vulnerabilities to worry about in the Connected Home. From poor design decisions and hard-coded passwords to coding flaws, everything with an IP address is a potential backdoor to cyber crimes. Traditional cybersecurity companies reacted slowly and failed to provide defense solutions to the expanding universe of IoT devices. However, novel approaches with Artificial Intelligence and Machine Learning – such as analyzing and understanding network behaviors to detect anomalies, are now available to defend against these new threats.
With all its challenges and opportunities, consumer IoT is destined to disrupt long-established industries, making it a space one cannot afford to ignore. One such long-established industry is precisely the one powering the revolution: the CSPs providing the broadband. By and large, telecommunication companies have failed to monetize the data running through their home gateways, missing out in big opportunities. We believe that the connected home, especially cybersecurity, is a low-hanging fruit that communication service providers can and should pick before it’s too late.
Home security and safety-related appliances are top revenue drivers in the connected home landscape, and telecom companies are well positioned to enter this market and rebrand themselves as innovative and secure companies interested in the well-being and privacy of their customers. By leveraging their existing assets, such as the home router, telecoms can provide holistic solutions that include cybersecurity, data management and customer support – giving them a unique advantage over their competitors. Consumers would much rather trust their CSPs to continue managing their data than giving it away to foreign or unknown companies. It is time for Internet Service Providers to reclaim their value as a Service Provider, else they risk missing out in this revolution as broadband continues to become commoditized.
Stories of hacked IoT devices abound, a quick search online will lead you to scary stories, from spying Barbie dolls2, to TV sets monitoring you3 and creeps accessing baby cameras4. Most ironic and worrying of all are the security threats inherent in best-selling security systems, which can allow hackers to control the whole system, due to lack of encryption and sufficient cybersecurity standards5.
The cyber and physical risks intensify the more devices we connect: The volume of granular data that all these connected things generate when combined can provide a very detailed profile of the user, which can be used for identity theft and blackmail.
Once an unprotected IoT device gets hacked, a skilled hacker can proceed to infect other devices in the network via “lateral movement”. By jumping from one device to another, a hacker can gain complete control of a connected home. Because this threat comes from within the network, it is important to have a security solution that provides network visibility, creates device profiles and detects anomalies through machine learning and artificial intelligence.
There have been enough stories in the news for the average consumer to be aware of cyber threats, they know security is important and that they don’t have it, but they lack the resources to properly protect themselves. IoT manufacturers should be held accountable to prioritize security, but until that happens, the responsibility and opportunity falls on CSPs to protect the consumers.
What makes the IoT ecosystem a potentially deadly cyber threat is the combined computing and networking power of thousands of devices which, when operated together as a botnet, can execute massive Distributed Denial of Service (DDoS) attacks and shut down large swaths of the Internet through a fire hose of junk traffic. The IoT ecosystem represents a totally different level of complexity and scale in terms of security and privacy.
In October 2016, we got a taste of this structural risk when the infamous Mirai botnet attacked the DNS company Dyn with the biggest DDoS attack ever reported: more than 1 terabit per second (Tbps) flooded the service, temporarily blocking access to Netflix, Twitter, Amazon, PayPal, SoundCloud, New York Times and others. The Mirai botnet used enslaved IoT devices -nearly 150,000 hacked cameras, routers and smart appliances, to inadvertently do its criminal bidding, and most of the infected devices remain out there, with their users oblivious to the fact.
The way Mirai malware spreads and attacks is well known: it scans the web for open Telnet and SSH ports, browsing for vulnerable devices using factory default or hard-coded usernames and passwords, then uses an encrypted tunnel to communicate between the devices and command and control (C&C) servers that send instructions to them. Since Mirai uses encrypted traffic, it prevents security researchers from monitoring the command and data traffic.
The source code for Mirai was posted soon after on the Hackforums site6, enabling other criminals to create their own strains of the malware. It is not necessary to have an “army” of thousands of infected devices to cause harm. Mini-DDoS botnets, with hundreds of compromised nodes, are sufficient to cause temporary structural damage and reduce the chances of getting caught -expect more of these attacks in the future.
Capturing vulnerable devices to turn them into botnets has become a cyber crime gold rush, with an estimated 4000 vulnerable IoT devices becoming active each day7, and criminals selling and renting botnets in the dark net at competitive prices to cause harm. Although simple to understand, this sort of malware is hard to detect because it does not generally affect device performance, so the average user cannot know if their device is part of a botnet – and even if they did, it’s often difficult to interact with IoT devices without a user interface.
Stakeholders should take proactive steps that can prevent future incidents by addressing the lack of security-by-design in the IoT landscape. The Mirai malware was a warning shot, and organizations must be prepared for larger and potentially more devastating attacks. Because of market failures at play, regulation seems like the only way forward to incentivize device manufacturers to implement security in their design, but doing so could stifle innovation and prove disastrous to the ecosystem. It is because of this delicate balance that we believe service providers are perfectly positioned to seize this problem as an opportunity to become market leaders in the emerging field of IoT cybersecurity.
The frequency of cyber threats is increasing as the IoT landscape continues to expand. Gartner predicts that by 2020, addressing compromises in IoT security will have increased security costs to 20% of annual security budgets, from less than one percent in 20158. The threats to consumers and society are numerous, but joint cybersecurity and cyber-hygiene efforts by manufacturers, legislators, service providers and end users, will mitigate the inherent risks discussed in this paper.
Until that happens, service providers are uniquely positioned and encouraged to begin offering cybersecurity services to their consumers through their home gateways: the main door of the home network. Communication Service Providers that provide home network security and management solutions today can become the preferred brand for Smart Home solutions and appliances, leading IoT market adoption while preventing the cyber risks associated with it.
Netonomy has developed a solution that is available today for service providers interested in providing a layer of security to their consumers and become a trusted market leader in the emerging IoT landscape. Because it is cloud-based, this solution can be instantly deployed across thousands of routers at a low cost and bring immediate peace of mind to consumers.
Netonomy provides a simple, reliable and secure network for the connected home. Through a minimal-footprint agent installed on the home router, we provide a holistic solution to manage the connected home network and protect it from internal and external security threats. Our unique technology can be deployed on virtually all the existing home gateways quickly and at a minimal cost, providing ISPs and router manufacturers with better visibility into home networks and a premium service that can be sold to customers to make their connected future simple, reliable and secure.