|Ring home security cameras have been at the center of several high-profile cyber attacks. But they highlight an issue among many different smart home devices. (Image source: Ring)|
Cybercriminals are attacking IoT devices, including smart home devices, with very little technical resistance. Far too many devices are easy targets – lacking basic, fundamental security solutions.
Smart home devices, from Ring doorbells and cameras to smart refrigerators and TVs, and now even Smart Toilets, have emerged as a rapidly expanding multi-hundred billion dollar/year worldwide market. With IoT devices now present in approximately a third of U.S. homes, cybersecurity risks are growing for the average consumer.
Such risks are not just theoretical. Recently, Ring doorbells and cameras have suffered from several high-profile cyber attacks, including, in one case, a Ring camera in the bedroom of an 8-year-old girl that was accessed by a hacker who instructed the girl to mess up her room and to call her mother by racial slurs. In another case, a hacker told a young girl that he was Santa Claus and taunted her through the camera.
Stories of hackers harassing children are shocking and, as such, quickly gain headlines. These attacks show how vulnerable our privacy has become with the growth in smart home devices in contrast to their failing security measures.
And the concerns even go beyond privacy. IoT botnets frequently conscript smart home devices, weaponizing them into DDoS attacks, using them to send massive amounts of spam emails or to perform crypto mining. Other attacks have resulted in loss of personal data including financial information and WiFi passwords. Worse still, cyber attacks can escalate into physical threats. Criminals can monitor security cameras to determine when homeowners are absent and hacked door locks could allow easy entry for someone looking to steal more than just data.
Ring doorbells and home security cameras are far from the only smart-home device to have suffered from a cyber attack. Appliances are vulnerable as well. One of the first recorded botnet-infected appliance incidents occurred during the holiday season in late 2013 when, according to Business Insider and Proofpoint, a refrigerator-based botnet was used to attack businesses. Unlike most malware attacks, this Botnet did not attack the host it infected but instead served to out waves of DDoS attacks that were used to cripple businesses.
A slew of smart-home devices have been found to be vulnerable, including smart light-bulbs, smart locks, smart toilets, and baby-monitors. Despite waves of recent legislation that mandate higher levels of security, it does not seem likely that these security problems will be resolved any time soon.
These breaches show that devices require higher levels of security and that the use of static credentials is inherently flawed.
The Never-ending Battle of IoT Security
The Ring breach is not the first example of weak static credentials resulting in an IoT hack. The Mirai botnet, which used default passwords to access a variety of IoT devices, is the poster child of IoT hacks exploiting weak credentials. Static credentials (usernames and passwords) place undue burden on device users and are increasingly inadequate when advanced authentication technologies, available today, would inherently prevent such hacks.
We have moved beyond the introductory days of the IoT to mass deployments. It is no longer acceptable to sell and deploy connected devices, from cars to smart doorbells, with weak or nonexistent security. In light of damaged consumer confidence and increasing safety risks, it is critical that IoT device manufacturers begin taking security seriously and build comprehensive security technologies into their devices.
The state of California and the European Union have already enacted legislation requiring greater levels of security for IoT devices, and many other jurisdictions have pending legislation. In addition, industry consortiums and government regulatory bodies, such as the FDA, have begun to define cybersecurity requirements for IoT devices in specific vertical markets.
Keeping IoT devices and information safeguarded from cyber attack is not simple and will never be perfect. It’s an ongoing evolutionary battle. Cyber criminals are always improving their methods and developing new, even more clever attack tactics. However, staying current with cybersecurity best-practices and using proven security solutions provides a strong foundation for protecting devices from cyber attacks.
Home Security In The Age of IoT
To protect homes and businesses from cyber attacks, any and all connected devices must include a range of security features that protect the device from a variety of attacks, protect the integrity of the device, and enable “device identity “—so that any connected things can be authenticated to safely communicate via the internet using encryption. There are a variety of industry proven and tested IoT identity and integrity solutions that provide IoT manufacturers with highly effective techniques and protocols for authenticating and securing connected devices.
They can include:
Secure Boot. Provides embedded software APIs that ensure software has not been tampered with from the initial “power on” to application execution. It also lets developers securely code sign bootloaders, microkernels, operating systems, application code, and data.
Secure Remote Updates. It’s important to validate that device firmware has not been modified before installation. Secure remote updates ensure components are not modified and are authenticated modules from the OEM.
Secure Communication. The use of security protocols like TLS, DTLS, and IPSec adds authentication and data-in-motion protection to IoT devices. By eliminating sending data in the clear, it is much more difficult for hackers to eavesdrop on communications and discover passwords, device configuration, or other sensitive information.
Embedded Firewalls. By working with real-time operating systems (RTOS) and Linux to configure and enforce filtering rules, embedded firewalls prevent communication with unauthorized devices and blocking malicious messages.
Secure Elements. OEMs and medical device manufacturers should use a secure element, such as a trusted platform module (TPM) compliant secure element, or an embedded secure element for secure key storage. Secure key storage enables secure boot, PKI enrollment using key pairs generated within the secure element, providing very high levels of protection from attacks.
Device Identity Certificates. Adding digital certificates to devices during manufacturing ensures that devices are authenticated when installed on a network, as well as before communicating with other devices in the network—protecting against counterfeit devices being introduced into the network.
Alan Grau has 30 years of experience in telecommunications and the embedded software marketplace. Alan joined Sectigo, a leading Certificate Authority and provider of purpose-built PKI management solutions, in May 2019 as part of the company’s acquisition of Icon Labs, where he was CTO and co-founder, as well as the architect of Icon Labs' award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security. More info about cybersecurity and protecting the cloud can be found at https://www.sectigo.com.