The list of consumer devices which are intended to be connected to a local network and thus to the Internet grows every few days. They include the iconic ‘smart’ fridges, thermostats to control your heating, washing machines and driers, video monitors, smoke and gas detectors, dishwashers, power plugs, lighting, door locks, fans, garden sprinklers, garage doors, ovens, and more. Previously very unusual, sales of smart thermostats alone totalled over 3 million in 2014, in the US and Europe, and are growing exponentially.
Grounds for distrust
Yesterday I drew attention to the lack of security standards covering such consumer products. Browse even the more informative sites such as Nest’s and there is remarkably little information offered. Clearly as consumers we are expected to place complete trust in the vendor, that there are and never will be any security issues.
Rapid7’s recent analysis of baby monitors is a valuable reality check here: it states “Not all IoT devices suffer from all of these software, firmware, and hardware issues, but it is rare to find an IoT device that doesn’t exhibit at least one critical failing.” That report then proceeds to detail ten newly-discovered security vulnerabilities in seven different baby monitors from six different vendors.
As I will discuss later, one of the critical links in most ‘smart’ devices is that which enables you to inspect or control a remote device via the Internet. Currently this step usually involves the device connecting to the vendor’s servers, and the user connecting to those servers to obtain information or change settings. This is how Nest users can increase the setting on their thermostat when they are on their way home, for instance.
From a potential attacker’s point of view, a single consumer IoT system or network is not particularly attractive, compared with the millions of systems which could be attacked through the servers. Yet Rapid7 found that three of the six vendors’ websites contained vulnerabilities that could be exploited by an attacker to gain access to the information from devices, or even devices themselves. A fourth vendor appeared to be uncontactable via the web at all.
Exposing consumer systems via web servers is an open invitation to attackers. To date, the industry record on the security of exposed servers is appalling. If you have any doubts, think of the two words “Ashley Madison”. Or the US Office of Personnel Management, Anthem, Sony, Staples, Home Depot, Adobe… Those are just the largest and most recent, too.
Even if you are fortunate enough to find a vendor whose own security is faultless, and whose devices are robust and never hacked, installing and using a ‘smart’ device may force you to compromise your own network security. Few such devices rely on wired connections to your network; most use WiFi to connect to a standard WiFi router.
However even established and mature products are likely to require that your WiFi network advertises its presence by broadcasting the SSID, and will not work with Enterprise WPA2 security as implemented by a RADIUS server, for example. If you have read my introduction to wireless security, you will understand the dangers inherent in the first, even though very few consumers are ever likely to use Enterprise WPA2.
So perhaps it is best to leave these ‘smart’ devices well alone, and keep technology, economy, and convenience out of the home, until the issues are addressed? The fact that you are reading this is good enough evidence that you are not going to be content with that.
A better option, if you can afford it, is to put domestic ‘smart’ devices on a completely separate network, and connect them through a separate router to the Internet. This would limit the damage resulting from an intrusion: if an attacker managed to gain control of that network, they would still be unable to gain access to your computers. Unless you already have two Internet connections, that is unlikely to be feasible.
It is possible to operate two virtual networks, sharing the same Internet connection, but the fact that they would be physically connected means that this might slow but not stop an intruder. It is probably not worth the additional complexity.
So you are most likely to put your ‘smart’ devices on the same network as your computers, and for them all to share the same Internet connection. Using that model, the questions that you need to ask of any vendor offering you a ‘smart device’ include:
- Which operating system does it run? Are security and other updates pushed out to it, and how? How long will that OS be supported?
- How does it communicate within the local network? Does it only connect with a WiFi base station, or does it operate its own mesh network with other smart devices? What security standards apply to local communications?
- How does it communicate with the Internet? What security standards apply to remote connections? Does its use open up any part of your firewall or other potential point of vulnerability?
- How secure is the remote server?
- How secure are the apps provided to enable you to access the smart device remotely?
- What vulnerabilities have been discovered and how has the vendor responded?
These may seem excessive, but are all issues which we (should!) consider before allowing any new device to connect to our networks. Any vendor who is unable to provide that sort of information – or patronises us by glossing the whole issue over – should make you most reluctant to buy their products.
In the light of recent product announcements, there is an additional question which you should always ask: what does the product actually do, and is it limited to just those features? If there is intention to add features and functions in the future, then you should know what sort of thing is involved. Or the smart device could be nothing less than a smart Trojan horse.
If you think this is scaremongering, visit BuildItSecure.ly, a site aimed at helping product developers to produce more secure products. Although there is little here to directly help the consumer – no information about which products are more or less secure, for example – it is worrying how bad the situation seems to be among vendors.
Rapid7’s report is here, and well worth reading in full.