Security of the Internet of Things in the home

Published in

Keylogged

11 min readFeb 15, 2017

Written by: Matt Lewis

By now we’re pretty familiar with the term ‘Internet of Things’ (IoT) and can’t escape its prevalence within technology and even mainstream news.

There are various estimates on the projected growth of IoT devices over the coming years, with Gartner suggesting there will be a possible 25 billion devices by 2020 [1].

Many of these will be in our homes, performing a myriad of different functions aimed at automating, enhancing or rendering more efficient aspects of our daily lives.

In this post we set out the current state of play with regards to IoT in the home, looking at the current security threats and touching on real-world examples to show how and where things can go wrong.

More importantly, we look at emerging standards and best practices in this sector and how these might help improve the security of IoT in the home.

We finish with pragmatic advice for IoT home device manufacturers on what they can and should do to maximise security assurance in their products.

We also provide advice to the consumer on what security assurances they should seek when buying IoT and what actions they can take to minimise the risk to their homes, personal safety and privacy.

IoT in the home — potential threats

Depending on the IoT device, the nature of what it does and the information that it processes, there are a number of different potential threats to the home and its occupants

Threats to physical safety

Many IoT devices in the home take part in so-called ‘home automation’ activities and interact with physical world components to make life ‘easier’.

However, depending on the nature of the physical world interaction there could be the potential for actual physical safety threats.

For example:

IoT kettles & coffee machines — the ability to turn these devices on remotely, perhaps when they don’t have water in them might result in the heating element becoming too hot with the potential to start a fire
IoT smart meters & thermostats — depending on the level of integration of smart meters with the gas/electricity supply in a household, remote access to these might give a hacker the opportunity to tamper with temperature levels to dangerously low or high values that could, for example, affect the health of elderly or unwell occupants, or in extreme cases start a fire or gas leak
IoT lightbulbs — remote access to these devices might allow for on/off switching which could affect the personal safety of occupants suffering from poor eyesight for example
IoT washing machine — the ability to remotely overload the spin or door control of these devices could cause flooding and/or physical eruption of the machine, which could be dangerous to occupants in its vicinity
IoT oven — the ability to remotely tamper with oven controls might result in a dangerous gas leak
IoT door lock — the ability to tamper with IoT door locks could affect the safety of occupants living in dangerous neighbourhoods or might be used to deliberately lock them in their own homes/rooms for nefarious purposes. Previous research by others has shown the potential issues with such devices [2]

While the examples above may seem extreme, under certain conditions, these seemingly harmless types of IoT device, if compromised, might put personal safety at risk.

Threats to privacy

Many devices designed for use in the home collect and process data, often in the cloud. Depending on the nature of data captured and how it is processed, there could be serious privacy implications.

For example:

Smart TVs & toys that capture human speech for some sort of control or interaction with the underlying device — Internet-connected TVs were deemed to be breaching consumer privacy rights by recording private conversations without consent [3]. Similarly, some toy manufacturers might also be in breach of privacy laws due to their recording, processing and possible storage of children’s conversations [4]
Terms of Use — Many IoT home devices require initial registration of an account by the end-user, and acceptance of some sort of End User License Agreement (EULA). Often these EULAs are long and in small print and not scrutinised by the consumer before acceptance, yet in many cases they set out the possible personal nature of data that their devices and systems intend to collect, process and store
Health monitoring & tracking devices — While not strictly for the home, many IoT health tracking devices record health data and GPS location if used as part of exercise regimes, e.g. fitness trackers [5]. Any exposure of an individual’s GPS location could have privacy implications for that individual
IoT home image/video recording devices such as CCTV cameras –There is a real-world example of where a simple plug-and-play home CCTV Internet-connected camera was actually part of a global P2P network, while the P2P functionality couldn’t be disabled [6]. The potential privacy impacts with devices that work in this way are huge where imagery/video of people’s private, personal space is concerned.

Threats to availability (of home IoT devices and the Internet at large)

The increase in IoT devices will inevitably increase our dependence on those devices and should we find such equipment unavailable due to security compromise, then the issue of availability is very apparent.

We’ve seen a growing rise in ransomware affecting laptops and servers over the past few years; it is possibly only a matter of time before we see similar ransomware attacks targeting IoT devices in the home.

If we’re truly dependent on many IoT devices and have no alternatives, are we likely to pay the ransom demanded?

A larger issue around availability of the Internet at large is also relevant here. The reader may recall the Mirai botnet Distributed Denial of Service (DDoS) attacks at the tail end of 2016 [7] which affected many core Internet services.

Simply, the attacks were leveraging compromised access to over 100,000 IoT devices such as security cameras in order to overload DNS (and other website) services.

Since the attacks the Mirai botnet source code has also been released on the Internet, making it likely that future attacks in this domain will present themselves.

Why are IoT Home devices commonly vulnerable?

It is useful to understand the reasons for how and why security issues and vulnerabilities manifest themselves in IoT devices intended for use in the home. Non-exhaustively these reasons include:

Manufacturers often need to be quick to market — Security is often an afterthought and so when timescales are tight, products are commonly released having undergone little to no security assurance testing
Ease of use — Many IoT home devices lack the luxury of a full screen and keyboard interface for interaction, requiring intuitive use of minimal buttons or actions for operation. Embedding security into such restricted interfaces can be difficult and is often seen as a barrier to ease-of-use, and so is commonly omitted
Small form factors and limited capability components — Many IoT home devices are designed to be as small as possible and often comprise components with limited capability. For example, chipsets and memory that have weak upper limits on the strength of encryption that they can support. These upper limits may not (and commonly are not) in line with current best practice and are exploitable through known and existing vulnerabilities
‘Out of the box’ does not mean ‘secure out of the box’ — It is not easy to ship tens or hundreds of thousands of the same device with unique, default passwords. Most IoT home devices that employ some level of authentication tend to ship with the same default credentials, which are often easily guessable and seldom changed by the end-user. If the process of changing the credentials is either impossible or non-obvious then the credentials typically remain in their default state, potentially exposing the underlying device to unauthorised access when connected to the Internet. This is indeed one of the reasons why the Mirai botnet grew so large and so quickly
Lack of, or vulnerable, secure update mechanism — If/when security vulnerabilities are identified in home IoT devices, fixing the vulnerability and ensuring successful update to all affected Internet-connected devices may not be an easy task. Entrusting the end-user to periodically check for and install updates on their myriad of IoT lightbulbs and home automation devices is not really feasible, so some level of periodic automatic checking and update mechanism is required, yet how, and when to notify the user? I.e. updating the firmware of a household full of Internet-connected lightbulbs would likely require the lights to be turned off for a period of time. Should this happen automatically, or should the home occupants be somehow informed — if so, how, by email? Additionally, many firmware update functions in IoT home devices have been shown to be exploitable in ways that allow attackers to upload modified, possibly back-doored or malicious versions of the firmware. Again using connected lightbulbs as an example, how might an end-user ever know that their IoT lightbulb was back-doored or compromised and being used to take part in a global DDoS attack against critical Internet systems?

The points above are echoed in the findings and presentations from the DEFCON 24 security conference in 2016.

Some 47 new vulnerabilities affecting 23 devices from 21 manufacturers were disclosed during the IoT security talks, workshops and onsite hacking contests.

“The types of vulnerabilities found ranged from poor design decisions like the use of plaintext and hard-coded passwords to coding flaws like buffer overflows and command injection [8]

Recommended manufacturer actions

Despite reasons for the security issues mentioned above, there is still much that IoT home device manufacturers can do to reduce risk, improve the safety, security and availability for end-users and assure their privacy.

The core recommended actions for IoT home device manufacturers are:

Engage in ‘Privacy by Design’ for IoT products designed for use in the home that process personal information. This includes performing Privacy Impact Assessments (PIAs) which are used to identify and reduce privacy risks in projects. PIAs help design more efficient and effective processes for handling personal data [9]. Such engagement will also support GDPR compliance
Implement a Secure Software Development Lifecycle (S-SDLC) — this essentially involves baking security into products by design, and challenging/testing/validating security assumptions and functions throughout the product lifecycle. It starts with threat modeling of a system to understand all of its data flows and potential vulnerability areas; from this model it is then possible to understand mitigations to be built into products to address the security threats identified
As part of an S-SDLC and post-product release, engage in regular security testing and make sure there is an incident response plan detailing the process for handling and addressing any incoming vulnerability reports pertaining to the underlying device
Adopt existing and/or develop in-house secure standards. Currently, standardisation across IoT is still in its infancy and without any mandate, intervention or incentive to engage [10], standardisation in this realm may take some time. Nevertheless, manufacturers should seek to follow secure guidelines for consistency and general best practice. Examples of existing standards and guidance can be found in [11], [12], [13] and [14]

All of the above will help manufacturers truly use security as a differentiator for their products and will help build consumer confidence in the security of the underlying device or ‘thing’.

Recommended consumer actions

The consumer also has a role in protecting themselves when using IoT home devices. While certain security features or configuration options in IoT home devices might not be obvious or intuitive, consumers should take the time to fully understand the products that they’re using and the functions available for maximising security. To minimise risk, non-exhaustively, consumer should:

Purchase IoT home devices from well-known, reputable manufacturers and stores — there are many IoT home device manufacturers globally, some more well-known that others. While an unknown manufacturer is not necessarily indicative of a producer of vulnerable devices, it is more the case that a well-known vendor is likely to have a more proven track record of security functionality in their products and/or at least the capability to react to and remediate security vulnerabilities reported in their products. I.e. buying an unbranded CCTV IoT camera manufactured by an unknown entity may not be the most secure choice
Be careful when registering accounts to use with IoT home products. Many IoT home products require some form of account creation to tie the device to an identity and to allow for some form of cloud-based login to view data associated with the IoT home device. Consumers should choose strong and unique passwords for these accounts, and should read carefully the terms of use and licensing agreements (including the small print). Quite often the small print will reveal how any captured data (personal or otherwise) will be processed by the manufacturer/vendor; any privacy concerns at this point should be addressed with the manufacturer before proceeding
Read all documentation that comes with the device to understand security configurations — this might include understanding how to change default passwords to more secure, unique passwords, and possible additional security controls that aren’t enabled by default, but would provide enhanced security and privacy if enabled
Ensure the home Wi-Fi router is secure. Any compromise of a home router might suddenly provide attackers with a foothold onto the entire home IoT network, therefore securing the home router is paramount. This includes setting a strong pre-shared key for authenticating devices to the network and ensuring that the default router administration web page is protected by a strong, unique password, and not the typical admin/admin username/password combination that home routers often ship with. Modern home routers often provide other security configurations such as MAC address filtering to register known devices on the network and also firewalling. While a lot of this might seem complicated to the non-technical, it is recommended to utilise these security features where possible
Turn off any IoT devices when not in use. While many IoT home devices may legitimately need 24/7 online access, many won’t. As such, turning off devices that are not in common use is an easy way to minimise possible exposure to attack (if it’s not on, it can’t be hacked) in addition to minimising energy use thus supporting green initiatives
Understand how IoT home devices might be periodically updated to cater for security fixes. Perhaps there are web interfaces to the home devices that allow for forcing software update checks and download. Where feasible, consumers should aim to do this on a fairly regular basis

How NCC Group can help

NCC Group has a wealth of experience in IoT security. We work with IoT manufacturers at all stages of development, from secure product design through to security testing of final products.

We have published guidance in this domain [11] and regularly speak at international conferences and seminars on IoT security and best practice.

Our IoT consultancy and testing spans all aspects of the IoT ecosystem, from low-level hardware secure design and testing via our specialised hardware lab [15], to cloud-based testing of web services that consume and process hundreds of thousands, to millions of IoT device events, and everything in-between.

We also work with manufacturers on implementing and/or improving their Secure Development Lifecycles, while we also work with those needing assistance with incident response and how to triage and remediate incoming reported vulnerabilities in IoT products and systems.

If you’d like more information about the security of IoT devices in the home, our experts will be on hand at Mobile World Congress 2017: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/events/2017/february/mobile-world-congress-2017/