Sometimes it takes a monumental event for an industry to change. The Target hack during the holiday season of 2013 – in which some 40 million credit card numbers were stolen – changed people's attitudes about security forever. And the same holds true with the attack on DNS provider Dyn last October: Internet of Things (IoT) devices were compromised and turned into bots that slowed access and, in some cases, shut down frequently visited websites such as Amazon, Twitter and PayPal.
What was different about the Dyn attack was that for the first time the general public finally understood what IoT meant and why securing home networks and connected devices was important. Many people now understand that hackers can hijack their home networks to launch more sinister attacks on the internet, taking down websites or disabling their home control systems.
Worse still, with more people using work and home devices interchangeably, a compromised home network can infect an office network as easily as a compromised corporate network can damage a home network. So now, everyone – from security managers and large companies to casual home users – must come to grips with the reality that security holes in connected devices can take down entire office buildings, factories and even the smart grid.
The Z-Wave Alliance has been focused on IoT security since connected devices started running on home networks a decade or more ago.
And while the general media continues to publish such scare stories, behind the scenes a broad cross-section of industry has taken some serious steps to secure connected devices.
“There's no question that everyone in the chain – manufacturers, retailers and consumers – have to do a better job securing connected devices,” says Craig Spiezle, executive director of the Online Trust Alliance.
“After all, Graco or Fisher-Price wouldn't sell a baby crib that would hurt a baby's head,” he says. “The same holds true for manufacturers of connected devices. They have to do a better job building security into their products. Some major retailers are now looking at how to promote security and privacy as benefits to consumers. And the National Association of Realtors (NAR) is working on efforts to educate realtors, homeowners and home builders of the security issues inherent in connected devices.”
Mark Lesswing, SVP and CTO of the NAR, says the trade group now works closely with manufacturers as they develop connected devices. IoT manufacturers send their products to the NAR's Center for Realtor Technology in Chicago where they test devices and look for potential security flaws.
The NAR also offers continuing education courses on home security for realtors who have passed their state real estate exams. The courses are mainly security designations and certifications.
“So much of what we need to do is to get this information about securing smart homes into the hands of consumers,” Lesswing says. “While we deal with existing housing stock, we do hope to work more closely with the National Association of Home Builders to spread security information to new homeowners.”
Been there all along
The general narrative around the time of the Dyn attack was that manufacturers by and large didn't build security into their products and that too many producers of connected devices didn't offer even basic password protection or instructions on how to secure these devices. Another problem surrounding IoT security was that many of these connected devices, such as light bulbs or webcams, were installed five to 10 years ago, long before concerns over IoT security became more widely expressed.
While all that's somewhat true, some manufacturers have built security into connected devices for the better part of five years or more.
George Yianni, head of technology for home systems at Philips Lighting, says the company's Philips Hue line sets up a secure tunnel to the Philips cloud right from a bridge that's placed in the home.
“We don't even use default passwords because we don't want consumers to modify the system and we also don't open any ports,” Yianni says. He explains that when ports are opened up, the settings can be changed and opened up to the internet. That's what happened in the Dyn attacks.
“The recent attack has made everyone a lot more aware of how consumers keep home networks safe,” Yianni says. “With our Hue products, the traffic runs from our bridge directly to the cloud, so the home network's exposure is minimal. There's no possible way an attacker can get in to run a DDoS attack.”
Brad Hintze, senior director for product marketing at home control company Control4, says the company's products have been running a secure tunnel from a home controller to the Control4 cloud for more than five years. Control4 is a platform for controlling multiple connected devices in the home – including lighting, HVAC, audio/video and security. Today, more than 300,000 homes run Control4, the vast majority of these being new homes.
Hintze says Control4 starts by telling all its integrators to change the default password and not to do port forwarding. “An early practice in home networking was to open a port so the router would forward the traffic to a connected device,” Hintze explains. “The problem with that is that hackers would scan for open ports and connect to those ports. As technology has evolved, more secure approaches have become widely available, replacing port forwarding.” Control4 also instructs its integrators to keep the firmware up to date.
Jeremy Fitch, a programmer at Beyond HiFi, a Control4 integrator in Bellevue, Wash., says his firm does annual milestone updates for customers, as well as two to three support updates a year. “We set the passwords and explain all the login information to the homeowners,” Fitch says. “We also offer remote access where we can remotely manage devices for the customers.”
The enterprise angle
While much of the discussion around IoT security revolves around home networks, concern about connected devices has come to the enterprise. That's why some vendors are starting to respond to the need of companies to manage connected devices more effectively.
Cloud security provider Panda Security and data analytics company Logtrust have integrated their products in a way that lets security managers visualize all the executables a connected device brings on to the network. The new product, Adaptive Defense, also only sends out alerts to confirm an incident as opposed to sending alerts every time a suspicious event takes place.
“If something looks suspicious, Adaptive Defense and the Panda Security analysts will resolve it and will only notify the security manager to confirm that some bad code was found,” says Josu Franco, strategy and technology advisor for Panda Security. “This is a really important point because so many companies can't find enough people to handle all the incidents. So, by automating and offloading the investigation of suspicious files, it goes a long way to lightening the load for the security staff.”
Franco adds that with all the devices people use today there's no way security managers can keep track of all the executables on the network. Without a solution like Adaptive Defense or something similar, companies are likely to be overwhelmed by all the devices they have to manage today, he says.
So, whether it's for the home or at the workplace, people need to look at the connected devices they are using and consider how they are being secured. All types of consumers need to ask to what extent security was built in, whether the manufacturer has left instructions on how to update default passwords, and whether the devices use default passwords in the first place. On the home front, consumers need to, at minimum, change the default password on their router. And at the office, security managers must seek out tools that can help them more effectively manage all the connected devices – whether they are used at work during office hours or at a worker's home – where the IT staff has less control.
Moving forward, users need to ask more questions about their connected devices, deploying only the most trusted of brands. And, above all, device owners must stay vigilant, because it's just plain scary that offices and homes can be used as a launching pad for an attack that can take down important websites, factories or transportation facilities.