By: Gagan Singh, Senior VP & General Manager Mobile, Avast.
The number of smart devices entering people’s homes is expected to grow to 38.5 billion by 2020, according to Juniper Research, and include everything from smart speakers to smart washing machines, designed to make lives more convenient. Smart devices, unfortunately, also come with potential security vulnerabilities that can put their owners’ data and homes unknowingly at risk, as well as harm businesses. Securing the individual Internet of Things (IoT) devices is challenging, due to the diversity of devices and systems they run on. There is a central point in the home controlling the flow of data transmitted by any device connected to it: that central point is the home router. According to research conducted by IHS Markit, the percentage of Wi-Fi home gateways or routers provided by broadband providers is expected to rise to nearly 90% by 2019. A collaboration between broadband providers and security vendors, therefore, forms a powerful relationship giving control back to consumers, so they can secure their smart homes and devices in a simple and efficient way.
Risks consumers face
Attackers can penetrate any smart device through the home network if its entry point, the router, is not properly secured, which can result in a wide variety of attacks.
IoT is an example where cybersecurity weaknesses can give way to physical security threats. Case in point, physically, hacked IoT devices can give attackers insight to when someone is home or not, depending on the devices used. If a home’s smart thermostat or lightbulbs are programmed to behave differently for a week or two, attackers can suspect the owners are on vacation or at work and, for example, burglarize the home. Another way criminals can abuse smart devices to physically break into a home is through a Amazon Alexa or Google Home device. Criminals can easily give a vulnerable smart speaker the order to open the front door, for example, and if the front door’s lock is based on smart technology, it could open the door for the criminal.
An often neglected risk when it comes to IoT devices is the possibility of personal data leakage, as well as the tracking of movement of devices. Consider how much information an IoT device can collect: webcams can see whatever they are pointed at, smart TVs and personal assistants can pick up sound, and smart light bulbs and thermostats can give clues to whether or not someone is home.
Hackers don’t need to hack a company’s server to gather information, instead they can go directly to the consumer’s device. IoT search engines listing vulnerable devices that can be tapped into are freely available on the internet. If a hacker gained access to all or most of the IoT devices in someone’s home, they can track their movement, listen in on private conversations and then potentially carry out a targeted attack against this person, or sell the information they collect, such as personal data or financial information like bank account details or credit card information for others to abuse.
Risks telecommunications providers and others face
One of the most common threats currently targeting IoT devices goes largely unnoticed by the consumer, but can have considerable negative impact on broadband providers and other companies. The enslaving of smart devices to act as bots in a botnet, allows cybercriminals to use infected devices to perform various attacks, including distributed denial of service (DDoS) attacks that take down servers.
Cybercriminals use DDoS attacks to make a network unavailable by overwhelming the targeted machine with massive amounts of requests sent from multiple devices. This overloads the target, clogging its bandwidth and thus making legitimate connections impossible. For the user, DDoS attacks can easily go unnoticed as they run in the background. However, they can cause enormous damage to companies. An example of this is the botnet that targeted Dyn servers and took popular sites like Twitter and Reddit offline in 2016.
Just a few months after the DDoS attack on Dyn, German telecommunications company, Deutsche Telekom, was targeted with a DDoS attack. The attack took down routers belonging to 1.25 million users, cutting off their internet connection for several hours.
Solving the smart device security threat challenge
Device manufacturers are under pressure to produce smart devices and deliver them to market quickly, at an affordable price. They either don’t view security as a priority or are not sufficiently familiar with security, which means they ship weakly secured and vulnerable devices that often cannot be updated by the consumer. A toaster manufacturer, for example, who may now be producing smart toasters, never had to think about securing them from hackers before.
Adding security solutions on top of smart devices, like refrigerators or thermostats is complex. Due to the high diversity of devices, security vendors need to develop a solution for each platform. Furthermore, IoT device resources are limited and these resources are already fine-tuned to perform a specific task. Adding a security solution to smart devices would therefore potentially ruin device performance and negatively impact the customer experience. As most smart device data is streamed over the network, network-level protection is the most sensible solution to protecting IoT devices.
The current approach to securing IoT devices is more ‘do it yourself’ than a properly architected approach – a massive gap which is creating a huge opportunity for cybercriminals. Consumers, for example, can take basic measures to secure their smart devices, but there simply aren’t enough options available to give them full protection at the moment. Additionally, when it comes to implementing the available manual security options, from thirty years of experience in the security industry, we know that the majority of users are inconsistent at taking the basic steps such as updating their firmware or default passwords. If users do choose to take them, the measures they can take are often limited.
Regulators can enforce industry standards and laws which manufacturers have to abide by, yet, even if laws are created, they are often not enough to protect consumers. With today’s speed of evolution in technology, it is nearly impossible for regulators to keep up with the creation of new laws in the practical sense.
Telecommunications providers and security vendors are the two players that have an important role in IoT security. Working together they can solve the consumer’s challenge of how to easily secure their home network and devices. Broadband providers are in a strong position to provide security as they often provide the router, the networks carrying user data, and power the connection on the user’s everyday devices. Furthermore, they have the power to build safe infrastructure and networks, enabling users to trust the security of their connection.
Security vendors, on the other hand, can look at data streaming through the network, and use machine learning technology and artificial intelligence to understand the data, to identify anomalies and block them. Solutions built on AI technology can constantly learn typical behaviour and usage patterns of smart devices. As a result, security solutions can identify hacks as they happen and take action in real time, when anomalies occur in a smart home’s traffic. The key to successfully doing this lies within big data, so the more data and insights a security vendor has from their customer base, the better their solutions can detect never before seen threats.
As telecommunications providers work together with security vendors, they can build trust with their subscribers and provide them with a fundamental security platform built on the router to keep connected homes secure from attacks. This type of solution provides subscribers with transparency of activity on their homes’ network, giving them remote control of home devices to, for example, allow them to switch off the stove or thermostat. This can be enhanced with parental control features, ensuring kids can only access content appropriate for them, monitoring and managing their mobile device usage behavior.
With the number of IoT devices growing exponentially along with the threats targeting them, it is imperative broadband providers and security vendors work together to provide customers a simple and robust solution protecting their digital life.