
Showing posts with label Internet of Things. Show all posts

Friday, November 17, 2017

Securing the smart and connected home

Billions of smart devices have at least one external connectivity interface which potentially becomes the entry point for cyber attackers to bring down the entire system.


Smart devices including mobile terminals, wearables and all kinds of sensors, smart nodes and platforms with connectivity and critical information processing capabilities are fast growing into billions of pieces. These billions of smart devices have at least one external connectivity interface which potentially becomes the entry point for attackers to bring down the entire system. Smart home is one such example of a connected system with intelligence.
To prevent attacks, a robust, market proven and certifiable hardware security solution becomes a key ingredient of such systems that communicate and process critical or sensitive information. Here we look into the various security threats in connected smart home devices and discuss the necessary security measures that should be utilised, in particular leveraging on the values of hardware trust anchors. We will also present specific use cases on Smart home environment as a good reference for the audience to gain a better understanding.
With the fast growth of IoT applications, our home network environment has changed dramatically in recent years. A typical home network setup five years ago consisted of a wireless/wired router with an ADSL/cable connection to the internet, and the devices connected to the router were mainly desktop computers, laptops and smartphones. These devices have one thing in common: they are operated by human beings, and in many cases, except for the smartphone, they are not powered up 24/7.
Today, the home network setup is undergoing a complete revolution. A typical home network environment can be described as in below diagram:

There are a few important new characteristics of a smart home network environment.
First, there are more devices in the home today that are becoming smarter and connected. For instance, smart sensors like thermostats need to be connected to the internet for data logging and remote control. IP cameras need to be connected to internet for real time monitoring. Even door locks have evolved to include connectivity options to allow remote monitoring and to allow opening of the door remotely.
From a security point of view, the dramatic increase of smart devices in the network increases the number of potential entry points for attacks. All these smart devices also involve very little direct human operation. They have built-in intelligence to collect data and information and make decisions based on programmed algorithms, and in many cases they need data communication capability with either the home gateway or the cloud server. End users mainly control or monitor these devices via external consoles or smartphones. Therefore, when a security breach occurs, end users have very few ways to detect or prevent the issue and take corrective action, because these devices operate on their own.
Major security threats in smart home
We can broadly categorise security threats for smart home applications into 4 main categories. These security threats are identified and discussed as follows:
1. Fake Identity of Devices: Most smart home devices possess some form of device identifier, such as a unique ID or certificate. However, a unique identifier without cryptographic protection can be easily cloned as soon as attackers gain knowledge of the generation process. Once the unique identifier has been cloned without authorization, the attacker is able to gain immediate access to the network via the cloned device, and from there subsequent attacks can be deployed. For example, critical information can be stolen, the bandwidth of the network can be misused, or malware and viruses can be injected. Validation of the server identity is equally important. If a home device is connected to a malicious server, critical user data can be stolen or, in the worst case, the entire home network can be attacked.
2. Eavesdropping of Data: Most of the communication interfaces used in the smart home environment are based on wireless technologies, e.g. Bluetooth, ZigBee, Wi-Fi etc. Although most wireless technologies have some form of security protection mechanism, they are not robust enough due to the constraints of the use cases. For instance, Bluetooth typically relies on a simple passphrase for pairing. This increases the risk of eavesdropping on critical and sensitive user data over the communication interfaces. It is also common to encrypt the communication data using cryptographic keys to protect confidentiality and integrity; the protection of those cryptographic keys against theft and extraction is then of great importance.
As an illustration of a real-life attack, three years ago experts from Context Security demonstrated the security weaknesses of certain smart bulbs. These LED bulbs were connected to a Wi-Fi enabled circuit board, and the experts found that when the bulbs “talked” to each other across a mesh network (6LoWPAN powered), the messages contained a username and password. As the underlying pre-shared key was never changed, all the white-hat guys had to do to gain access was to set up a similar circuit board simulating one of the smart bulbs asking to join the network. That allowed them to steal credentials and eventually gain control of all the lights on the network. They reported that a potential attacker could have easily gained access in private homes or businesses if they could have gotten as close as 30 meters to the bulbs. Even worse, they also note that such an attack would have gone undetected by the owner of the network.
3. Manipulation of Data: Besides the risk of eavesdropping, there is the possibility of critical data being manipulated or changed by malicious attacks; data integrity protection is therefore another important aspect of security in smart home environments. Critical information like billing information, sensitive configuration data or resource usage must not be communicated or stored as manipulated values.
4. Malware Infection: One typical attack after gaining access to the network is to install malware so that the affected device becomes the source of the next level of attack. The recent cases in some of the major telecommunication networks are typical examples of such attacks. Once connected home devices are breached and malware is installed, such devices can be added to a botnet and start issuing DDoS attacks. As a result many smart home devices – not only computers – become potential sources of DDoS attacks. The number of such smart home devices (e.g. smart cameras, home routers etc.) is much greater than the number of computers connected to the net, so the scale and speed of damage due to a botnet DDoS attack can also be much more significant.
Secondly, wireless connectivity solutions are not only limited to Wi-Fi in today’s smart home environment. Connectivity solutions, such as Bluetooth, ZigBee and Z-Wave have evolved and are adopted quickly. With the increase of the connected devices via different wireless connectivity solutions, the attack surfaces of smart home devices have greatly increased and the number of attacks has been rising steadily. Additional protection at system level is thus strongly needed.
Last but not least, most of these smart devices run on various microcontrollers with a proprietary Real-Time Operating System (RTOS). The security level of such implementations can vary from vendor to vendor. Also, very often there is a need for field firmware upgrades for these devices, which opens up another likely entry point for attacks, because malware can be injected during a firmware upgrade if sufficient protection mechanisms are not in place. The recent distributed denial of service (DDoS) attacks from connected devices in the US and Germany are very good examples of the importance of firmware protection in connected home devices.
Basic Security Cornerstones
The above mentioned security threats in the smart home environment can be addressed by 3 basic security aspects: “Confidentiality” by encrypting the sensitive data; “Integrity” by protecting data with cryptographic Message Authentication Code function or digital signature; “Authenticity” by using strong cryptographic authentication schemes.
At the center of these 3 security cornerstones are the cryptographic keys, which are used for encryption/decryption, for calculating the CMACs and for supporting the strong cryptographic authentication schemes. If an attacker manages to steal or clone these cryptographic keys, then these security cornerstones (“Confidentiality”, “Integrity” and “Authenticity”) can no longer be enforced, since the attacker is now able to eavesdrop on and/or modify the communication data and pass itself off as the real device. Therefore, it is of paramount importance to protect these cryptographic keys by using tamper-resistant hardware trust anchors.
Hardware based trust anchors for Smart Home Security
Secured identities are established using secret keys and cryptographic processes that utilize secret keys. Secret keys are fundamental root of trust for the entire chain of security measures required to protect smart home systems. Hardware-based security solutions provide the robust levels of security required to protect secured identities and deliver a greater level of trust than pure software based implementation.
Software-only solutions often have common weaknesses such as software bugs or malware attack. Typically, it is also relatively simple to read and overwrite software, which, in turn, makes it easy for attackers to extract secret keys. In contrast, hardware based security solutions can be used to store access data and keys on the same level as a safe is used to store confidential documents.
There is no one-size-fits all solution when it comes to cyber-security and very often the effective approach is to adopt a defense-in-depth approach where the security countermeasures are built into various layers such as devices, software and application, processes and user education.
On the device and hardware level, the best-of-both-worlds can be achieved by adopting tamper-resistant hardware trust anchors to complement the software security implementations. The hardware trust anchors can be used to provide a secured storage of cryptographic keys and provide a strong level of trust to support the software implementations. By achieving the spatial separation of the software applications and cryptographic keys, this provides a cost-efficient and highly effective barrier against the leakage of the keys and certificates in the event of malware infections.
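The device-identity threat and the key-separation idea described above can be shown together in a short sketch. This is an added example, not code from the article: `TrustAnchor` and `Gateway` are hypothetical names, the trust anchor is simulated in software, HMAC-SHA256 stands in for the CMAC the article mentions, and the device identifier and payloads are constructed sample values.

```python
import hashlib
import hmac
import secrets

def _msg(label: bytes, device_id: str, *parts: bytes) -> bytes:
    """Length-prefix each field so different inputs never serialise alike."""
    fields = (label, device_id.encode()) + parts
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

class TrustAnchor:
    """Software stand-in for a tamper-resistant chip (assumption): the key is
    set once at provisioning and only MAC results leave the object."""
    def __init__(self, key: bytes):
        self.__key = key  # real hardware enforces this boundary physically

    def mac(self, data: bytes) -> bytes:
        return hmac.new(self.__key, data, hashlib.sha256).digest()

class Gateway:  # hypothetical home gateway holding each device's provisioned key
    def __init__(self):
        self._keys = {}     # device_id -> key shared at provisioning
        self._pending = {}  # device_id -> nonce awaiting a response

    def provision(self, device_id: str) -> TrustAnchor:
        self._keys[device_id] = secrets.token_bytes(32)
        return TrustAnchor(self._keys[device_id])

    def challenge(self, device_id: str) -> bytes:
        self._pending[device_id] = secrets.token_bytes(16)
        return self._pending[device_id]

    def _valid(self, device_id: str, data: bytes, tag: bytes) -> bool:
        key = self._keys.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time compare

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)  # each nonce is single-use
        return nonce is not None and self._valid(
            device_id, _msg(b"auth", device_id, nonce), response)

    def check_reading(self, device_id: str, payload: bytes, tag: bytes) -> bool:
        return self._valid(device_id, _msg(b"data", device_id, payload), tag)

def run_demo() -> dict:
    gw, device_id = Gateway(), "thermostat-01"  # constructed sample identifier
    anchor = gw.provision(device_id)
    nonce = gw.challenge(device_id)
    response = anchor.mac(_msg(b"auth", device_id, nonce))
    genuine = gw.verify(device_id, response)
    replayed = gw.verify(device_id, response)   # nonce already consumed
    nonce = gw.challenge(device_id)
    # A clone that copied only the identifier has no key, so it can only guess.
    guess = hashlib.sha256(_msg(b"auth", device_id, nonce)).digest()
    reading = b"kWh=12.4"                       # constructed sample payload
    tag = anchor.mac(_msg(b"data", device_id, reading))
    return {"genuine": genuine, "replayed": replayed,
            "clone": gw.verify(device_id, guess),
            "reading_ok": gw.check_reading(device_id, reading, tag),
            "tampered": gw.check_reading(device_id, b"kWh=02.4", tag)}

if __name__ == "__main__":
    print(run_demo())
```

The separate `auth` and `data` labels keep a tag computed for a sensor reading from being accepted as an authentication response, and the reverse.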

Conclusion
With the advent of the Internet of Things and Smart Home technology, more and more devices are becoming connected. Attacks are made possible because these smart devices are able to run application code and are mostly connected to the internet without any secured connection. They can potentially become entry points for malicious hackers to break into the system to steal or manipulate confidential information (e.g. passwords) or even to inject malware.
In most of these cases, the users are unaware of the vulnerabilities and potential security exposure (e.g. ref the DDOS attack) of the products they purchase. Hence it is imperative that device makers include security measures from the design of their products.
In addition to other security measures in the operating system or software, a hardware trust anchor provides the secured basis for the system. By relying on such a specialized device, the manufacturers of embedded devices can reduce their efforts for creating a secured basis while still getting a strongly secured system.

Source : indianexpress

Tuesday, August 29, 2017

11 Internet of Things Stats That Will Blow You Away

The Internet of Things (or IoT) sounds like one of those futuristic buzzwords that's still just a little too far off to think much about. But the IoT -- where once-unconnected things like watches, cars, healthcare equipment, etc. will be connected to the Internet -- is already here, and it's changing our health, how we build things, and how we get around, and creating billions of dollars in value across multiple sectors.
So let's take a look at some of the most mind-blowing IoT stats and why all of it matters for investors.
1. Research firm Gartner says that IoT devices have increased 31% from 2016 to 2017, hitting 8.4 billion connected "things" this year, and that the number will surge to 20.4 billion by 2020.
2. To help put the amount of IoT devices into context, consider that Ericsson predicts that the amount of IoT devices will surpass mobile devices by next year.
3. Spending on IoT devices and services will reach nearly $2 trillion this year. That spending will mostly be spread across North America, China, and Western Europe, where  about 67% of IoT devices exist.
4. Consumers are still driving IoT device growth right now, and will account for 5.2 billion IoT devices this year, which represents 63% of the market.
5. Wearable devices like Apple's (NASDAQ:AAPL) Apple Watch and Fitbit's (NYSE:FIT) fitness trackers are growing in popularity, and wearable unit sales will reach 82.5 million in 2020, according to IDC. The competition is already heating up in this segment, with China-based Xiaomi's wearable devices leapfrogging shipments of Apple's wearables and Fitbit's devices for the first time last quarter.
6. Consumers may be the early adopters for IoT devices, but businesses are spending more on the IoT market overall. Companies will spend $964 billion on IoT hardware this year, compared to consumer spending of $725 billion. And in just three years the combined consumer and business markets will spend $3 trillion on IoT hardware.
7. According to a PTC report, manufacturing will be the biggest IoT platform by 2021, reaching $438 million as the Industrial Internet of Things (or IIoT) increases efficiency and decreases downtime for manufacturing companies. A separate study by Accenture says the IIoT could help reduce machinery breakdowns by 70% and reduce overall maintenance costs by 30%.
8. The surge from industrial companies using IoT devices should have very positive results for economies around the world. Accenture estimates that the IIoT will add $14.2 trillion to the global economy by 2030. That's great news for IoT pure plays like CalAmp (NASDAQ:CAMP), which sells hardware, software, and services that connect industrial equipment to the Internet. CalAmp made about 86% of its total 2016 revenue from its mobile resource management (MRM) technologies and machine-to-machine (M2M) communications tech.
9. IDC expects 80% of consumer service interactions in the healthcare industry (like meeting with your doctor) to use IoT and other analytics services by 2020. Alphabet's (NASDAQ:GOOG) (NASDAQ:GOOGL) Google recently relaunched its Google Glass device and found that using it allowed doctors to easily access patient information and decrease the amount of time it took them to take notes -- both of which resulted in more time spent with patients.
10. The Internet of Things also has the ability to improve our quality of life beyond the doctor's office. Bosch estimates that Internet-connected cars will reduce traffic accident injuries by 350,000 every year by 2025, and save 11,000 lives each year.
11. According to BI Intelligence research, agricultural IoT device shipments will jump from 43 million this year to 75 million in 2020. Agricultural companies are investing in technology that helps them to know where, when, and how much seed to plant using sensors, pre-planned seeding maps, and GPS-connected equipment. This precision farming and smart agriculture will make growing food more efficient and help farmers keep up with rising food production needs.
What investors should remember
The IoT will transform many different industries, but investors should remember that not all companies are betting on the IoT at the same scale. For example, the Apple Watch leads the smartwatch pack, but Apple brings in just 6% of its total revenue from sales of its "other products" (which include the Watch, Apple TV, Beats headphones, and other accessories). Apple could eventually become a bigger player in the wearable devices space if it launches its rumored augmented reality glasses, but at this point the iPhone maker doesn't have tons of IoT exposure. A better bet may be CalAmp, with its industrial IoT equipment and services, which makes nearly all of its revenue from the IoT.
Additionally, the IoT faces some serious security risks. The Mirai botnet attack in 2016 targeted IoT devices and used them to make a Distributed Denial of Service (DDOS) attack (when a server is flooded with so much traffic that it crashes). That resulted in Netflix, Shopify, Twitter, and other sites going offline for a while. The cost of adding connectivity to devices and other things continues to come down, which is great for IoT device expansion -- but it has also made it easy for smaller players to release devices that aren't secure.
All of this means that IoT investors should look for solid businesses in established markets, and bet on them over the long-term. The Internet of Things is growing quickly, but it will still take years for it to mature and for some companies to see the benefits.
Source: Fool

Sunday, July 23, 2017

73% People Agreed that IoT Has Improved Their Businesses

These and many other insights are from the recently published Cisco Internet of Things (IoT) study, The Journey to IoT Value: Challenges, Breakthroughs, and Best Practices published on SlideShare last month. The study is based on a survey of 1,845 IT and business decision-makers in the United States, UK, and India. Industries included in the analysis include manufacturing, local government, retail/hospitality/sports, energy (utilities/oil & gas/mining), transportation, and health care. All respondents worked for organizations that are implementing or have completed IoT initiatives. 56% of all respondents are from enterprises. 

Key takeaways from the study include the following:
73% Are Using Internet Of Things Data To Improve Their Business. The data and insights gained from IoT are most often used for improving product quality or performance (47%), improving decision-making (46%) and lowering operational costs (45%). Improving or creating new customer relationships (44%) and reducing maintenance or downtime (42%) are also strategic areas where IoT is making a contribution today according to the Cisco study.
IT executives often see IoT initiatives as more successful (35%) than their line-of-business counterparts (15%). With IT concentrating on technologies and line-of-business users focused on strategy and business cases, the potential exists for differences of opinion regarding IoT initiatives’ value. The following graphic provides an overview of how stark these differences are.


Engaging with the IoT partner ecosystem in every phase of a project or initiative improves the probability of success. The most valuable phases to engage with ecosystem partners include strategic planning (60%), implementation and deployment (58%) and technical consulting or support (58%). The following graphic provides an overview of most and less successful organizations by their level of involvement in the IoT partner ecosystem.

Only 26% of all companies are successful with their IoT initiatives. The three best practices that lead to successful IoT implementations are collaboration between IT and business, the availability of internal and external partnerships to gain IoT expertise, and a strong technology-focused culture.
60% of companies believe IoT projects look good on paper but prove more complex than expected. This finding underscores how critical it is for IT and line-of-business executives to have the same goals and objectives going into an IoT project. Being selective about which integration, technology, and professional services partners are chosen needs to be a shared priority between both IT and line-of-business executives.

Source: Forbes
