What is Going on with Residential IoT
You have surely heard about the recent DDoS attacks that occurred last October 21st on Dyn’s DNS service. The news broke with reports that many well-known Internet services were not available. According to Hacker News, Twitter, Etsy, Spotify and other sites were affected. Up to this point, there’s nothing new, just another DDoS attack. A large company outage means big news, but there is still a key point in this equation that has not been addressed.
- Was Residential or Consumer IoT affected?
According to Dyn’s report, “the attack come from 100,000 malicious endpoints”.
In the second-to-last paragraph they state: “Not only has it highlighted vulnerabilities in the security of “Internet of Things” (IOT) devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet.”
Put both quotes together: 100,000 IoT devices have been Hacked. This is astonishing and outstanding!
There has been no news about how the 100,000 IoT device customers have been affected or supported:
- Do they still have the Bot inside their device?
- Do the devices work correctly?
- Do they know they have been hacked?
- Do they know they are at risk?
- Will the Bots change and do other things?
- Will the Bots leave backdoors in their home networks?
- How long will it take for another Bot to hack their IoT device?
- What are Consumer Protection Agencies doing about this?
- What are Governments doing?
This is no joke: we are talking about 100,000 devices (IoT Customers), and it therefore has to be addressed very seriously.
Dyn and the Internet community will address the issue. That’s fine! But how and when will they solve the Residential IoT vulnerability problem? Residential IoT needs to be Secured, Monitored and its software Updated. Enterprise IoT already contemplates this, but Residential IoT does not. Individual devices are sold with no security, and in the best case, if they are well developed and secured, they still need to be monitored because software always has vulnerabilities, no matter how well and securely it has been developed.
The questions above cannot be solved using security policies inside IoT or in the Internet itself. More has to be done! This is a Game Changer; Home Networks have to be monitored and secured to prevent Malware and Attacks. If not, the Internet will soon be like Hell.
The Residential IoT Avalanche
Gartner estimates that by 2020 there will be 25 billion IoT devices; of these, 13 billion will be Residential Home Devices, more than 50% of the total. Imagine if only 1% of these devices are vulnerable: there will be 13 million devices to hack.
- Are the Internet Home Users aware of the risk they are taking?
- Are their Home Networks and GateWays (GW/Router) secure?
- Will the Internet itself be reliable and secure?
How to Secure Home Networks
Twenty years ago, Home Networks only had PCs with well-developed software, for example Windows, but many vulnerabilities were used to Hack Residential and Enterprise PCs. This problem gave rise to many Anti Malware (AM) Software Companies to safeguard Windows PCs. The same is happening right now with Residential IoT.
Either IoT devices lack the capacity, or suppliers are not interested in incorporating AM software into them. The devices are generally too small and only run specific dedicated software, i.e. they cannot be easily protected with embedded AM Software:
- This is a big problem. How can it be solved?
- Where and how can AM software safeguard Home Networks, GWs and IoT?
Every Home Network connects to the Internet through the GW, which is the main door into our Home. As with Houses, shouldn’t an armored door be used to prevent thieves from coming in? The GW is the door to the Internet and it is also another device with CPU and Memory, a processing unit that can do the job. Why not use it to block hackers before they even get in? Thanks to FTTH and IoT itself, Gateways have become more powerful. If a GW does not have the power to cope with AM Security, then a security appliance should be connected to it. Using a secure GW, the entire Home Network will be protected from Malware and Attacks.
Many Security Providers and new startups have already foreseen the Secure GW solution.
Current Residential IoT/GW Security Innovation Trends
As described before, the most effective scenario to protect your Home IoT is to Safeguard the Home Network using the GW. This is currently being done with two innovative solutions:
Solution #1. Attach a physical AM Security Appliance to the Home GW.
Solution #2. Embed AM Security software directly into the Home GW.
Solution #1 is an interesting and effective approach: another device with more CPU and Memory means more processing power, but it adds another gadget for the end user and it has to be physically connected to the Home GW’s 1Gbit Port.
The Pros: The Appliance adds an extra device to manage security, leaving the GW as it is. The customers will manage alerts and/or security configurations through a simple app on their smartphones.
The Cons: All the traffic will pass through the appliance over a 1Gbit port, which needs a cable connected to the GW. Customers want to reduce physical gadgets; they already have many, such as the GW itself, IPTV DVB Decoder, the ONT, Game Station, Printers, cables, etc. Another device is not a bad solution, but the current trend is to reduce home devices and cables. This solution will work, but in a few years Solution #2 will make Solution #1 obsolete.
Solution #2. The Security Software will come within the GW device or it will remotely be installed.
The Pros: The customer will only manage alerts and/or security configurations, with a simple mobile app, that’s all. Simple, no physical appliance, no wires.
The Cons: Many of the current GW hardware devices don’t have sufficient physical CPU and/or Memory capacity to manage security software, but with the FTTH and the IoT boom, Gateways are becoming more and more powerful and in a few years, most of them, if not all, will have the power to manage AM software.
Make it Simple, Intelligent and Economically Viable for Retail
Both solutions have their pros and cons, and both should, at least, address basic security surveillance. There are many threats that can be addressed using Cloud Intelligent Processing, analyzing Home Network Metadata (the GW CPU will be freed from many security tasks). But most important of all is the combined Residential Cloud Intelligence. For example, if a new threat is detected and blocked on a provider’s vulnerable IoT device, the solution will automatically be propagated to all of the security providers’ customers, avoiding mass propagation and hacking damage.
Residential Device “Internet Use Patterns” will be supervised and any mismatch will be reported to the customer or automatically be blocked if a malicious attacker is detected.
Customers don’t or cannot give proper maintenance to their Home IoT. The solution should or will control possible problems like vulnerable firmware, recommend changing easy or default passwords, block dangerous port access, grant or deny access, etc. Most of these simple actions will be prompted on the users’ smartphone, and the problem will easily be solved using a simple one click menu.
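The “Internet Use Patterns” supervision and dangerous-port blocking described above can be sketched as gateway-side logic over flow metadata. This is an added example, not code from the article or from any vendor's product; the record fields, the risky-port list, the fan-out threshold and all hostnames and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

RISKY_PORTS = {23, 2323}  # assumed policy: Telnet-style ports closed to the WAN
FANOUT_LIMIT = 5          # assumed: max unseen destinations per window

def learn_baseline(flows):
    """Record each device's normal (destination, port) pairs."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f["device"]].add((f["dst"], f["port"]))
    return baseline

def evaluate(baseline, flows):
    """Return {device: (action, reasons)} for one monitoring window."""
    unseen, reasons = defaultdict(set), defaultdict(list)
    for f in flows:
        dev = f["device"]
        if f["dir"] == "in" and f["port"] in RISKY_PORTS:
            reasons[dev].append(f"WAN access to port {f['port']}")
        elif f["dir"] == "out" and (f["dst"], f["port"]) not in baseline.get(dev, ()):
            unseen[dev].add((f["dst"], f["port"]))
    verdicts = {}
    for dev in set(unseen) | set(reasons):
        # Block on a policy violation or a burst of never-seen destinations;
        # a small deviation is only reported to the customer.
        block = bool(reasons[dev]) or len(unseen[dev]) > FANOUT_LIMIT
        if unseen[dev]:
            reasons[dev].append(f"{len(unseen[dev])} destinations outside baseline")
        verdicts[dev] = ("block" if block else "report", reasons[dev])
    return verdicts

def flow(device, dst, port, direction="out"):
    return {"device": device, "dst": dst, "port": port, "dir": direction}

# Constructed sample metadata (documentation hostnames and address ranges).
LEARNING = [flow("camera", "cloud.example", 443), flow("camera", "ntp.example", 123),
            flow("thermostat", "api.example", 443)]
WINDOW = ([flow("camera", "cloud.example", 443)]
          + [flow("camera", f"198.51.100.{i}", 23) for i in range(1, 9)]
          + [flow("thermostat", "updates.example", 443),
             flow("dvr", "192.168.1.50", 23, "in")])

if __name__ == "__main__":
    for dev, (action, why) in sorted(evaluate(learn_baseline(LEARNING), WINDOW).items()):
        print(f"{dev}: {action} ({'; '.join(why)})")
```

On the constructed window, the camera and the DVR are blocked while the thermostat's single new destination is only reported, which corresponds to the one-click prompt on the user's smartphone.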
And finally, and probably most important, customers don’t want and can’t pay for a highly sophisticated solution. A next generation firewall type solution is way out of scope and expensive; the solution has to be smart and economically viable or sales will suffer.
There is no need to drill down into what can be done and what cannot, both solutions are effective. Solution #1 is good but #2 is in the core of the Home Network, the GW, and simpler for the end user, but it may take some time before all the GWs have sufficient power and capacity.
- There are millions of Residential IoT Devices being hacked, but most users are unaware and the press doesn’t really talk about it.
- Residential IoT is in general insecure and with the predicted IoT Avalanche, hackers will take advantage of the situation to make the Internet be like Hell.
- Residential IoT must be Secured, Monitored and its software Updated using the Home GW Router.
- Make it Simple, Intelligent and Economically Viable for Retail.
- IoT Residential Customers must be 100% aware of the Security risks, this must be strongly driven by Consumer Agencies, Governments, The Press, IoT Suppliers and Security Vendors.
If the security actions described in this publication are not addressed correctly, the Internet and all of us will have to learn the hard way.
Juan Mora Zamorano
Independent Security Contractor