Smart home security teardown: why VPN, firewall, and antivirus don't cut it
The number of devices in homes is exploding, and service providers are feeling the impact. The “smart home” is a fun term for progressive consumers, but at this moment, it might be best translated as “widened attack surface” for ISPs. (Not as fun.)
Let’s explore why and how Minim is tackling this growing, complex problem.
Growing attack surfaces
According to Pew Research, “nearly one-in-five American households (18%) are ‘hyper-connected’ – meaning they contain 10 or more [connected] devices.” With the total number of consumer connected devices expected to triple between now and 2020 to 13.5 billion, this number is growing rapidly, and the U.S. is leading the way.
While the number of devices in homes grows, so does their attack surface, a phrase that software security specialists use to describe the sum of different points of vulnerability. Plus, many connected devices, especially single-purpose devices, are vulnerable to attack because they do not have sophisticated security software. Here are a few reasons why:
- Security is not a core discipline for device makers
- Device computing power limitations
- Many device makers outsource component and software development, making it difficult to track device security measures all the way down the supply chain
- Device makers commonly share a code base across devices, making it difficult and expensive to make changes and test them
Here’s where one might ask: what about homes that have implemented firewall, VPN, or antivirus protection? Aren’t they okay? While those are all fine technologies, they aren’t up to the massive problem we have before us.
Virtual Private Network (VPN)
A Virtual Private Network (VPN) creates a private network of devices across the public internet. A common use is for employees to securely connect to their corporate intranet from home or on-the-go.
A VPN works by creating an encrypted point-to-point tunnel so data can be securely shared. For example, let’s say you work at a personal investments company and decide to work from a coffee shop on one sunny afternoon (hey, 55% of over 15,000 consumers surveyed by Symantec in 2017 said they couldn’t resist a strong public WiFi signal). As you access sensitive information about your clients from your company systems, you wouldn’t want that data floating, unencrypted, around the coffee shop’s WiFi, where it could be intercepted by anyone. So, you connect over a VPN to your corporate network over your steaming cup of coffee.
In a typical setup, a remote worker will use a VPN to route encrypted traffic from a work device to a VPN controller. This means only the traffic sent from that device is protected, and most typically this is only part of the work-related traffic. Due to the heavy cost of hauling all that traffic back to a controller, web browsing and access to cloud platforms like Salesforce, Google Drive, and Dropbox are not protected.
But let's say for the sake of argument that all the traffic sent from the work device is sent via a VPN controller. Even still:
- The VPN will not protect the incoming traffic to devices on the network.
- The VPN will not prevent the home network devices from exchanging traffic on the home network itself. So, if a smart speaker is infected, it may laterally attack the work device.
- If a phishing email is received and opened on the home network, the VPN does nothing to stop the malware from taking malicious action, such as stealing credentials when accessing cloud services.
- The VPN won't protect against vulnerabilities in the router itself, which is the main attack vector in homes to date.
Finally, a very tech-savvy home might attempt to set up a VPN to funnel all traffic from the home router. In this case, there are some significant adoption hurdles for VPN service in the home, namely that connected devices must be able to function over VPN, which is not always the case out of the box. (See this blog where a network-savvy blogger accomplished this using a Raspberry Pi.)
Firewall
A firewall is a layer of security on a network to monitor and control inbound/outbound traffic with a set of security rules. Many routers today come with pretty lax firewall settings, allowing all traffic out.
Beyond the lax default settings, the key reason that today’s firewall solutions cannot act as a magic solution for smart homes is that they put too much responsibility on the homeowner. Logistically, the homeowner needs to review their connected devices, identify the ports the applications listen on and connect to, and configure their firewall accordingly with nuanced understanding (e.g. the differences between hardware and software-based host and network firewalls: why use one over the other, why use multiple?). Furthermore, as devices receive firmware updates, the owner must keep up with how this might affect their firewall.
Antivirus software (PC)
Most consumers are likely aware of antivirus software, software that can be installed on a PC to protect it from viruses, spam, spyware, and malware; Norton and McAfee have become household names. As previously mentioned, most IoT devices do not come with inherent antivirus software, and there is no way to install such a layer. So, it’s easy to see how these traditional antivirus software solutions won’t protect the connected home at large.
The future of smart home security
If you’re still not convinced that the above solutions aren’t “good enough” to protect the connected home, read about chained exploits to see how a hacker might bob and weave around these technologies with basic Linux knowledge. Furthermore, here’s a real-life example of hackers’ creativity, using a casino’s fish tank to steal their data.
So what does the future hold? Let’s identify some characteristics of a solution that can help. Below are some vital principles by which Minim has built its platform to secure the smart home:
- Automatically identify devices in the home (fingerprinting)
- Develop a behavior model for all connected devices— know how they should behave
- Monitor traffic in real-time
- Stop a connected device when it’s acting out of the norm
- Identify when a device’s firmware needs updating; alert the device owner and automatically update when possible
- Alert the home when a new device joins the network
- Make network management simple, for every home
… and we’re adding to them every day.
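The behavior-model principles above, and the per-device review of ports and destinations that the firewall section asks of homeowners, as an added Python example (not Minim's code): it learns each device's destinations from flow records, then flags new devices, lateral traffic inside the home network, and unexpected destinations. The MAC addresses, the 192.168.1.0/24 subnet and the flow tuples are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed home subnet

# Constructed flow records: (source MAC, destination IP, destination port, protocol)
BASELINE_FLOWS = [
    ("aa:00:00:00:00:01", "203.0.113.10", 443, "tcp"),   # smart speaker -> vendor cloud
    ("aa:00:00:00:00:01", "203.0.113.10", 443, "tcp"),
    ("aa:00:00:00:00:02", "198.51.100.7", 8883, "tcp"),  # thermostat -> MQTT broker
]
LIVE_FLOWS = [
    ("aa:00:00:00:00:01", "203.0.113.10", 443, "tcp"),   # matches baseline
    ("aa:00:00:00:00:01", "192.168.1.50", 445, "tcp"),   # speaker -> work laptop on the LAN
    ("aa:00:00:00:00:02", "198.51.100.99", 23, "tcp"),   # thermostat -> unknown host
    ("aa:00:00:00:00:03", "203.0.113.10", 443, "tcp"),   # device never seen before
]

def learn_baseline(flows):
    """Build a per-device allowlist of (dst, port, proto) from a learning window."""
    model = defaultdict(set)
    for mac, dst, port, proto in flows:
        model[mac].add((dst, port, proto))
    return dict(model)

def classify(flow, model):
    """Return a verdict for one live flow against the learned model."""
    mac, dst, port, proto = flow
    if mac not in model:
        return "new-device"              # alert the home: unknown device joined
    if (dst, port, proto) in model[mac]:
        return "ok"                      # behaviour seen during learning
    if ip_address(dst) in LAN:
        return "lateral"                 # device-to-device traffic a VPN never sees
    return "unexpected-destination"      # outbound flow outside the model

def review(flows, model):
    """Return (flow, verdict) for every flow that deviates from the baseline."""
    return [(f, v) for f in flows if (v := classify(f, model)) != "ok"]

if __name__ == "__main__":
    model = learn_baseline(BASELINE_FLOWS)
    for flow, verdict in review(LIVE_FLOWS, model):
        print(verdict, flow)
```

The learned per-device sets are also the information a homeowner would need to write egress firewall rules by hand, which is the burden the firewall section describes.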