Is “Smart” Really Smart?

Giovanni Perrone and Massimo Vecchio
July 17, 2017

 

Even if numbers change between different reports, there is consensus that we are on the edge of a turning point regarding the diffusion of IoT devices. The Ericsson Mobility Report November 2016 [1] in its IoT chapter, presents data saying that, by 2022, there will be a total of 18.1 billion short and long-range IoT devices active and inter-connected. Nevertheless, even without looking at 5 years from now, IoT is becoming more present in our daily lives, with cars and several other mundane equipment already supplied with Internet connection.

Introduction

As IoT is diffusing in our houses as well, it’s no surprise that data recently presented at CES 2017 (Consumer Electronic Show, one of the biggest trade show in the consumer electronics market) say that 15% of the houses (presumably in the United States) already host smart devices of some kind [2].

At the same time, the month of October 2016 has seen the largest (in terms of bandwidth of data used) Distributed Denial of Service (DDoS) attack taking place in the history of computer security, with previously unseen volumes of data used to knock-down various Internet services, both in the United States and in Europe. The attack has been carried out using a malware named Mirai that is specifically designed to attack and hijack IoT devices, transforming them into bots that can be later used to carry out coordinated attacks [3]. Two key aspects of what happened are definitely worth of attention:

  1. Mirai has been designed to hijack “smart” devices, kidnapping them and using them not only as hostile bots (controlled by an external control center) but also as infective vectors to propagate the virus to other devices;
  2. Mirai exploited the vulnerabilities present not only in the devices to be infected, but also in the installation environment: it gains root access by trying a hard-coded sequence of 66 typical user id/password pairs (e.g. “admin/admin”, “user/password”, etc.). Considering that more than 100 thousand devices were infected, it’s easy to infer that basic security prevention measures like changing the default administrator password were not taken into account when these devices have been installed

Thinking in terms of lessons learnt, there are some fundamental warnings that have to be understood and taken into account for the future:

  • IoT is vulnerable;
  • Low-cost smart devices often are more vulnerable than an average PC;
  • Even if the large public may now be more educated and conscious about PC security, there is no wide spread understanding in the typical user that smart devices are actually small computers and, as such, need to be managed and maintained from a security standpoint.

When “smart” may not be so smart

Surely, IoT will bring significant improvements to our quality of life. Applications like smart power grids, with self-adjusting power distribution and availability based on almost real-time demands, are already having a significant positive impact both on the economics and on environmental performances of the power distribution facilities [4]. On smaller scale, intelligent systems for finer regulation of the heating temperature in our houses can bring up to 20% [5] savings in energy consumption, reducing therefore pollution and heat dispersion. IoT penetration is also becoming a key differentiating factor in the automotive domain, where, just to mention a not-so-typical example, implementing connectivity between traffic lights and cars may help reducing fuel consumption and pollution [6].

The above are just a few examples of applications that exploit, in different ways, the various concepts that are behind the vision of IoT and that can reasonably be defined as “useful”.

However, the explosive short and mid-term growth of IoT is obviously a powerful attractive for all businesses, from small start-ups to giants like Google, Apple or Amazon, and the race for transforming every possible thing that surrounds us in a smart device is ramping up. The already mentioned CES 2017 was a good showcase for this trend and the audience had the possibility of watching live demonstrations of smart door bells and locks, smart sun shades and, last but not least, smart and internet-connected hair brushes [7].

Doubts about the real usefulness of such devices may be, to say the very least, legitimate but at the end of the day, the market will decide if there is a real need for an intelligent brush that suggests you how to comb your hair and gives hints about complementary luxury treatments most suitable for your specific wig.

However, in this race for “smartening” typical day-by-day objects, the crucial point is that, while a huge emphasis is put on the incredible benefits that technology will bring to everybody’s life (think about how envious your friends will be when you will be proudly showing your new smart hairstyle), the security risks that an explosive dissemination of connected devices may represent is completely neglected.

Hacking a connected world

We have already mentioned Mirai and the massive attacks perpetrated using it. But even on smaller scales, the hackers’ world is looking more and more actively towards IoT and its weaknesses. And the more the penetration of smart devices increases, the more also the impact of possible attacks amplifies.

The hacking conference Defcon 24 [8], held in Las Vegas on August 2016, hosted several sessions on IoT and its applications. Topics for these sessions ranged from highlighting possible fraud and prevention schemes in smart traffic applications to an analysis on how to attack high-security electronic safe locks (like the ones used for guns safes). While the contents of this type of conferences may not be characterized by their scientific rigor in their proceedings and methods, a look at the presented material reveals that the apparently safe and protected world of the connected devices is actually very permeable to malevolent actions, and that interfering or taking control of these devices do not necessarily require exceptional knowledge nor expensive devices.

Combine this scenario with the expected massive penetration of smart devices and it is not difficult to imagine the threats that this very transformation could bring.

Without taking in consideration the possibility already exploited by Mirai to use IoT agents to carry out attacks in the virtual world, the physical dimension of the smart devices we will live with will inevitably bring the dangers in the real world.

Think about, for instance, a smart house with a central control hub (a design layout typical for most smart houses applications). The house is provided with a smart door lock, video cameras and a smart thermostat. A pretty basic design after all.

In this scenario, suppose the hackers gain access to the central hub: not only they will be connected in the private WiFi or LAN network internal to the house (exposing therefore all devices to potential intrusion) but once with control over the hub the door lock could be opened remotely giving thieves possibility of entering into the house without efforts. The same thieves could know in advance when house owners are not in the house since they will have access to the WiFi cameras and to the thermostat (that will be set to “Away” mode). Using the cameras they may also know where the most precious objects are located, further reducing the time required to do the job. Once inside, with dedicated (and cheap) equipment they could easily open the high-security electronic lock used for the safe. And of course before leaving they could delete all pictures from all cameras leaving no trace behind. And lock the door.

Privacy and confidentiality are areas of serious concerns as well. Already in 2014 researchers proved that hacking popular smart devices like intelligent thermostat could be easily done and could represent a threat to users’ privacy and confidentiality [9]. And things are not going to improve with personal assistants like Amazon Echo or Google Home, devices aware of your physical location and equipped with microphones constantly listening to the environment to detect their “activation word” [10] and that can interact with other devices in your house (thermostats, cameras, bulbs, etc.): convenient for sure, but with a possible price tag on security and privacy [11].

Conclusions

The lack of clear (and compulsory) standards on IoT security has been and still is a matter of debate and concern. Many proposals have been made and even if the EU is funding projects on IoT security platforms but we’re still far away from having the situation under control where each new smart device can be considered “reasonably” safe to be installed and used.

At the same time, more and more smart (or not-so-smart) applications and devices are spreading, making the boundary between the virtual and physical world thinner and thinner, giving to the end user the illusion of being part of a safe, seamless, connected nest where nothing can go wrong and we are protected by the new technology we are introducing in our lives.

The need for implementing security by design is therefore becoming a matter of urgency and we may be well already late in this race. In the meantime, perhaps a more cautious and conscious approach to the IoT transformation should be transmitted to the wide public, letting everyone more aware of the risks brought by a smart world.

References

[1]           https://www.ericsson.com/assets/local/mobility-report/documents/2016/ericsson-mobility-report-november-2016.pdf
[2]           http://www.ces.tech/show-floor/marketplaces/smart-home
[3]           https://www.us-cert.gov/ncas/alerts/TA16-288A
[4]           http://smartgridcc.org/wp-content/uploads/2013/10/SGCC-Econ-and-Environ-Benefits-Full-Report.pdf
[5]           https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/447144/6.656_DECC_JG_Annual_Report_2014-15_AW_WEB.pdf
[6]           http://www.ijicic.org/ijicic-11-06076.pdf
[7]           http://www.cnbc.com/2017/01/04/loreals-smart-brush-listens-to-hair-recommends-luxury-treatments.html
[8]           https://www.defcon.org/html/defcon-24/dc-24-index.html
[9]           http://www.blackhat.com/docs/us-14/materials/us-14-Jin-Smart-Nest-Thermostat-A-Smart-Spy-In-Your-Home.pdf
[10]         https://www.theguardian.com/technology/2015/nov/21/amazon-echo-alexa-home-robot-privacy-cloud
[11]         https://www.linkedin.com/pulse/5-awesome-illegal-uses-alexa-shelly-palmer?trk=hp-feed-article-title-hpm


Giovanni PerroneGiovanni Perrone has been working in the mobile and Telco domain for more than 12 years, coming from another 10 years spent in the design of digital solutions for renewable energy and industrial automation applications. In the last 10 years he has been working in the post-sales area, specializing in project and program management, earning a PMP certification in 2007 and a CSM one in 2012 and has more than 10 years of experience in project and program management in Telecom, IT and Hi-Tech domains. In parallel to his working activities, he is currently cooperating with the "SMART Engineering Solutions & Technologies (SMARTEST)" Research Centre of the eCampus University (Italy), where he is completing his Master degree in Informatics and Control Automation. He has a Degree in Electronics Engineering and he is currently engaged in activities ranging from research to business development and leadership and project management seminars and workshops through the PMI CIC chapter.

 

Massimo VecchioMassimo Vecchio received the Laurea degree in Computer Engineering (Magna cum Laude) from the University of Pisa and the Ph.D. degree in Computer Science and Engineering (with Doctor Europaeus mention) from IMT Lucca Institute for Advanced Studies in 2005 and 2009, respectively. His research background is on computational and artificial intelligence techniques, such as metaheuristics for global optimization and fuzzy logic. During his Ph.D. degree, however, his research interests moved towards power-efficient engineering and application designs for pervasive systems and devices. From October 2008 to March 2010, he worked as a research engineer at INRIA-Saclay (France). Then, he joined the Signal Processing in Communications group at the University of Vigo (Spain) as a post-doctoral researcher. Upon his return to Italy (October 2012), he worked as a senior researcher at CREATE-NET (an ICT research center) within the "Smart Internet of Things (RIoT)" research unit, mainly in the field of Internet of Things devices and resources virtualization. Starting from May 2015, he is an associate professor at the eCampus University (Italy), holding also a course on mobile and embedded systems and heading the "Everything Connected (EC)" research unit of the "SMART Engineering Solutions & Technologies (SMARTEST)" Research Centre. He is the author of one book monograph and co-author of two book chapters, as well as several journal and conference papers.