Riding and Surviving the IoT Rodeo: Helping Users Stay in Control

 

There is little doubt that more devices are becoming smart. Major electronics retailers are marketing the smart home to consumers, with items on sale from connected door locks, through to baby monitoring systems and plant growth monitoring solutions. Product vendors and retailers are actively encouraging users to open up their homes to the internet.

Users buying home IoT equipment now are pitting themselves as helpless victims in a rodeo with a beast which could give them one hell of a ride. At some point they’re probably going to get thrown off and it might hurt a bit more than just their credit card being hit by fraudsters. The scary thing is – the real cowboys in this world are often the product vendors, who are quite willing to create and sell insecure products whilst just taking data from people.

Is that plant moving? IoT is even being extended to houseplants

At the Blackhat and DEF CON hacking conferences in Las Vegas in 2014 there was a huge amount of interest from the security research and hacking community in many different types of connected devices. Shodan, a tool for searching for devices open to the internet is regularly used to expose different business sectors for leaving sensitive things such as webcams and even medical equipment open to remote access. Hackers are now also moving into the automotive IoT space too, exploring what could be attacked in the connected car. The car industry has a lot to learn; only Tesla seem to be proactive in reaching out to the security research community and engaging them. One car manufacturer even threatened legal action against university researchers who uncovered security holes. The positive engagement approach is likely to be more successful for driver security.

Tesla at DEF CON 22 - they are the only car company proactively reaching out to security researchers. IoT vendors could learn from their lead

Some of the most popular home connected devices for parents are internet-enabled baby monitors. These can either be purpose-built or simply use a webcam. The problem with such solutions is that users either leave webcams open on the internet with default admin passwords and/or the webcam is not designed securely such that it can be brute-forced remotely. People buying the cheapest devices are often purchasing fake versions of real webcams, with even less security than the original. This has resulted in media stories of breaches, including people hearing voices talking to their babies through their webcams. It brings a stark realisation to parents about the risks of such technologies.

Product vendors, retailers and members of standards bodies often deliberately make decisions that put profits ahead of security. In hindsight, these organisations may state that they made risk-based decisions, but the reality is that there is likely to have been no risk or threat analysis at all. They’re not likely to have the in-house skills either – security engineering is difficult and costly and unfortunately security is not a mandatory component of all engineering degrees (it should be). Even in some standards and industry recommendations bodies, security is often an after-thought or not formally considered at all. In the end, it is the purchaser that gets hit the hardest, whether they are an end user or a business owner.

In the IoT space, there is often no concept of permission whatsoever, it’s all or nothing. With little to no user interface, some devices are completely ‘headless’ so it is also difficult for users to scrutinise in any way what might be happening or know when data is leaving the device.

The huge numbers of connected devices that are entering our homes means that it is no longer sufficient to rely on a home router provided by our ISPs. The security within routers is rudimentary and offers only limited, generic protection against a small set of threats. The administration interfaces are difficult to use, leaving most users with a standard, basic configuration. On top of this, software updates are either non-existent or difficult to install, leaving many devices vulnerable for years. Users need help, but it doesn’t seem like there’s any on the horizon.

Some solutions to help users stay in control

There are many things that can be done to help users, including the broader aspects of software updates and security usability. Here are some things that could help address key security design problems with IoT devices that affect users.

Micro-policy on IoT devices Even with very low-powered, low-memory devices, it is possible to create client-side policies that a user can control. Bounding of values – for example temperature limits can easily be set and prevent deliberate attacks aimed at sending equipment out of limits. Even access governance can be described in very little memory space. Designing APIs such that a user can return an explicit denial of access would help developers to degrade the user experience gracefully.

Just turn it off! Partly through design engineering mentality and partly through treating users with contempt, companies are not designing products that just allow the user to physically turn off features. There is a strong argument for a hardware switch to turn off network and location functions. The advantages are:

a) visible indication of the physical state of the IoT device, even with no user interface;
b) Local, hardware controlled security which cannot be overridden remotely.

This puts the balance of control firmly in favour of the user and that is how it should be, the user has purchased a physical thing and it belongs to them. Companies should not have free reign over a user’s surroundings or data.

Establishing the right to introspection If we are to see widespread adoption of IoT devices and user trust in such devices, users should be able to know exactly what data leaves a device and their own home.

Users are now frequently signing up to privacy agreements and end user licence agreements that are not in their best interests. Companies rely on two things:

1) That the agreements are too long to read and understand;
2) That there is no other choice – if the user declines the agreement, they can’t use the equipment.

This is not an acceptable situation.

Smart TVs are an example where users sign up to allow any-time access to the TV’s webcam and microphone, as well as for all their viewing habits to be taken and sold. The only protection the user has is some basic level of trust that a big brand would be damaged considerably if this data were abused, so the company is incentivised not to abuse it. This is misplaced trust.

Companies are finally waking up to the need to secure data in transit properly using SSL and TLS or IPSec encrypted pipes, however this is also an area of temptation – if the user cannot see what is in the pipe they can’t see what data is leaving their home. Establishing the ‘Right to Introspection’ as a fundamental principle of home IoT is, in the author’s view, a way to put the user firmly back in control. This principle in itself would serve as a deterrent to the temptation to grab ever more and to be intrusive. Data should be accessible for the data owner before it enters the pipe – in theory this is hard to do securely, but it doesn’t mean that it’s impossible.

Surviving the Rodeo

It is possible for users to take control and come out of the IoT rodeo ride intact, but they’re going to need a bit of help. Users not only need to defend themselves from remote hacking, they need to be able to put themselves in a position of control over commercial entities who are playing fast and loose with data that they don’t and shouldn’t own. It’s time for engineers to step up their game.

 

---

 

David Rogers (@drogersuk) is a mobile phone security expert who runs Copper Horse Solutions Ltd, a software and security company based in Windsor, UK. He also chairs the Device Security Steering Group at the GSM Association and teaches the Mobile Systems Security course at the University of Oxford. He has worked in the mobile industry for over 15 years in security and engineering roles. Prior to this he worked in the semiconductor industry.

David holds an MSc in Software Engineering from the University of Oxford and a HND in Mechatronics from the University of Teesside. He can be contacted at david.rogers@copperhorse.co.uk and blogs from http://blog.mobilephonesecurity.org