It has been estimated that there are over 100 billion internet-connected devices worldwide. The variety of IoT smart home devices is diverse, but there is a strong demand for sound, TV, heating/temperature, lighting and home security. The surge in growth opens up a new range of security vulnerabilities to individuals if the device has been compromised.
What is happening now?
In October 2016, smart home devices were used as a part of a mass cyber-attack on websites. Hackers exploited devices such as CCTV cameras, IoT-connected home devices and printers. The attacks were generated by creating DDoS attacks to websites such as Spotify, Twitter and Reddit of sufficient magnitude to have them taken temporarily offline.
At the time, analysts and researchers expressed their frustration at the security gap, its simplicity and the fact that it was exacerbated by the ease with which cheap, relatively poor devices can be manufactured and distributed (BBC, 2016).
In a review of the same incident, Cobb (2016), publishing on the ESET security community website, noted that there was nothing new in malicious code infecting routers, but that the massive scale of DDoS attacks, made possible by unsecured IoT devices, is new and increasing.
What is the user’s view?
A further point in Cobb’s article states that a recent survey found 40 per cent of Americans weren’t confident that IoT devices are safe and secure, and over half of those surveyed had concerns over cybersecurity that discouraged them from purchasing such devices. Inspired by the 2016 attack, we undertook a small survey with follow-up interviews to see whether UK-based users held similar views.
We found that the majority of participants owned an IoT home-based device with an average of one to two devices. However, in general, the majority of these devices were using connection technology such as Bluetooth or Wi-Fi and users were unaware of the security implications of using either connection method for the home.
Regarding device trends, in both our survey and interviews we found that participants were principally interested in devices for audio and TV, heating and temperature control, home security and controlling lighting, these being the key trends driving the high growth of IoT smart home technology.
Another key finding was that over half of those surveyed were intending to further purchase or increase the amount of IoT devices in the home and while some still stated they were unaware of security issues associated with IoT smart home devices, nearly three quarters of respondents felt that their device could be compromised or used as a part of a wider attack.
This demonstrates a broad lack of trust in device manufacturers. In the interviews conducted, our sample of users showed that they were more likely to purchase more established smart home device brands than the cheap generics mentioned in the BBC article.
Alongside this, nearly half of respondents felt that insufficient privacy controls had been implemented on their device and more than one in three suggested that they were unsure if privacy controls currently implemented were adequate enough. Wider studies also suggest users are unaware if their data is being transferred to a large corporate organisation or a third-party organisation (Wong and Leung, 2016).
Organisations are facing further scrutiny with the collection and storage of personal information since the GDPR regulation came into force in May 2018, and the same applies to IoT device manufacturers.
What can be done?
For manufacturers, there will always be competing commercial agendas as well as the need to balance flexibility of use against locked-down security. An opportunity to develop support services that can be trusted now exists, and businesses such as Amazon and Best Buy have already launched consultation services as they recognise that the strong growth in smart devices has triggered this need for technical support and customer trust through loyalty to known brands (Wolf, 2017).
Underlying technology could be improved: protocols such as IPV6 could significantly benefit IoT devices, not only from a security standpoint but from a growth and sustainability stance for all IoT devices. However, there appears to be a lack of urgency for manufacturers and governments to assist and force implementation of this new network technology.
When IPV4 was released it had no implementation considerations for security. IPV6 was built with security in mind, such as the integration of IPSEC at the network layer as an encryption standard. IPV6 can also run more efficiently on mobile devices and has the ability for routers to handle requests more efficiently which may eliminate risks associated with data transfer.
IPV4 can also only cater for 4.3 billion possible addresses whereas IPV6 accommodates for up to 340 undecillion address combinations (Bischoff, 2016), this is likely to help slow the device scanning rate for attackers. However, these issues will become more apparent in the future, and IoT devices which are specifically programmed to use only IPV4 may encounter security issues as this network protocol is slowly phased out by internet service providers.
As with other areas of security, the underlying vulnerability that is always being exploited is user awareness and knowledge about the technologies they own. We believe that there are several key areas where improvements can be made. First, users may not be aware of the types of products that they can purchase to help improve the security of devices and inform them if their device security is inadequate.
The questionnaire results showed a number of individuals owning one or more device, with the potential to extend the number of devices in the home in future. Users who are security conscious or feel their devices can be later compromised or used as part of a wider network attack can also purchase routers which replace conventional ISP provider routers.
Second, users may have also been unaware that the majority of DDoS attacks conducted in October 2016 were a result of manufacturer usernames and passwords being leaked on the internet. Users can strengthen the security of their device by changing their default username or password, therefore making it harder for an outside attacker to gain access to personal data. Generic devices sometimes have usernames and passwords hardcoded, which opens up further vulnerabilities.
Third, users may be unaware that their wireless transmission device may be more vulnerable if a particular transmission type or the wrong type for their home environment is selected. The different wireless transmission types used by device manufacturers may need to be communicated effectively to help aid the decision-making process when purchasing a device.
Fourth, security patches and updates can be difficult to manage if the user has multiple devices requiring multiple connection methods. Making this process simpler, or just educating on the how and why may have significant security benefits.
References
- Bischoff, Paul. (2016). ‘IPV6 vs IPV4: what are they, what’s the difference, which is most secure?’ Available from: https://www.comparitech.com/blog/vpn-privacy/ipv6-vs-ipv4/
- BBC (2016). ‘“Smart” home devices used as weapons in website attack.’ Available from: http://www.bbc.co.uk/news/technology-37738823
- Cobb, S. (2016). ‘10 things to know about the October 21 IoT DDoS attacks.’ Available from: http://www.welivesecurity.com/2016/10/24/10-things-know-october-21-iot-ddos-attacks/
- Wolf, A. (2017). ‘Amazon Offering Free In-Home IoT Consults. TWICE: This Week in Consumer Electronics.’ 32 (3), p40.
- Wong, J. and Leung, J. (2016). ‘Modelling factors influencing the adoption of smart-home technologies.’ Facilities. 34 (1), p906-923.