Last April, I shared information about a multistakeholder process that CIRA is part of, which seeks to identify and guide the development of policy around the Internet of Things (IoT), putting security at the heart of internet innovations in Canada.
Since the formation of this process, we've made quite a bit of progress and I'm pleased to share some of that with you. In particular, we've taken solid steps forward in CIRA's IoT Secure Home Gateway project.
Before I begin, I want to stress, once again, the threats that IoT devices pose. There are cheaply made devices, growing in popularity, which share similar software and features. Their users have little to no ability to secure or update these devices. Wondering what types of devices I'm referring to? Think baby monitors, smart light bulbs and that internet-connected singing puppy your nephew is so fond of.
IoT devices like these are a security and privacy risk to individual users. This can include bad people taking control of your Wi-Fi enabled webcams or internet-connected children's toys. However, the greater concern for me is when these insecure devices are taken over for the purposes of a distributed denial-of-service attack (DDoS) whereby hundreds or thousands of devices are used to attack core internet infrastructure or services. The multistakeholder group I'm part of called this a potential IoT Zombie Apocalypse. With the scale and growth of these devices, and the threat that entails, that feels like an apt description.
The Network Resiliency Group: Three defence approaches
As part of the larger multistakeholder approach in Canada for IoT security, I'm part of the Network Resiliency Group. We're primarily concerned with the weaponization of IoT devices whereby a device can become compromised from the internet or from other internet-connected devices and used to attack or take down major internet infrastructure.
Our work has identified three approaches to defence.
- Scale existing DDoS mitigation mechanisms.
- Directly address the insecurity of IoT devices through improved security design and lifecycle management practices, encouraged via standards, awareness, examples and regulation.
- Network-based defences for IoT for the home and small business.
There is a Network Resiliency Working Group final report available, for those who want to dig into our work a little deeper and into each of these approaches. It's quite comprehensive and worth a read.
In the meantime, I'll focus in on one part, which falls into the third approach and is near and dear to my heart: CIRA's IoT Secure Home Gateway project.
CIRA's IoT Secure Home Gateway: Innovation in securing IoT devices
CIRA has an innovation hub, called CIRA Labs. It's where ideas are sparked, brought to life and tested. Some projects turn into products and services, or become integrated into CIRA's work. Others don't. As the lead on CIRA Labs, I'm excited about a current project I'm working on all around securing IoT devices in Canadian homes.
CIRA Labs is developing a functional prototype, open source software and new standards for a next-generation secure home gateway and a home registry solution that protects IoT devices and the internet from each other through security controls.
This project started as an idea in late 2016 after the Mirai Dyn attack. We knew we had to do something around mitigating the risk of home-based large-scale DDoS attacks. We decided to embark on a project focused on bringing the current home gateways into secure home gateways.
The hypothesis we are testing is whether we can implement an enterprise-type security framework to home and small business networks, while keeping it simple to use.
We did a quick assessment of the current state of home networks and concluded there are no standard home network security frameworks, especially to onboard the upcoming wave of new IoT devices.
Then we looked at the state of IoT and its security landscape. The major observation is when we add a new IoT device to the home network, it is granted full access to the entire internet, at full speed, with full access to the internal network as well, with sufficient access to the Wi-Fi keys that it can impersonate other devices. Once an IoT device is compromised, there are no facilities to detect anomalous traffic patterns and quarantine the device.
Another important aspect of today's IoT is their dependence on the cloud to provide their services. A requirement of the secure home gateway is to provide the users of the home network with secure access to its home network. Therefore, a secure home gateway needs a domain name to be internet reachable, and the devices within the home can benefit from being named. With this, a secure connection to the home network is possible.
Having the IoT vendor sending all your internal home video feed, audio feed and personal information to a cloud in a foreign country where Canadians have no privacy rights (U.S. or wherever the IoT vendor servers are located) is an unnecessary privacy risk. If someone knocks on your door, the camera should stream the video directly to your mobile phone encrypted. Not via another jurisdiction.
CIRA is working with multiple local and international partners to develop this secure home gateway solution. As the steward of the .CA ccTLD, we are the experts who can provide names as part of that solution. Our goal is to have a functional prototype and application that you can download by end of March 2019. It's worthwhile noting that over the course of the last year we found many IoT security and home gateway initiatives that complement our work. We tried to ensure there is no overlap and to integrate the available solutions into the secure home gateway project.
From a technology standpoint we are betting on the market adoption of MUD, based on the Internet Engineering Taskforce (IETF) Manufacturer Usage Description (MUD) standard internet draft.
We're in phase two of this project, which will include a greater focus on building a user-friendly app so that everyone, no matter their level of technical ability, can use it. We're also looking to standardize the API between the app, the home gateway and MUD servers.
There are several other steps underway, which I encourage you to look at our via our CIRA Labs Github, including the many challenges we're trying to address. If we're successful, we will significantly decrease the threat of IoT devices, but we've got a lot of work left to do. You can also learn more about this project and others on the CIRA Labs webpage.
Getting MUD-dy in March
MUD is an authoritative identifier of IoT devices, which allows manufactuers to expose the identity and intended use of their devices using an IETF-approved standard. These standards are key to our gateway project because they provide the instructions that say who or what can communicate with that device. For example, if you have a smart refrigerator MUD will help ensure that the only communication occurring is between your fridge and you, and your fridge and its manufacturer. This will cut out any sort of additional traffic to or from your smart fridge that you don't want.
From March 23-29 the IETF will meet in Prague, and IoT security and MUD are on the agenda. I look forward to this discussion, as the biggest brains in internet engineering convene to tackle what is one of the greatest internet threats of our time. The latest report from the multistakeholder working group was released last week on enhancing IoT security. I look forward to sharing further updates as we progress with this project and our work to make IoT devices safer. Stay tuned!