Securing the Connected Home from IoT-based attacks
As the Internet of Things (IoT) continues on its upward growth trajectory, security remains a major concern for businesses, governments, consumers, and IoT vendors. Today, the large number of poorly secured IoT devices on the market poses significant risks to consumers. Attackers can steal private data, send spam, and introduce destructive malware into their home networks by exploiting security vulnerabilities in these devices.
These vulnerabilities can have even greater consequences for the Internet at large. Millions of common IoT devices can be weaponized and used to launch crippling distributed denial of service (DDoS) attacks on corporate, media and consumer sites, as was the case with the Mirai attack in 2016.
But it’s not only consumers who are vulnerable. IoT vendors who fail to properly secure their products face their own risks, including negative PR, lost sales and declining revenue. On the other hand, IoT vendors who offer strong protection from cyber threats have an opportunity to create differentiation for their products in a fast-growing and increasingly lucrative market.
What is the CIRA Secure Home Gateway Project?
Recognizing the lack of a standard security framework for home networks, CIRA Labs has developed a new functional prototype to protect consumers—and the Internet—from the rise of IoT-based cyberattacks. Called the Secure Home Gateway project, this prototype is intended to address the numerous security limitations of home gateway products and IoT solutions currently available on the market.
For example, when a consumer connects a new IoT device to the network today, the home gateway typically gives the device access to the entire network by default. It also gives the device full-speed access to the Internet. Unlike smartphones, tablets and personal computers, the vast majority of consumer IoT devices do not require this level of privileged access to provide services. Combined with weak security controls and limited technical know-how on the part of users, this default access exposes the network to various forms of cyberattack.
In addition, when a compromised device is identified in the network, the home gateway does not provide a method for monitoring outbound traffic from the device or a process for quarantining it so that it does not spread throughout the home network and beyond.
With the Secure Home Gateway initiative, CIRA, along with its industry partners, is tackling these limitations head on with a secure solution that enables consumers and small businesses to enjoy enterprise-like security in their networks.
Secure Home Gateway Features
The CIRA Secure Home Gateway project consists of a functional prototype, open source software and the implementation of new standards. Its major components are the Turris Omnia Home Gateway from CZ.NIC, which is a secure home gateway that leverages the OpenWrt operating system; IoT device provisioning based on the IETF Manufacturer Usage Description (MUD) standard; and a Home Gateway smartphone app that runs on Android and iOS.
The Secure Home Gateway secures the IoT devices in the network using a Per Device Access Policy (PDAP). The device onboarding process includes three steps. First, the home gateway identifies any new IoT device that’s been added to the network. Then it places a policy around the IoT device restricting it to performing a specific function. Finally, while the device is in operation, the home gateway monitors it continuously and quarantines it at the first sign of any behavioural changes.
About the MUD Standard
The Manufacturer Usage Description (MUD) is an IETF standard that provides IoT manufacturers with a standard method for communicating the identity and intended use of their IoT products to the home gateway. A device’s MUD file is critical to securing the home network because it defines who or what can communicate with the device and enables the gateway to prevent any unauthorized access.
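The following added example (not code from the CIRA project) shows how a gateway could turn the outbound side of a MUD file into a per-device allowlist and apply the default-deny check behind the onboarding steps described above. The sample MUD file, its hostnames and the rule that any flow outside the allowlist triggers quarantine are assumptions made for illustration.

```python
import json

# Constructed sample MUD file (RFC 8520 layout, trimmed); hostname, URL and date are placeholders.
SAMPLE_MUD = json.loads("""
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://mud.example.com/lightbulb.json",
    "last-update": "2019-01-01T00:00:00+00:00", "is-supported": true,
    "systeminfo": "Example smart bulb",
    "from-device-policy": {"access-lists": {"access-list": [{"name": "from-bulb"}]}},
    "to-device-policy": {"access-lists": {"access-list": [{"name": "to-bulb"}]}}
  },
  "ietf-access-control-list:acls": {"acl": [
    {"name": "from-bulb", "type": "ipv4-acl-type", "aces": {"ace": [
      {"name": "cloud-https",
       "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "cloud.example.com", "protocol": 6},
                   "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
       "actions": {"forwarding": "accept"}}]}},
    {"name": "to-bulb", "type": "ipv4-acl-type", "aces": {"ace": []}}
  ]}
}
""")

PROTO = {6: "tcp", 17: "udp"}  # IP protocol numbers handled by this example

def outbound_allowlist(mud):
    """Return the set of (proto, dns name, port) tuples the device may initiate."""
    policy = mud["ietf-mud:mud"]["from-device-policy"]["access-lists"]["access-list"]
    wanted = {entry["name"] for entry in policy}
    allowed = set()
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] not in wanted:
            continue
        for ace in acl["aces"]["ace"]:
            if ace["actions"]["forwarding"] != "accept":
                continue
            ip = ace["matches"].get("ipv4") or ace["matches"].get("ipv6") or {}
            proto = PROTO.get(ip.get("protocol"))
            host = ip.get("ietf-acldns:dst-dnsname")
            port = ace["matches"].get(proto, {}).get("destination-port", {})
            if proto and host and port.get("operator") == "eq":
                allowed.add((proto, host, port["port"]))
    return allowed

def verdict(allowed, flow):
    """Assumed policy: default deny, and any flow outside the allowlist means quarantine."""
    return "allow" if flow in allowed else "quarantine"
```

Entries the parser cannot express as an exact protocol, DNS name and port are skipped, so they fall under the default deny.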
Home Gateway Smartphone App
The Secure Home Gateway also includes an intuitive smartphone app that makes it simple for non-technical users to onboard new IoT devices. Using the app, the user scans the QR code of each device, which allows the home gateway to discover the MUD profile for the device, transfer the unique Wi-Fi credentials and assign the appropriate Device Access Policy. When a new device joins the network, the app notifies the user so the device can be onboarded securely.
Secure Remote Access to the Home Gateway
Each secure home gateway comes bundled with a DNSSEC-signed third-level .CA domain. This provides a method for users to securely access and manage their home gateways remotely.
CIRA Can Help You Secure Your IoT Solution
As part of the Secure Home Gateway project, CIRA has made it possible for IoT vendors to create a MUD profile quickly and easily to secure their devices. To create a MUD profile for your device, visit the Secure Home Gateway Project GitHub repository:
https://github.com/CIRALabs/Secure-IoT-Home-Gateway
Get involved: Participate in the Secure Home Gateway Project
CIRA Labs and our network of partners on the Secure Home Gateway Project are looking to connect with other organizations interested in participating in the project. For more information, including the Functional Specification, project overview and open source code, visit the project GitHub repository.
CIRA is grateful for funding from the Internet Society that supports this important research on IoT security. The Internet Society’s kind sponsorship of $10,000 helps support this project aimed at protecting homes with internet-connected IoT devices.