Part 1: IoT, When my Home Thermostat Becomes a Weapon
This will be a multi-segment series that takes a look at security surrounding the Internet of Things (IoT), where we’ll explore existing threats and delve into a few new ones. Of course, we’ll close out the series with some helpful pragmatic steps you can take for both your home and your business to not only embrace IoT, but to do so with confidence and peace of mind regarding your security posture.
The Smart Thermostat
My home’s thermostat is smart and connected to the Internet. This gadget is a wonderful innovation among the virally expanding portfolio of Internet of Things (or IoT) devices. You all know about these, and likely have one or many in your own home or apartment. In fact, industry studies suggest that each person on the planet will own at least five IoT gadgets by 2020. That’s in excess of 35 billion devices. And, this doesn’t count the broad range of industrial IoT devices controlling critical infrastructures.
My thermostat allows me to alter my home’s temperature and check the current settings from the convenience of my cell phone. All cool (pun intended), right? Well, this convenience raises secondary concerns and a completely new set questions. But, hold this particular thought for a minute. A smart thermostat is technically a system, complete with an operating system, a wireless network interface, ability to control another system, and it offers configurable settings (schedule, override, notifications, etc).
- With any operating system; one must safeguard the OS against unauthorized access, root kits, and malware infiltration which can infect the system and alter its intended behavior.
- With a wireless network interface; one must deny access to outsiders or bad actors. In the case of a wireless network, let us not forget that a bad actor could hijack your thermostat from the seat of their car parked outside your house. However, a bad actor would more likely gain access via the internet, either through a poorly configured firewall (or no firewall), or via open insecure ports on an internet router.
- Quick question: When was the last time you logged into your Internet Router and checked its settings? Thought so. Regardless of the method a bad-guy may use to get into your local area network (LAN), he or she being there is not good. Once on your LAN the bad actor can and will discover every vulnerable device and shared file on the LAN including any VPN connections to your employer, for which the latter raises some distinct risks for both the employee and their employer.
- With a device that can control another device; one must understand the downstream devices that can be controlled by the IoT device (aka, the furnace/AC controlled by the thermostat) and that compromising the controlling device (aka, the thermostat) gains immediate access to control any downstream controlled-device (aka, the furnace/AC system).
- With a device that has alterable settings (a configuration table, so to speak); one must safeguard the table from unauthorized alteration. But there’s one challenge with safeguarding these settings on many IoT devices. The last time I checked my thermostat there was no password protection. Thus once I connect to the thermostat, I can change any setting without challenge.
Now, let’s come back to that point I asked you to hold onto: the cell phone app that allows me to control my thermostat from afar. Yes, there is a third-party involved between me (my cellphone) and my thermostat. It’s the thermostat manufacturer’s service that connects us in the Cloud. In principle, my thermostat connects to the manufacturer, and my cell phone app connects to the same place, and we’re matched by a lookup code that joins us.
So, what about the thermostat’s manufacturer?
The manufacturer’s security infrastructure surrounding this “meeting place” becomes one of the most critical components in the mix. I guess, I really need to trust my thermostat manufacturer, right? Have they designed reasonable security into the product? Do they have security personnel dedicated to the job and constantly monitoring and testing the environment? Have they secured their product development networks and customer-portal networks? Lots of questions, few answers come to mind.
A commercial product manufacturer’s network will likely be more secure than most home wireless networks. But, it’s important you know that we as consumers become completely and immediately reliant upon the security that the manufacturer has designed their products, and that they implemented and applied appropriate layers of security within their networks to protect their thermostat (or whatever product) from being infiltrated by an outsider.
I don’t think very many consumers pay much attention to this aspect of certain IoT devices, likely because coolness sometimes overrides the messy topic of security. If you think about how rapidly brand new IoT technologies and start-ups come onto the scene, you have to wonder: have they really implemented a secure infrastructure and hardened their new products and services to adequately protect your data and your network? I don’t know about you, but this makes me wonder.
In upcoming segments, we’ll do a deep dive on attack surfaces presented by unsecured IoT devices (carrying forward with the thermostat example), we’ll expose some potential risks to data and safety, we’ll look at some industrial/commercial examples of risk, and we’ll close by suggesting some helpful steps you can take to protect your home and your business in order to safely leverage the innovative benefits of IoT devices.