The Internet of Things (IoT) means adding network connectivity and some form of “intelligence” to everything. Everyday items are now connected to each other and the Internet. We are seeing an accelerating trend of smart devices flooding personal spaces, creating smart homes.
Nearly all home goods can be bought with Internet connectivity. It doesn’t stop there: Security cameras, baby monitors, televisions, thermostats and heating systems are all connecting to the Wi-Fi network inside your house. The network is only protected from all the accumulated evil on the Internet by the firewall built into the broadband router, which you were given for free by your supplier.
Network Connectivity Brings Risks
That network is being used more and more by the physical controls and security systems for our home. Burglar alarms and even door locks can be connected to the Internet. That may be very useful for remotely giving your next-door neighbor access, but it’s an issue if they can be hacked. Even environmental control systems can pose a risk.
Imagine a scenario in which would-be burglars no longer have to walk around looking for opportunities. All they have to do is monitor your alarm or CCTV to identify your daily pattern, then they arrive while you are away, turn the security systems off and tell the environment systems to open a window — assuming they don’t just tell the front door to unlock itself.
Surely the developers behind all this new IoT equipment must be thinking long and hard about security, right? Wrong. In the race to be first to market and meet the need for zero-setup equipment, security on many IoT devices is woefully inadequate. As Bruce Schneier wrote in Wired, “These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them.”
Smart Homes, Meet Smart Security
So your home network is no longer full of just laptops, tablets, smartphones and printers, but also all these other devices trying to make lives easier and more connected. The security capabilities of these devices, however, are not great. Many cannot be updated, and even fewer will be. Ask yourself, when was the last time you upgraded the firmware of your connected printer or broadband router?
Smart homes are here and are only going to get smarter. In effect, they are no different from a small corporate network, and as such, they need similar levels of security, especially considering the growing trend of working from home. However, most people don’t have the skills or the desire to run them securely — imagine having to enter a password to boil a kettle! The concept of anti-malware and secure configuration does not fit in a small, function-specific IoT device.
What is necessary for the smart home or office is a smart security device. For example, a customized security information and event manager (SIEM) can spot when devices are added to the home network, identify them, note what they should or should not be doing, correlate events and look for patterns. It learns what is normal for users and then provides alerts when something is wrong.
I would like my smart security device to work with the firewall in my broadband router, dynamically generating rules to keep my system safe. You could also consider a form of vulnerability or patch management. If smart security knows what is on your network, it could query manufacturer websites, find out if there is an update available and notify you if there is.
There are many corporate SIEM solutions available today that could do this, but the challenge is to produce something that is practically maintenance- and setup-free — and at a price people are willing to pay. However, with the march of technology turning our houses into smart homes, it’s time we rose to that challenge.
To truly enjoy the promise of the Internet of Things, we need to defend our homes and offices from cyberattacks. Similar to the lessons learned from corporate security systems, this security needs to be delivered in a package that does not need a dedicated team. It has to be automated, self-maintaining, adaptable and maybe even cognitive. You need smart security.
Associate Partner, IBM Security
Gavin has 20 years of experience dealing with Security and Information Assurance within both the Government & Private sectors. He has worked on issues in...