The recent global distributed denial of service (DDoS) attacks against large chunks of the global internet used consumer IP cams as a part of the bot net that generated the network traffic. The massive growth in the use of cameras for home security, nature watching and so on means that there are millions of such devices attached to home networks, creating part of the ‘consumer’ internet of things (IoT). These are generally far from being dumb devices, however – the majority come with a version of Linux as an operating system. Anyone getting access to that base operating system can do a lot with such devices.
And herein lies the problem. Many devices come with a default administrator username and password. A simple search on the internet will provide anyone with such details. All they then need to do is carry out an open port sweep of a consumer IP address and try to connect to these open ports as an http client. If the right screen comes up, then input the default details, and there you go – a massive proportion of these devices will be freely available to be used by the dark side.
With low-end devices costing as little as £30 (or even less), there is little room for investment in advanced security. However, forcing the user to change the default password is a no-cost move, and should be adopted by any vendor of consumer IoT devices.
The problem runs deeper than just IP cams, though. Many consumer gateway/routers still ship with default admin/password combinations as well – with many of them allowing remote access from the internet.
And there is more. Heating and lighting controls, smart kitchen devices, connected TVs and other audio/visual (A/V) systems, along with smart watches and other wearables means that there will be a mix of different embedded operating systems with different data send and receive capabilities. It cannot be left as incumbent on the consumer to secure their total IoT environment.
It may be that a central IoT hub in the home is a better way of operating a consumer IoT network. Acting as a two-way controller, it can stop IoT devices from talking directly to the wider internet, while ensuring that all interactions between the outside world and the consumer’s IoT is controlled via the hub. However, this could still be a problem if the hub is badly designed and set up.
For example, consider if such a hub is compromised – the person who has managed to compromise the device now has unfettered access to every device within the user’s IoT network. The chaos that could be caused is enormous – both to the individual, but also to the general internet as all these devices could now be recruited to be part of a bot net.
Also, such a focus of data around a consumer IoT network can offer other seams of gold to those with a nefarious bent.
If a range of different data streams can be captured and analysed, patterns can be quickly built up. Lights not used between 9am and 4pm, and heating switched down to 15 C during the same hours? Could well be that there is no one at home during those hours. The same, but movement detected intermittently on security devices during that time – maybe a dog or a cat in the property. Movement detected at specific times on specific days? Possibly a cleaner.
A very nice way to build up a picture of activity around a property for a burglar to use with minimal effort. Yet, building this up from a set of disparate streams, while still possible, would involve more effort – and, as the police will always tell you – burglars, unless highly targeted, are opportunistic. If it is harder to do one thing than another, they will generally go for the easier option.
So, a home IoT hub needs to have enterprise-grade security. Data streams need to be secured as if they were dealing with military-grade data. Encryption of data at rest and on the move will be required. Client dashboards that interact with the hub need to ensure that they do so through https, secure socket layer (SSL) or other secured means. The hub needs to be able to take any IoT data stream and normalise it so that such dedicated, secure dashboards can present and use it – the use of the low-quality consumer access means provided with each individual IoT device (generally just a direct http connection with simple challenge and response security) must be avoided.
This is a massive opportunity in the consumer market – those vendors trying to push all-in-one IoT systems, with every device being from one vendor, will struggle. Consumers are fickle – they will choose between Nest, Hive and others for their heating controls; Sony, Panasonic, LG and so on for their smart TVs; Sony, Pioneer, Onkyo and so on for their connected A/V systems; newer central systems such as Amazon Alexa. Then there are smart lighting systems; the range of connected white goods coming through; smart meters – the list will keep on growing; no one supplier can cover these areas successfully.
A highly intelligent hub is the answer – but it must be the place where money is invested in getting the IoT right. The embracing of a full range of IoT devices and the normalisation of their different data streams into data that can be more intelligently analysed and acted upon by secure clients are givens. Encryption, intrusion detection, defaulting to using a wizard to take the user through setting up better security through multi-factor remote access and so on should be table stakes. Being able to easily and effectively block the hub itself should there be any suspicion that it has been compromised, along with customer services to help get it back up and running in a secure mode should make the marketing of such appliances quite effective.
Even with such investment in such an appliance, it should be possible to provide these at the price of a low-end PC – around £200 or less.
These intelligent hubs are needed now – the DDoS attacks on sites used by consumers should be the writing on the wall that galvanises the market into a suitable and effective response.