Innovation is an unstoppable force. The IoT is one such an example, with devices flying off shelves almost as fast as they’re being manufactured. In fact, the International Data Corporation (IDC) predicts that by 2025 there will be nearly 56 billion IoT devices globally.
Everywhere, consumers are filling their homes with Wi-Fi refrigerators, connected security cameras, home assistants and a myriad of smart home IoT products.
Unfortunately, they often don’t understand just how much risk they’re bringing through their doors.
The smart home – a concept defined by a collection of IoT devices that work together to automate a home environment – is an attractive proposition to many consumers. What they often don’t know is that it’s also a dangerous one.
The IoT devices that make up those smart homes are often insecure and a prime target for many attackers who see an easy opportunity to profit.
Smart homes are often “easy wins” for cyber-criminals. Many smart home IoT devices are consistently susceptible to simple attacks because the same vulnerabilities keep cropping up.
Many still come with default passwords; others can’t update their firmware; many don’t encrypt data at rest or in transit; some are built with highly insecure components or network services that broadcast crucial information about those devices on the open internet. These vulnerabilities exist because the same mistakes and oversights keep getting made in the engineering and manufacturing process.
As the old cybersecurity cliche goes, attackers will always choose the path of least resistance. Once attackers have exploited those common present vulnerabilities, they can serve as key entry points into otherwise secure network infrastructures.
Enslaved IoT devices commonly serve as foot soldiers in distributed denial-of-service (DDoS) botnets. The most famous example of this is Mirai, a malware that exploits IoT devices by scanning for them and then simply guessing their passwords from a small library of commonly used ones. Once it has successfully enslaved a device, it scans again for other potential targets in the vicinity.
Preying upon the reliably-present vulnerabilities of IoT devices has allowed Mirai botnets to launch devastating DDoS attacks against popular websites, major pieces of internet infrastructure and even an entire country. It’s done so with an army of insecure routers, thermostats and doorbells and continues to successfully rope smart home devices into its control.
IoT security is a problem that urgently needs to be fixed – but it can’t be solved by looking only at individual devices.
The true source of IoT insecurity lies along the extensive and complex supply chain that takes them from conception to release. IoT development is not a closed loop – it involves multiple parties intersecting at different stages of design and manufacture. It’s here where vulnerabilities and questionable design decisions are made on the way to the consumer’s hands.
Smart home attacks seize upon these supply chain weaknesses and are a huge target for attack. UK-based consumer advocate Which? attempted to test this in 2021 with the assistance of the Global Cyber Alliance and UK-based penetration testers, the NCC group. They set up their own model smart home with a variety of different consumer devices including smart kettles, thermostats and security systems. They quickly saw as many as 12,000 unique hacking or scanning attempts on their smart home in one week, peaking at 14 hacking attempts per hour.
Unfortunately, the connected doorbells, cameras, routers, lightbulbs and other devices that make up smart homes are often some of the most vulnerable on the market. By placing vulnerable devices like these in their own home, consumers are literally inviting risk to their personal privacy and safety through the front door.
To make matters worse, they’re also often proprietarily siloed, meaning that a home assistant such as Amazon’s Alexa cannot speak to another company’s devices – thus introducing redundant application stacks and multiplying the attack vectors in a smart home.
Risk also lies outside of individual device vulnerabilities. The underlying technologies on which they run can also pose threats. The Wi-Fi that connects those smart home devices, for example, can be used to exploit the smart home. That can be due to weak passwords, insecure service set identifier (SSIDs) or vulnerabilities within underlying standards in routers such as WPA or WEP.
There is currently one notable attempt to help secure the supply chain that carries smart home products to market. “Matter” is a new standard from the Connectivity Standards Alliance (CSA) that has brought together a collection of tech giants to produce a standard for smart home devices that is inclusive of a security strategy.
It’s a single internet protocol-based standard that will allow certified devices to speak to one another, without proprietary restrictions. It’s described by the CSA as “an industry-unifying standard to deliver reliable, seamless and secure connectivity.”
However, in order to certify for this standard, devices will have to meet certain minimum security requirements.
What’s important about Matter is that it demands devices be developed with some crucial security features and offers guidance on how to design them that way.
To qualify for certification, devices must use some of the strongest cryptographic protocols available to make sure that data is encrypted in transit or at rest. Qualification requires that devices be crypto-agile, so that encryption algorithms can be updated as new threats emerge.
They will also have to ensure the confidentiality, integrity and availability of transactions between smart homes systems and devices. This includes over-the-air updates, which have become a troublesome point of vulnerability for IoT devices. According to the standard, these provisions will be self-contained and thus not subject to the risks associated with underlying technologies like the Wi-Fi those devices use to connect.
While these are important steps to take in the manufacturing of a secure smart home device, Matter’s real strength lies in its ability to instill digital trust throughout the entire supply chain.
Matter devices will use public key infrastructures (PKIs) to embed each certified device with its own identity. In turn, this will help embed digital trust into the devices allowing them to interoperate between one another with mitigation of its security risk profile.
Crucially, however, it will also embed that same digital trust throughout the supply chain – in each stage of device development. Each Matter device will be given its own identity and their own device attestation certificate (DAC) – signed by an issuing certificate authority – which manufacturers will use to verify the identity of those devices.
That DAC is installed into the devices during manufacturing and when they’re commissioned, used to verify that they are Matter-compliant. It’s in this way that digital trust can be transmitted along each link of the smart home device supply chain.
Its reach extends to the very end of the supply chain too. Matter-certified devices will carry a logo on their packaging, meaning that consumers can make educated decisions about the security of the devices they want to invite into their homes.
Furthermore, Matter’s backers – who include Google, Amazon, Apple and over 400 device manufacturers – hold huge influence over the IoT supply chain. Marrying the standard to these companies’ influence gives Matter an unprecedented authority in this area.
While the IoT is often characterised as a home consumer technology, it will soon characterize not just smart homes, but intelligent buildings and smart cities. Smart homes will become intelligent buildings and help to manage the operations of entire apartment complexes, city administration facilities and other types of public infrastructure.
The enduring security problems which IoT devices and smart homes face are worrying. However, the same technologies are soon going to be asked to do a lot more and if those problems make their way into those larger use cases, then the public risk will expand in parallel.
IoT technologies will soon be responsible for much more than a connected lightbulb or a smartdoor lock. Innovation in this area will need a high level of digital trust if consumers and companies are to benefit. Many of these new use cases will be responsible for the very physical safety of their users and stakeholders. If these innovations can’t be secured against attack, then they risk catastrophe and disuse.
Tom Klein is the Senior Director of IoT Business Development at DigiCert. He has more than 40 years of experience in IT with a specialty in IoT Security. He has had extended tenure with IBM, Microsoft, AWS and security specialty organizations.
This article was originally published in the April edition of Security Journal Americas. To read your FREE digital edition, click here.