Cybersecurity might seem like the kind of thing you only need to worry about if you’re running a large enterprise or government network with hundreds or thousands of devices. When it comes to personal protection, most of us are content to slap some antivirus software on our laptops and hope for the best. But as we surround ourselves with more and more connected devices, our once-simple home networks are becoming complex tangles riddled with unfamiliar vulnerabilities.
In response, several digital security companies are taking on the challenge of providing the kind of robust protections that a home network needs when it scales up to join the Internet of Things — and doing so in a way that’s broadly accessible to users.
“Cybersecurity is one of the most complex domains in IT,” says Yossi Atias, the CEO and co-founder of Israeli startup Dojo. The company sells a device of the same name that promises to protect a home network by automatically blocking some threats, and helping users understand others by presenting simple, plain-language notifications.
F-Secure, a 28-year-old IT security firm based in Finland, is taking a similar approach with its Sense device. CTO Mika Stahlberg says that things are now much more complicated than the old image of a hacker using one computer to infiltrate another. Today’s attackers can pull the strings on botnets comprising thousands of compromised computers, serve malicious code from cloud services like Dropbox or Google Drive, or embed malware in the ads served on websites.
And, Stahlberg says, not all of the threats are external.
“Users need to be protected from their devices to an extent,” he explains. For instance: Because IoT devices often don’t have much computing power or storage, many data-intensive tasks will go to the cloud for processing — and for the most part, users have to blindly trust that their data is being handled responsibly.
“You really don’t have many options to verify where is your data being sent, how is it being sent, where is it being stored, is it being sold to somebody else, is that data secure from hackers or attackers,” Stahlberg says. “It’s very hard to say where privacy ends and security starts.”
In fact, users often don’t know that data is even being collected, much less sent out of the home. Several high-profile examples concern “always-on” audio sensors included in Barbie dolls, TV sets and game consoles.
Atias points out that once a manufacturer builds always-on surveillance into a device with a network connection, it opens up the possibility that anyone could compromise the device and use it as their own eyes and ears. “I would say it’s a brutal privacy breach, especially if you don’t know it’s doing it,” he says.
Some of these threats could be mitigated or avoided by better design in the products themselves. But mistakes will still happen, and some vulnerabilities can’t be solved at the device level at all. More importantly, no technology can fully prevent breaches in the human layers of the network, like a user who unwitting installs malicious software or succumbs to a phishing attack by divulging bank account info to a stranger — the kind of attacks security experts call “social engineering”.
Unless every one of us becomes a cybersecurity expert, the best we can hope for is to develop some tools to catch the obvious threats and help users understand and avoid the risks of the others. And the trick, according to both Atias and Stahlberg, is to look for patterns at the network level.
Devices like Sense and Dojo plug into a Wi-Fi router or modem and, with the help of each company’s cloud service, analyze all of the network traffic flowing into and out of the home. That doesn’t mean reading your emails or keeping lists of which YouTube videos you watch, but instead looking at patterns in the “metadata” — which servers each device is contacting, what kinds of messages they’re exchanging and how often, and so on.
Atias says that Dojo relies on “tens of thousands of rules” to identify the signature patterns of different types of malicious activity, and to define what’s normal and intended behavior for each type of device. Most IoT products are pretty predictable: Every Nest thermostat, for example, is going to contact the same set of IP addresses (the Nest cloud servers) and exchange similar types of data payloads. But a compromised device is likely to try things it has no business doing, in an effort to give the attackers access to even more of your network.
“If your TV is suddenly applying an attack vector on your camera, that’s an obvious hack,” says Atias.
Because Dojo and Sense act as gatekeepers for the entire home network, they can often shut down bad behavior automatically. But sometimes, traffic analysis reveals problems that can only be solved by users.
Often it’s just a matter of tweaking some settings — say, by making sure that your Wi-Fi baby monitor or security camera isn’t making a live stream available to anyone with a search engine. A device like Sense or Dojo can point out that the stream is public, but it’ll be up to you to lock it back down.
Stahlberg says part of the strategy is to capitalize on those “teachable moments” so that users can develop a better awareness of security and privacy. “It’s not just about prevention. It’s also about detecting that something bad is going on, and helping to remediate and prevent it in the future,” he says.
Despite the altruistic mission, consumers could be forgiven for looking askance at anyone asking for complete and total access to every bit of data flowing in and out of their homes. In the wake of revelations about mass data collection by governments, people are becoming more protective of their own digital privacy. The claim (made by both F-Secure and Dojo, among others) that “it’s only metadata” — and therefore can’t be used to violate your privacy — understandably rings a bit hollow.
But the frightening truth about the state of IoT security is that currently, much of the data generated by our devices and home networks is exposed to literally anyone who cares to look for it.
“Either you trust the whole world, or you pick someone to trust,” says Atias. (A third option, Stahlberg jokes, is to build your own Internet.)
“You trust a lot of security companies for your personal data now, otherwise you would have zero security in any domain,” Atias says, pointing to home security companies that install and monitor alarm systems, credit card processors that handle our account info, and antivirus companies that immunize our computers against the latest malware.
In fact, the only reason we might balk at having an all-access eye on our network is that it’s a layer of security that has so far been largely invisible to us. Personal computers get most of the protection they need from antivirus software, and smartphone/tablet software is insulated by the vetting process of app stores. But that’s not to say network-level threats have been a non-issue. Routers are notorious for spending years with bugs, out-of-date firmware, and default passwords, and Stahlberg says they get attacked pretty much constantly. That should be reason enough to consider beefing up the security of your home network.
And though most IoT devices are not being directly attacked in large numbers yet, the more connected devices we add to our homes, the harder it is to make sure each of them is secured with its own up-to-date firmware and other protections — and that means our networks are becoming even juicier targets.
“I’m always imagining the attackers thinking about return-on-investment,” Stahlberg says. As the population of IoT devices grows, he expects a tipping point where criminals will decide it’s more cost-effective to attack those emerging platforms.
“That moment won’t happen before the population at large goes to IoT and certain devices get high enough market share,” Stahlberg says. “We expect that time to be very soon, though.”
Want to learn more? Here’s a summary of how Dojo and Sense stack up.
Author: Ted Burnham