In the first half of our series about the cybersecurity community’s move toward fully automated defensive systems, we examined how the emerging Internet of Everything is upping the ante for solutions that can identify and mitigate risks in real-time. Traditional measures such as antivirus, while still important for curbing certain classes of threat, are increasingly unsuited to fend off advanced attacks without assistance from network security monitoring tools and other modern utilities. Full automation is the logical next step in cybersecurity.
The Pentagon’s Defense Advanced Research Project Agency has been notably keen to cultivate such human-free infrastructure. The reasoning is persuasive: Security teams often have to go to great lengths, at tremendous expense, to account for scores of potential vulnerabilities (even more so given how many endpoints could partake in the IoE), while attackers only have to succeed in exploiting a single one. Automated systems could finally tip the scales in the favor of defense.
The automated home of tomorrow: A microcosm of IoE security issues
It won’t be easy to get there, however. The IoE is widely perceived by both security professionals and the public to be inadequately secured, and its sheer scope – possibly 50 billion connected devices, according to Cisco’s predictions – definitely necessitates a new breed of cyber security, yet makes such a leap forward difficult to realize.
The smart home, a dream since at least the 1950s that may only now be getting the necessary technological underpinnings, illustrates the challenge that consumers, businesses and cyber security providers face in protecting growing amounts of data and infrastructure from sophisticated threats. DARPA has cited the rise of the IoE as an impetus for automated security; the home is likely the place where many individuals will first experience the benefits and pitfalls of the IoE. A 2014 study conducted by Fortinet and GMI, “Internet of Things: Connected Home,” surveyed 1,800 consumers and discovered that while many individuals felt that IP-enabled devices would continue to become more embedded in everyday life, security would lag general functionality:
- More than half (61 percent) of respondents in the U.S. and a solid majority (84 percent) in China believed that the IoE – more specifically the networked home – would become a reality within the next 5 years
- Fifty percent stated that they were likely to seek better Internet service to accommodate IoE functionalities, which can range from smart thermostats to refrigerators equipped with Wi-Fi.
- Seven in 10 were concerned about data breaches of IoE infrastructure that could compromise their personal data
- Almost 60 percent did not trust how data collected from IoE endpoints may be used. Certainly, with Google’s acquisition of Nest, there have been concerns elsewhere about information on users’ homes being used to refine advertising targeting.
Home automation is an old idea, but making house appliances and communications systems Internet-facing is novel, and it creates many potential new attack surfaces. A 2013 Trend Micro research paper, “Home Automation and Cybercrime,” advised against deep in-home Internet integration. However, seeming to realize that many users will do so anyway, the paper’s authors recommended using strong, unique passwords for each device and isolating them from the rest of the home network if possible.
What could go wrong with home automation?
Devices such as TVs, smoke detectors and thermostats have only recently been IP-enabled, and just a small subset of them at that. Accordingly, connectivity is usually straightforward, while overall design is geared for simplicity of operation rather than security. As more of these networked appliances and gadgets enter the home, people may be opening up their data, identities and financial assets to attack.
“What makes [theft of data and money] more alarming is that these Internet-enabled gadgets only have a basic IP configuration with few or no security options, making them very vulnerable,” explained Ranieri Romera, senior threat researcher at Trend Micro, in a blog post. “Also, people are unaware of the devices’ vulnerabilities, that they use these devices as they would their computers and put in information that can be considered critical. At this point, we’re talking no longer just the risk of unauthorized access, but information theft as well.”
Indeed, many of tomorrow’s IoE endpoints are, in a technical sense, just smartphones by other names, replete with high-speed connectivity and built-in software updating systems. Tech Insider editor Sam Volkering likened connected cars to “smartphones on wheels,” and similar comparisons can be made for home security cameras and LCD-equipped refrigerators, as demonstrated in the Trend Micro infographic “The Automated Home of Tomorrow: How Vulnerable is it to Cybercrime?” As such, these devices are open to attack, with serious consequences:
- Hijacked security cameras would let attackers know when someone was out of the house.
- Compromised cameras, along with smart TVs, could secretly record and post video to the public Internet.
- A connected car infected with malware would obviously be a safety hazard.
Moreover, there’s the issue of how device manufacturers and Web companies handle the massive amounts of data collected by sensors and endpoints. Writing for Wired, Cade Metz examined the case of Dropcam – recently snatched up by Nest – and argued that by getting into the IoE business, leading technology firms such as Google could turn into honey pots, from which government surveillance and cybercriminals could easily scrape sensitive information.
Securing the automated home with automated security systems
The sophistication of the connected home requires new approaches to cybersecurity. No longer are only a few discrete gadgets – a PC here, a smartphone there – connected to the Internet; instead, wide sections of infrastructure are linked by a common network.
Ensuring that an intruder doesn’t gain control over an in-home camera system or kitchen appliance will likely require measures different than just installing antivirus software on each endpoint. Trend Micro malware CTO Raimund Genes told ZDNet in 2008 that standalone blacklist-based malware was already nearing end of life on PCs, which he predicted wouldn’t have the space to store all the myriad threat signatures that security solutions were routinely identifying during scans. What more for tiny CCTV cameras and thermostats?
Fully automated security systems are a good bet for workable IoE security. While DARPA’s competition for a truly human-free solution is still two years away, organizations can already get started with endpoint and network security tools that keep tabs on activity and screen out threats.
