BLOG: How secure is my smart home?

‘Hey Siri, turn off the lights…’

Many of you will be familiar with this phrase. But have you ever stopped to ask… How secure is my smart home?

With more devices being connected to the Internet than ever before, we need to make sure that security and privacy are not put at risk. Our current method of distributing security updates is not going to fit the requirements for the Internet of Things (IoT – where every device will be connected to the Internet). Instead, we need a new method that ensures we can viably update the devices in our home when vulnerabilities are found, thereby protecting the user’s privacy.

The current paradigm of cyber security has been compared to a ‘cat and mouse’ game.[1] With the growing frequency of serious security issues being uncovered, such as the flaw in modern Wi-Fi communication,[2] it’s hard to argue that this isn’t the case. A flaw is found and fixed, and a software update (known as a patch) is distributed. This paradigm has only been somewhat successful with devices such as phones. For example, it was found that many phones would not receive vital security updates in 2017.[3]

The concept of patching becomes a lot harder when it comes to devices built for the IoT, as these devices are focused on being low powered. This results in many functions that we would usually dedicate software to, such as encryption, being given dedicated hardware[4] as this uses far less power than a software implementation.[1] However, this brings a fundamental flaw in their design.

To explain why this is the case, we will consider a smart fridge. Imagine that you have installed the latest smart fridge in your house, connected via Wi-Fi to an app on your phone. The fridge uses dedicated hardware to secure data over Wi-Fi. A few weeks later, a security flaw is discovered in the Wi-Fi standard[2] and all the information supplied by the fridge over Wi-Fi can now be intercepted by a hacker. Unlike devices such as our phones, we cannot patch the fridge because the vulnerability lies in the device’s hardware.

I hope this example feels familiar, because it describes the current state of smart homes. Smart fridges do exist.[5] The ‘security flaw in the Wi-Fi standard’ also exists,[2] and currently affects almost every connected device. Of the approximately 6.4 billion IoT devices shipped in 2017,[5] it is likely that most will never see an update to fix security flaws. For devices such as a fridge, which are not replaced very often, it is easy to see how these issues are going to propagate into our future homes.

So, where do we go from here? It is clear we need low-power, reprogrammable hardware in the devices that will be in our homes. One way of achieving this is using field-programmable gate arrays (FPGAs).[1] At a high level, an FPGA is a reprogrammable piece of hardware, allowing us to change an electrical circuit after it has been manufactured. The design of an FPGA uses a hardware description language,[6] which is a type of programming language that allows you to design circuits. Instead of having control over the software of a device, we can now have control over the hardware. We can therefore update or change this when required, such as during a patch. This approach would provide us with a viable way to patch our currently flawed smart fridge from the example.

The current alternatives to FPGAs rely on software attempting to mask the underlying hardware issue. For example, it is recommended[7] that you include a firewall in a smart home. This firewall will prevent network traffic from unauthorised sources reaching your home, in the hope of preventing malicious connections.[8] While effective, these methods do not fix any vulnerabilities that may be present in a device; they simply try to stop a hacker from exploiting them. However, using FPGAs has its own drawbacks compared with the alternatives. An FPGA stores its configuration in random access memory. This has the downside of being volatile memory – all data contained within it is lost when the power is turned off. We must therefore find a place to store this configuration and load it from, or our devices will no longer work after a power cut! Another possible downside of using FPGAs already exists in current software patching modalities. There are an estimated 1 billion Android devices running out-of-date software.[9] This shows that, even when patching is possible, many manufacturers will forget about older devices due to the large cost of updating them. Why should FPGAs be any different?

The importance of patching these flaws should not be underestimated, however. In the future, if smart-home devices are being patched, their usable lifetime will be increased. Users will therefore not be forced to buy the newer version of a product just to ensure that their home is secure. This is economical for the user, but will also reduce the amount of ‘e-waste’ produced each year, which is the fastest growing waste stream in the UK.[10]

As we have seen, the current approach to security patches will not be viable for the IoT. The use of FPGA shows a promising approach to patching future devices, but unfortunately won’t be available for any current devices. Finally, if these patches could be deployed wirelessly from manufacturers, a smart home would be able to auto update with no input from the user and always remain secure.

References

  1. To Secure the Internet of Things, We Must Build It Out of Patchable Hardware, IEEE. Accessed 19 November 2017.
  2. Key Reinstallation Attacks, M. Vanhoef. Accessed 19 November 2017.
  3. Only 42 Android models have been updated to a security patch from the last 2 months, A. Martonik. Accessed 19 November 2017.
  4. How to Secure the IoT? Lots and Lots of Math…, Mouse Electronics. Accessed 19 November 2017.
  5. Gartner Says 6.4 Billion Connected Things Will Be in Use in 2016, Up 30 Percent From 2015.
  6. Embedded Micro. Accessed 19 November 2017.
  7. How to Secure Your (Easily Hackable) Smart Home, F. Rashid. Accessed 19 November 2017.
  8. Firewall Definition, Search Security. Accessed 19 November 2017.
  9. How out of date are Android devices?, D. Luu. Accessed 19 November 2017.
  10. Top Facts: Recycling and the Environment, Recycle More. Accessed 19 November 2017.
