Written by Greg Otto
An oft-repeated factoid about the Internet of Things is Cisco Systems’ estimate that 50 billion “smart” devices will be connected to the internet by 2020. It felt like all 50 billion were on display at this year’s Consumer Electronics Show, from smart pianos to connected water cups.
Yet while the tech-hungry hordes were kicking the tires on those 50 billion gizmos, the number of people concerned about the security of those devices and their effect on the greater internet was probably closer to 50.
You had to duck behind one of the drone booths or ignore the troves of Alexa-connected products to find a demo or a fireside chat where security was part of the discussion. CES is never going to be RSA, but those moments in the background last week in Las Vegas at least offered glimmers of hope that someone is paying attention to the security of all of these new IP addresses.
Routers can be smart, too
The week did not go by without a number of companies debuting new products to help combat all of the smart devices cropping up in homes. The ability to co-opt smart home devices into DDoS attacks has caught the eye of both big and small security companies, thanks in part to the attack barrage from the Mirai botnet late last year.
Symantec unveiled its Norton Core router, which leverages the company’s massive network to protect all of the insecure devices that people might connect at home.
“The idea is the ability to secure IoT devices for which there is no security,” said Jeff Greene, Symantec’s senior director, at the show’s cybersecurity forum. “Detect anomalous activity, say ‘Wait, that’s not right’ and shut down that device.”
Similar products from companies like BitDefender and Securifi were also on display, all sporting the same general idea: Buy the secure router, sign up for a $10-a-month subscription, and the router will shut down devices if it detects shady circumstances.
Yet a lot of these products seemed to offer an all-or-nothing scenario. What happens if, for instance, a router detects a smart thermostat being pulled into a botnet and turns off the heat in someone’s house during the middle of a blizzard? Users aren’t going to care about that DDoS attack aimed at some website they’ve never heard of if they’re suddenly freezing.
Enter Bullguard’s Dojo, which aims to prevent this scenario. The system gives users a little more control than its competitors: Users get an in-home “pebble” that issues a smartphone alert when it detects a security problem. The app, which is built like a chatbot, asks users if they recognize what’s going on. If they don’t, users have the option of either disconnecting devices from the internet or shutting them down altogether.
“Most people don’t know how to log in to their own routers, and even if they do, they just see IP addresses or MAC addresses and it doesn’t mean anything to them,” said Yossi Atias, the general manager of IoT security at BullGuard. “We want to give peace of mind and comfort to adapt smart home technology without having to assume the associated risk that comes with it.”
What about the developers?
Instead of pushing the security problem onto users, one company is trying to bring IoT system developers to the idea that encrypting command data would be much better for the entire ecosystem.
Cruelly wedged between displays for an Internet-connected egg cooker and a smart spatula, Colorado Springs-based Eclypses demonstrated how their microtokenization software encrypts smart home commands. Their software, which sits on top of existing systems, scrambles anything that may contain the answers needed for hackers or thieves looking to manipulate various devices.
Eclypses Chief Innovation Officer David Schoenberger said most of the companies he’s talked to haven’t bothered with encryption, and those that have find the process to be a headache.
“I get two reactions,” he said. “People say ‘Oh we encrypt it, AES-256, AES-128, TLS.’ Okay, but what if your device can’t decrypt fast enough to keep up with the phones? They say ‘Well, we add more hardware,’ but then your prices go up. This token would be better.”
John Nachef, the company CEO, told CyberScoop his team has been working on the technology for two and a half years, applying it to everything from critical infrastructure to the consumer market.
“Any time that something has to be secure when you are talking about connected devices, we’re the answer for that,” he said. “We want to show all of these companies that security needs to be taken seriously, none of them have seriously built security into them.”
Policy over people
A number of security experts believe the approach Eclypses is taking — security engrained in the product over involving a user in the process — is the method more companies should be following as IoT continues to grow.
“We’ve got to take security decisions out of people’s hands,” said Philip Reitinger, President and CEO of the Global Cyber Alliance. “Not because they’re stupid, but because they have other things to do and they are exhausted already with the other decisions they have to make in their life. If you make the decisions for them and let them override them where it’s essential, then you are going to get a much better security and overall outcome.”
Reitinger pointed to efforts like the Online Trust Alliance’s IoT framework — which was released during the show — and some other projects his own organization is working on as ways companies can come together and figure out how to secure their devices before things pass the point of no return.
“With IoT, it’s not like phones where you replace them every two years,” he said. “Your thermostat is going to be connected for the life of the house. It’s a brave new world. In the short term, we need things like the framework, but we need to make it easier for consumers to understand the security devices.”
Yubico CEO Stina Ehrensvärd compared the current landscape to a time when cars weren’t forced to have seat belts.
“When cars came, there were no seat belts in cars and people died like flies on the highway. The car industry actually didn’t want to admit it was a problem until the figures were too bad,” she said during the show’s cybersecurity forum. “That’s what’s going to happen here in security.”
Speaking at the same forum, Department of Homeland Security Undersecretary Suzanne Spaulding said it’s time to act now before things mirror the early automotive industry.
“If we build this the right way, we have the opportunity to overwhelm our existing insecure internet with a far more secure internet of things,” she said. “It’s not just a massive attack surface, it’s an opportunity for us.”
It is an opportunity that Spaulding believes is crucial for the tech world to recognize if people are going to fully enjoy the smart pianos, connected water cups and whatever other gadgets flood into CES shows in the future.
“At the end of the day, the goal here is not cybersecurity,” Spaulding said. “Cybersecurity is a means to an end. The goal is to allow us to take full benefit of all of the wonderful things that our world can offer us, but we aren’t going to be able to do that if we haven’t made sure to build security from the get go.”