BLOG: How secure is my smart home?

‘Hey Siri, turn off the lights…’

Many of you will be familiar with this phrase. But have you ever stopped to ask… How secure is my smart home?

With more devices being connected to the Internet than ever before, we need to make sure that security and privacy are not put at risk. Our current method of distributing security updates is not going to fit the requirements for the Internet of Things (IoT – where every device will be connected to the Internet). Instead, we need a new method that ensures we can viably update the devices in our home when vulnerabilities are found, thereby protecting the user’s privacy.

The current paradigm of cyber security has been compared to a ‘cat and mouse’ game.[1] With the growing frequency of serious security issues being uncovered, such as the flaw in modern Wi-Fi communication,[2] it’s hard to argue that this isn’t the case. A flaw is found, fixed and a software update (know as a patch) distributed. This paradigm has only been somewhat successful with devices such as phones. For example, it was found that many phones would not receive vital security updates in 2017.[3]

The concept of patching becomes a lot harder when it comes to devices built for the IoT, as these devices are focused on being low powered. This results in many functions that we would usually dedicated software to, such as encryption, being given dedicated hardware[4] as this uses far less power than a software implementation.[1] However, this brings a fundamental flaw in their design.

To explain why this is the case, we will consider a smart fridge. Imagine that you have installed the latest smart fridge in your house, connected via Wi-Fi to an app on your phone. The fridge uses dedicated hardware to secure data over Wi-Fi. A few weeks later, a security flaw is discovered in the Wi-Fi standard[2] and all the information supplied by the fridge over Wi-Fi can now be intercepted by a hacker. Unlike devices such as our phones, we cannot patch the fridge because the vulnerability lies in the device’s hardware.

I hope this example feels familiar, because it describes the current state of smart homes. Smart fridges do exist [5]. The ‘security flaw in the Wi-Fi standard’ also exists,[2] and currently affects almost every connected device. Of the approximately 6.4 billion IoT devices shipped in 2017,[5] it is likely that most will never see an update to fix security flaws. For devices such as a fridge, which are not replaced very often, it is easy to see how these issues are going to propagate into our future homes.

So, where do we go from here? It is clear we need low-power, reprogrammable hardware in the devices that will be in our homes. One way of achieving this is using field-programmable gate arrays (FPGA).[1] At a high level, an FPGA is a reprogrammable piece of hardware, allowing us to change an electrical circuit after it has been manufactured. The design of an FPGA uses hardware description language,[6] which is a type of programming language that allows you to design circuits. Instead of having control over the software of a device, we can now have control over the hardware. We can therefore update or change this when required, such as during a patch. This approach would provide us with a viable way to patch our currently flawed smart fridge from the example.

The current alternatives for FPGA rely on software attempting to mask the underlying hardware issue. For example, it is recommended[7] that you include a firewall in a smart home. This firewall will prevent network traffic from unauthorised sources reaching your home, in the hope of preventing malicious connections.[8] While effective, these methods do not fix any vulnerabilities that may be present in a device, they simply try to stop a hacker from exploiting them. However, using FPGA has its own drawbacks compared with the alternatives. An FPGA will store their configuration in random access memory This has the downside of being volatile memory – all data contained within it is lost when the power is turned off. We must therefore find a place to store and load this configuration or our devices will no longer work after a power cut! Another possible downside of using FPGA already exists in current software patching modalities. There are an estimated 1 billion Android devices running out-of-date software.[9] This shows that, even when patching is possible, many manufacturers will forget about older devices due to the large cost of updating them. Why should FPGA be any different?

The importance of patching  these flaws cannot be underestimated, however. In the future, if smart-home devices are being patched, their usable lifetime will be increased. Users will therefore not be forced to buy the newer version of a product just to ensure that their home is secure. This is economical for the user, but will also reduce the amount of ‘e-waste’ produced each year, which is the fastest growing waste stream in the UK.[10]

As we have seen, the current approach to security patches will not be viable for the IoT. The use of FPGA shows a promising approach to patching future devices, but unfortunately won’t be available for any current devices. Finally, if these patches could be deployed wirelessly from manufacturers, a smart home would be able to auto update with no input from the user and always remain secure.

References

  1. To Secure the Internet of Things, We Must Build It Out of Patchable Hardware, IEEE. Accessed 19 November 2017.
  2. Key Reinstallation Attacks, M. Vanhoef. Accessed 19 November 2017.
  3. Only 42 Android models have been updated to a security patch from the last 2 months, A. Martonik. Accessed 19 November 2017.
  4. How to Secure the IoT? Lots and Lots of Math…, Mouse Electronics. Accessed 19 November 2017.
  5. Gartner Says 6.4 Billion Connected Things Will Be in Use in 2016, Up 30 Percent From 2015.
  6. Embedded Micro. Accessed 19 November 2017.
  7. How to Secure Your (Easily Hackable) Smart Home, F. Rashid. Accessed 19 November 2017.
  8. Firewall Definition, Search Security. Accessed 19 November 2017.
  9. How out of date are Android devices?, D. Luu. Accessed 19 November 2017.
  10. Top Facts: Recycling and the Environment, Recycle More. Accessed 19 November 2017.

Books