IoT security and privacy
Since the Mirai botnet attack on Dyn just over a year ago, the Internet of Things (IoT) has been receiving extra attention at SIDN Labs, mainly because we ourselves operate an important global DNS infrastructure for the .nl domain, which might be targeted by a DDoS attack of the kind that thingbots get used for. 'Thingbots' – botnets of IoT devices – are a relatively new but significant internet threat. As well as the well-publicised Mirai, several new thingbots are now causing trouble, including Persirai and Reaper.
Smart hackers recruiting things to form botnets
Some of the new things coming onto the market are easily hacked and recruited into botnets. Others are guilty of leaking privacy-sensitive information. Although many of the things in question are very simple devices, they represent a serious threat because of the huge numbers being sold. In the Mirai attack, just 100,000 infected devices were able to mount an attack on an unprecedented scale. So it's frightening to think what a really big botnet could do.
New research project
With a view to reducing the risk of .nl or another important internet system being targeted by a thingbot-based DDoS attack, we started a new IoT research project at SIDN Labs earlier this year. It goes by the name of SPIN: Security and Privacy for Inhome Networks.
Automated temporary blocking of IoT devices
SPIN's goal is to come up with a way of temporarily blocking IoT devices automatically if they display suspicious behaviour. In other words, we're aiming to stop DDoS attacks at source (IoT devices in the home). SPIN will also give users more security and privacy control over their IoT devices by means of a graphical interface. So it represents an important contribution to the security and reliability of the internet.
Over the last few months, we've developed a prototype SPIN system, using our existing Valibox concept as the starting point. The SPIN software we've created is special open-source firmware for use on a small, convenient home router. The design is presented in a tech paper, which also sets out our thinking on the problems associated with the IoT.
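A minimal sketch of the idea of temporarily blocking a device that displays suspicious behaviour, added here as an illustration and not taken from the SPIN software. The per-destination packet-rate heuristic, the thresholds, the class name `TempBlocker` and the sample traffic are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_S, MAX_PKTS, BLOCK_S = 10, 1000, 300   # assumed: window, threshold, block time

class TempBlocker:
    def __init__(self):
        self.windows = defaultdict(deque)   # (mac, dst) -> deque of (ts, pkts)
        self.totals = defaultdict(int)      # (mac, dst) -> packets inside the window
        self.blocked_until = {}             # mac -> time at which the block lifts

    def is_blocked(self, mac, now):
        expiry = self.blocked_until.get(mac)
        if expiry is not None and now >= expiry:
            del self.blocked_until[mac]     # the block is temporary: lift it
            return False
        return expiry is not None

    def observe(self, ts, mac, dst, pkts):
        """Feed one traffic sample; return 'allow', 'block' or 'drop'."""
        if self.is_blocked(mac, ts):
            return "drop"
        key = (mac, dst)
        win = self.windows[key]
        win.append((ts, pkts))
        self.totals[key] += pkts
        while win and win[0][0] <= ts - WINDOW_S:   # expire samples older than the window
            self.totals[key] -= win.popleft()[1]
        if self.totals[key] <= MAX_PKTS:
            return "allow"
        self.blocked_until[mac] = ts + BLOCK_S
        for k in [k for k in self.windows if k[0] == mac]:
            del self.windows[k], self.totals[k]     # restart clean after the block
        return "block"

# Constructed samples: (time in s, device MAC, destination, packets)
SAMPLES = [
    (0, "aa:bb:cc:00:00:01", "198.51.100.7", 40),    # thermostat, normal traffic
    (1, "aa:bb:cc:00:00:02", "203.0.113.9", 600),    # camera starts flooding
    (2, "aa:bb:cc:00:00:02", "203.0.113.9", 600),    # over threshold: block device
    (3, "aa:bb:cc:00:00:02", "203.0.113.9", 600),    # dropped while blocked
    (4, "aa:bb:cc:00:00:01", "198.51.100.7", 40),    # other devices unaffected
    (302, "aa:bb:cc:00:00:02", "203.0.113.9", 5),    # block lifted at t=302
]

def run(samples=SAMPLES):
    blocker = TempBlocker()
    return [blocker.observe(*s) for s in samples]
```

Only the offending device is cut off, and only for `BLOCK_S` seconds; a real controller would enforce the verdict in the router's packet filter rather than return a string.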
Another major challenge facing the IoT is making sure that devices can work with one another. For that, all devices need to 'speak the same language', even if they are made by different companies.
Interoperability is important, because all sorts of smart devices and appliances ('things') from lots of different manufacturers are going to enter our homes, workplaces and vehicles in the years ahead. They're likely to include smart sensors, speakers, IP cameras, TVs, thermostats, vacuum cleaners, lights, locks, meters, wearables and much more besides. They'll all be directly or indirectly connected to our home or work networks. And they'll all leave their mark on the way we live our lives from day to day.
Wild growth in the product assortment
Because the IoT boom is only just beginning, manufacturers are currently falling over each other to grab a slice of what promises to be a lucrative market. In this phase, time to market and pricing are crucial for any company with the ambition to become a significant player. As a result, many products are being rushed into production and designed to operate on the basis of closed proprietary standards. For example, there are smart thermostats that will only work with the manufacturer's cloud server. In some cases, the security is modest and interaction with other network components is often poor. Yet the idea is for these products to spend a lot of time connected to our networks, unsupervised.
Unsustainable in the long term
The current situation clearly can't continue for long. Things need to improve, and there is no reason why they shouldn't. For instance, interoperability could be improved by the use of open standards. Then a smart TV of brand A can connect securely to any home network. And a home router of brand B can automatically set up a security profile specially tailored to that TV.
The success of open standards
Much of the internet's enormous success is down to open standards and the interoperability they provide. If we want the current wave of smart innovation to bring us secure and reliable products, we need to transfer the internet's success formula to the IoT. Then the smart devices of the future can connect and integrate without difficulty. Open standards provide a framework for an IoT where the things are secure, maintainable and interchangeable.
IETF to the rescue
The Internet Engineering Task Force (IETF), the community that develops many internet standards, recognises the importance of standardisation for the IoT. Along with various other standards developing organisations (SDOs), the IETF is already working hard to address the situation. And developments have recently started to gather real momentum.
Core dealt with first
First, the 'core' communication protocols needed to be adapted in line with the particular requirements of smart devices. Many are constrained, low-power devices, which frequently hibernate to save energy, for example. The need for specially adapted communication standards has led to the development of protocols such as 6LoWPAN.
From the Internet of Things to the Web of Things
The second phase of standardisation involved improvements to higher infrastructural layers: the stack. There was a particular need for change at the web level, to transform the IoT into a Web of Things (WoT). Standards that use REST as a basis for enabling communication with things represent one way of moving towards that goal, the Constrained Application Protocol (CoAP) being a good example. Product manufacturers are now making increasing use of CoAP, e.g. in smart lamp hubs.
The lifecycle of a thing
More recent developments have related to the lifecycle of things. How can thousands of IoT devices (e.g. all the lights in a large building) easily and securely register with the network? How do we realise their continued maintainability and, for example, make sure they all get their firmware updated promptly? And what about a straightforward, scalable solution that would enable routers and firewalls to automatically define bespoke security profiles for individual things?
SIDN Labs and standardisation
Our SPIN research project and the experience we've gained with the prototype of the SPIN controller in our IoT lab have yielded a lot of insight and ideas. We're now looking to use that insight and those ideas to help push forward IoT security standardisation through the IETF. Further standardisation of security on the IoT – and especially in home networks – represents an opportunity to advance our mission of helping to make connected living easier and safer for everyone.
Lots of IoT topics are again on the agenda of the upcoming hundredth IETF meeting (11 to 17 November). We'll certainly be keeping a close eye on the T2TRG (Thing-To-Thing Research Group), the CoRE WG and the Homenet WG. And we'll keep abreast of what's happening in groups working on related topics as well. SIDN Labs has always worked closely with the IETF. We regularly contribute to internet standards and our ambition is to play a similar role in the development of the IoT.