People are looking into improved security practices for manufacturers, enhanced policies and laws on security and privacy on both national and international levels, as well as better ways to inform users about what their devices may be doing behind their backs. In order to keep the internet safe, we think we need all of these.
At SIDN Labs, we are of the opinion that there is no single silver bullet to increase the security of devices and the privacy of people in the internet of things (or the internet in general), so continuous improvement is needed on all the fronts mentioned above.
With that in mind, we have recently started a new research project to address one specific aspect of the issue: Security for In-home Networks (SPIN). The goal of the project is to design, prototype and evaluate the SPIN controller, a system for use in home networks that puts users back in the driving seat in terms of their security and privacy. The SPIN controller allows users to see and control how secure their connected IoT devices are and what they do on the internet. In its most basic form, this is similar to a personal firewall, but for a whole network of IoT devices rather than for, for instance, a local desktop system.
We chose to focus our work on home networks because it enables us to kill two birds with one stone in terms of security: we will help secure end-users’ home networks and we will reduce attackers’ abilities to misuse home IoT devices for attacks on the wider internet infrastructure. The latter is particularly important to operators of critical internet infrastructure, such as SIDN as the registry of the .nl TLD.
Of course, solutions for monitoring and controlling home networks are already available. There are quite a few traffic monitors and firewall implementations. But most of these tools abstract either too much or too little information. For example, traffic statistics tools generally show totals only, and router-based firewalls require users to carefully configure individual rules with a lot of low-level detail. Also, they are not tailored to the specific risks of IoT devices, and users often need in-depth knowledge to make effective use of the software and understand its output.
Our objective is to research ways to find a good middle ground here, and to develop open-source prototypes that can be picked up and used elsewhere by third parties.
Our initial prototype of the SPIN controller focuses on privacy awareness and basic visualisation, emphasising the ‘chattiness’ of some IoT devices. The current version of the SPIN software shows the last ten minutes of network activity (see Figure 1). The screenshot shows internal devices in grey, recent connections in green, and older connections in blue. The small window on the left shows some additional information about any selected node or address.
Figure 1: SPIN visualiser prototype screenshot
Figure 2 shows a screencast of our initial version of the SPIN software running in a network with a smart TV, a RIPE Atlas probe, as well as a few other devices. The smart TV actually connects to services that a user might not have expected or asked for (in this case, among other things, the smart TV connects to Facebook, see the video at 1:31).
Figure 2: SPIN visualiser prototype video
We made the SPIN software available as open-source software on GitHub. We’ll also bundle it with the Valibox software, an image for OpenWRT-based home routers that enables them to validate DNSSEC signatures and become a “validating box”. A working prototype is already available as Beta software for existing Valibox devices.
We are only in the early stages of our research. We foresee a number of additional modules for the SPIN controller, which will enable it to better meet the goals of enhancing the security and privacy of an in-home network and of the growing number of IoT devices connected to it.
One of the next steps, for example, will be to allow the user to intervene and block traffic they don't trust. Further enhancements will assist the user with the associated decision-making, by providing more insight and even recommendations. We also foresee intelligent modules that can scan an internal network for obvious loopholes such as default passwords or unintended open ports.
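To make the two ideas above concrete (the ten-minute activity window with "recent" versus "older" connections from the visualiser description, and the planned ability for a user to block traffic they do not trust), here is a small added example in Python. It is not SPIN's own code and does not reflect how the SPIN controller is implemented; it models the data a visualiser would draw from a stream of flow records and applies a per-device block list. The one-minute "recent" threshold, the RFC 1918 test for internal nodes, and all addresses and flows are assumptions constructed for the example.

```python
"""Sliding-window view of home-network flows with a user-maintained block list.

Added example; not part of the SPIN project. All thresholds and sample data
below are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

WINDOW_SECONDS = 600.0   # the visualiser shows the last ten minutes of activity
RECENT_SECONDS = 60.0    # assumption: connections younger than this are "recent" (green)

# Assumption: RFC 1918 ranges mark nodes as internal; everything else is an internet destination.
PRIVATE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the private ranges."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)


@dataclass
class Flow:
    ts: float   # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int


@dataclass
class Monitor:
    window: float = WINDOW_SECONDS
    recent: float = RECENT_SECONDS
    # (src, dst) -> timestamp of the most recent flow on that edge
    last_seen: Dict[Tuple[str, str], float] = field(default_factory=dict)
    # (device, destination) pairs the user has decided not to trust
    blocked: Set[Tuple[str, str]] = field(default_factory=set)

    def block(self, device: str, dest: str) -> None:
        """Record a user decision: traffic from `device` to `dest` is not wanted."""
        self.blocked.add((device, dest))

    def observe(self, flow: Flow) -> str:
        """Record a flow (blocked or not, so the user still sees it) and return the verdict."""
        key = (flow.src, flow.dst)
        self.last_seen[key] = max(self.last_seen.get(key, 0.0), flow.ts)
        return "block" if key in self.blocked else "allow"

    def expire(self, now: float) -> None:
        """Drop edges whose last activity is older than the window."""
        cutoff = now - self.window
        self.last_seen = {k: t for k, t in self.last_seen.items() if t >= cutoff}

    def snapshot(self, now: float) -> dict:
        """Return the nodes and edges a visualiser would draw at time `now`."""
        self.expire(now)
        nodes: Dict[str, str] = {}
        edges: List[dict] = []
        for (src, dst), t in self.last_seen.items():
            for addr in (src, dst):
                nodes[addr] = "internal" if is_internal(addr) else "external"
            age = now - t
            edges.append({
                "src": src,
                "dst": dst,
                "age": age,
                "colour": "green" if age < self.recent else "blue",
                "blocked": (src, dst) in self.blocked,
            })
        return {"nodes": nodes, "edges": edges}


def build_demo() -> Tuple[Monitor, List[str]]:
    """Constructed sample: a smart TV and a RIPE Atlas probe on 192.168.1.0/24.

    The private addresses, the TEST-NET destinations and the timestamps are made up.
    """
    tv, probe = "192.168.1.20", "192.168.1.30"
    m = Monitor()
    m.block(tv, "203.0.113.5")  # the user marked this destination as untrusted
    flows = [
        Flow(0.0, tv, "203.0.113.5", 443),      # blocked, and will age out of the window
        Flow(100.0, probe, "198.51.100.7", 443),  # allowed, "older" by the time of the snapshot
        Flow(600.0, tv, "203.0.113.9", 443),      # allowed, "recent" at the snapshot
    ]
    verdicts = [m.observe(f) for f in flows]
    return m, verdicts


if __name__ == "__main__":
    monitor, verdicts = build_demo()
    print("verdicts:", verdicts)
    for edge in monitor.snapshot(650.0)["edges"]:
        print(edge)
```

Taking a snapshot at t=650 drops the t=0 flow (older than ten minutes), colours the probe's connection blue and the TV's newest connection green, and the verdict list shows which flows the user's block decision would have stopped. A real controller would feed the same structure to a visualiser and push the block decisions down to the router's firewall.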