Growing number of smart devices
From smart lamps to Wi-Fi-enabled robot vacuum cleaners: all sorts of smart devices are now available, which can be connected to the internet to form part of the Internet of Things. And many consumers buy them without thinking much about the digital security implications. As a result, such devices are often connected directly to the internet, or used with the default passwords unchanged, or left to run outdated, vulnerable software.
Security is often neglected
Because not all manufacturers or consumers pay enough attention to security, an insecure IoT ecosystem is developing, where many smart devices are easy to hack. The implications of that were illustrated by the DDoS attacks mounted by the Mirai botnet at the end of 2016. Those attacks involved 1.2 Tbps and 600k IoT bots. However, as smart devices proliferate, future attacks could be even more serious. In order to head off the danger, various forms of intervention are needed, including government regulations requiring all devices to meet certain minimum cybersecurity standards. Another possibility is the active protection of home networks. And that is why we are developing SPIN.
What does SPIN do?
SPIN is our open-source security platform, which protects the internet and its users against insecure smart devices in home networks. SPIN analyses the traffic on a home network (IP addresses and domain names only) and temporarily isolates or restricts any device that exhibits abnormal network behaviour. The rationale is that abnormal behaviour may indicate that the device has been hacked. For example, if a Wi-Fi-connected smart lamp has spent months sending only occasional messages at night and then starts generating large message flows in the daytime, that would give cause for concern. By isolating a device like that, we can prevent it from playing an active role in a botnet-based DDoS attack on a DNS operator like Dyn or an organisation like ours.
SPIN blocks devices individually
The approach used by SPIN enables the precisely targeted blocking of insecure smart devices. That is in contrast to what normally happens at the moment: ISPs will typically quarantine an entire home network if a hacked device is detected within it. A non-selective approach of that kind will cease to be workable if it becomes commonplace for a home to have hundreds of smart devices, some of which the householder knows little or nothing about. Indeed, shutting down a whole home network could have serious consequences if, say, smart door locks or medical devices are prevented from accessing the net.
For the consumer of the future, our SPIN software offers a better way of preventing the remote hijacking of insecure devices. It does that by profiling every smart device on the home network. Each profile defines the device's permitted incoming and outgoing connections.
SPIN runs on OpenWRT, and ready-to-use images can be downloaded for several popular mini-routers.
Improvement #1: software redesign
After producing several proof-of-concept versions of SPIN in 2017, we undertook the first software redesign at the start of this year. That involved leaving behind the largely monolithic structure of the original SPIN software in favour of a modular design. Our aim was to enable the traffic capture, message broker and measurements/analyses to run on separate systems. Separation opens the way for data analysis that requires more processor power than home routers typically possess, or for the retention of longer data traffic histories, for example.
With the redesign now complete, we have started work on upgrading the individual components: (1) the SPIN agents; (2) the network measurement centre; and (3) the UI.
Improvement #2: SPIN agent
We have developed a new version of the SPIN agent. In the original software, data traffic capture was performed by a custom kernel module. We opted for a custom kernel module because the alternatives were seen as having drawbacks: the limitations of typical router hardware are such that a tcpdump-based approach would require too much processor time, while the use of an off-the-shelf kernel would imply excessive data loss. However, recent developments in SPIN and OpenWRT mean that a ready-made capture method can now be adopted, enabling us to make the agent more flexible. One advantage of the new approach is that the SPIN agent is now easier to run on various platforms.
Improvement #3: network measurement centre
We've also developed the first version of the network measurement centre: a module that 'remembers' the traffic pattern associated with each device and uses it to build a real-time model. Having a traffic pattern history means that we can detect anomalies by comparing a device's current behaviour with its historical behaviour. So issues such as the one involving the smart lamp described above can be flagged up, for example. Whenever a serious anomaly is detected, the user can be alerted or the device can be isolated from the internet. With our new design, the network measurement centre can run on another network-connected device that has more computing power.
A specimen anomaly detection implementation has been developed as well. The idea is that third parties can take inspiration from our specimen and develop their own anomaly detection algorithms using data from the network measurement centre.
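As an added illustration (not SPIN's own code or its specimen implementation), the following Python sketch shows the kind of history-based comparison described above, using the smart lamp scenario: the model remembers how many flows each device produced per hour of day, and a new hour is flagged when it far exceeds that history. Device names, destinations, thresholds and the flow records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10   # flag an hour holding >= 10x the most flows ever seen in that hour of day...
MIN_FLOWS = 20   # ...and at least this many flows, so a few extra messages raise no alarm

class DeviceModel:
    """Per-device history: flows per hour of day, kept as one count per calendar day."""

    def __init__(self):
        self.hist = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))

    def learn(self, flows):
        """flows: iterable of (datetime, device_id, destination); only timing is modelled here."""
        for ts, device, _dest in flows:
            self.hist[device][ts.hour][ts.date()] += 1

    def baseline(self, device, hour):
        """Most flows this device produced in this hour of day on any single past day."""
        return max(self.hist[device][hour].values(), default=0)

def detect_anomalies(model, new_flows):
    """Compare new flows with the history; return (device, hour, count, baseline) per anomaly."""
    counts = defaultdict(int)
    for ts, device, _dest in new_flows:
        counts[(device, ts.date(), ts.hour)] += 1
    anomalies = []
    for (device, _day, hour), count in sorted(counts.items()):
        base = model.baseline(device, hour)
        if count >= MIN_FLOWS and count >= THRESHOLD * max(base, 1):
            anomalies.append((device, hour, count, base))
    return anomalies

def constructed_history():
    """Constructed sample: a lamp that for 30 nights sends one message at 03:00."""
    start = datetime(2018, 9, 1, 3, 0)
    return [(start + timedelta(days=d), "lamp", "cloud.lamp-vendor.invalid") for d in range(30)]

def constructed_new_day():
    """Constructed sample: the lamp's usual night message plus 200 daytime flows at 14:00."""
    day = datetime(2018, 10, 1)
    flows = [(day.replace(hour=3), "lamp", "cloud.lamp-vendor.invalid")]
    flows += [(day.replace(hour=14, minute=i % 60, second=i // 60), "lamp", f"203.0.113.{i % 250 + 1}")
              for i in range(200)]
    return flows

def run_constructed_scenario():
    """Train on the quiet history, then score the day the lamp starts talking at 14:00."""
    model = DeviceModel()
    model.learn(constructed_history())
    return detect_anomalies(model, constructed_new_day())  # -> [("lamp", 14, 200, 0)]
```

Only the 14:00 window is reported; the lamp's usual single night message stays within its history and is not flagged.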
Improvement #4: UI, configuration and control
The SPIN software now also provides web APIs on the internal network, which can be used by other frontends besides the SPIN Traffic Visualiser. In addition, the SPIN Traffic Visualiser now allows advanced users to download all the data traffic associated with a particular device, facilitating the analysis of a smart device's internet behaviour by researchers, for example.
Other research with SPIN
Over the last year, we've used SPIN to carry out other research as well: Caspar Schutijser (then a final-year student and now a member of the SIDN Labs team) wrote a thesis on the use of MUD for automated DDoS protection. Using SPIN as the basis, we've also developed a prototype system that enables an ISP to alert a router to suspect traffic. The router (or the user) can then decide whether the network device in question should be blocked. That avoids the need to quarantine the entire network and opens the way for neutralising hacked devices on a targeted basis, without having to reveal network information to the ISP.
Plans for 2019
We plan to build on the improvements described above by doing further research. For example, we'll be studying a number of devices in detail, with a view to devising a more general method for analysing smart devices, so that other researchers can do similar studies of their own. One approach is to log the internet services used by a device as a basis for identifying unexpected connections, such as a smart TV that contacts Facebook. To test that approach, we've already used SPIN in seminars as part of Security Services of the IoT (a university course that we deliver), where students carried out small-scale measurements for their practical. We also want to investigate the modelling of IoT devices in collaboration with academic partners. In addition, we'll be continuing work on the development and standardisation of MUD. And, finally, we want to make SPIN easier to roll out. We'll keep you informed!
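As an added example (not the SPIN project's code), this Python snippet shows the per-device profile idea described earlier applied to the smart TV case: each profile lists the connections a device is permitted to make and receive, unexpected connections are reported per device, and only the offending device is isolated while the rest of the home network stays online. Profiles, hostnames, addresses and flows are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class DeviceProfile:
    """Permitted connections for one device (a constructed, SPIN-style per-device profile)."""
    device: str
    outgoing: set = field(default_factory=set)  # peers it may contact; ".x.tld" allows any subdomain
    incoming: set = field(default_factory=set)  # peers that may connect to it

def permitted(rules, peer):
    """Exact match, or suffix match for rules written as '.domain.tld'."""
    return any(peer == r or (r.startswith(".") and peer.endswith(r)) for r in rules)

def unexpected_connections(profiles, flows):
    """flows: (device, 'out'|'in', peer). Unprofiled devices and unlisted peers are unexpected.
    Returns device -> sorted list of 'direction:peer' strings."""
    bad = {}
    for device, direction, peer in flows:
        profile = profiles.get(device)
        if profile is None:
            rules = set()
        else:
            rules = profile.outgoing if direction == "out" else profile.incoming
        if not permitted(rules, peer):
            bad.setdefault(device, set()).add(f"{direction}:{peer}")
    return {d: sorted(p) for d, p in bad.items()}

def devices_to_isolate(profiles, flows):
    """Only the devices that stepped outside their profile; everything else stays online."""
    return sorted(unexpected_connections(profiles, flows))

# Constructed profiles and observed flows (hostnames under .invalid, private LAN address).
PROFILES = {
    "smart-tv": DeviceProfile("smart-tv", outgoing={"update.tv-vendor.invalid", ".cdn.tv-vendor.invalid"}),
    "door-lock": DeviceProfile("door-lock", outgoing={"api.lock-vendor.invalid"}, incoming={"192.168.1.10"}),
}
FLOWS = [
    ("smart-tv", "out", "update.tv-vendor.invalid"),
    ("smart-tv", "out", "eu.cdn.tv-vendor.invalid"),
    ("smart-tv", "out", "www.facebook.com"),      # not in the TV's profile
    ("door-lock", "out", "api.lock-vendor.invalid"),
    ("door-lock", "in", "192.168.1.10"),          # the householder's phone on the LAN
]

if __name__ == "__main__":
    print(unexpected_connections(PROFILES, FLOWS))   # {'smart-tv': ['out:www.facebook.com']}
    print(devices_to_isolate(PROFILES, FLOWS))       # ['smart-tv']
```

The door lock keeps its connectivity because it stayed within its profile; only the TV's unexpected contact is acted on.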