Redesigning SPIN to a reference platform for secure and privacy-enabled IoT home networks
We are redesigning SPIN, our open-source system for protecting the internet and end-users against insecure IoT devices in home networks. The objective of our new design is to increase the uptake of SPIN-like systems by turning SPIN into an open and flexible reference platform that developers can use as the basis for their in-home security applications, such as for a product or for research. In this blog, we explain what we’ll be changing, why, and how we’ll be moving forward in the next few months.
Update Jan 23, 2018: (1) added the research community as a target group that might benefit from SPIN’s new design, (2) updates after reviewing the Dutch translation.
Security and privacy in the IoT
The Internet of Things (IoT) is a much-hyped concept that we at SIDN Labs simply think of as a set-up where pretty much every device on the planet is connected to the internet. That includes devices that weren’t on line before, such as door locks, light bulbs, vacuum cleaners and baby monitors.
While we believe that the IoT will enable all kinds of new services that will help us in our daily lives, it also poses a potentially huge security threat, because IoT devices are often insecure. This is particularly true for home networks (check out this disturbing scenario), because their users are notoriously careless when it comes to updating software for security reasons. In addition, manufacturers of in-home IoT devices typically have little interest in securing their products, for instance because they want to deliver them to consumers quickly and cheaply and perhaps also because they’re increasingly not from the computer industry.
Major security risks
The result is an unhealthy ecosystem of vulnerable IoT devices, which pose two major types of threat. First of all, they’re a threat to the internet as a global communications infrastructure, because insecure IoT devices enable massive DDoS attacks. That was exemplified in late 2016 by the 1.2 Tbps Mirai botnet attack on DNS operator Dyn, which led to large-scale outages of popular services such as Spotify and Twitter. That event motivated our work on IoT security, because SIDN is the authoritative DNS operator for the .nl top-level domain and we’re obviously keen to avoid Dyn-like scenarios.
The second threat from insecure IoT devices is that they jeopardise the security, privacy, and perhaps even safety of end-users. For example, an adversary might compromise a device such as a baby monitor and reroute its video feed. Or the manufacturer of a smart fridge might collect data on the usage of the fridge and quietly sell it to interested third parties, thus revealing the home owner’s midnight-snacking behaviour or product choices. Another example is a remote adversary illegally increasing the temperature in a room, which might result in the house’s smart windows opening automatically.
We developed the SPIN (Security and Privacy for In-home Networks) system to address those two threats, with a particular focus on mitigating IoT-powered DDoS attacks. Our key challenge is to proactively block DDoS attacks as close as possible to their source in the home network. That is difficult, because such attacks are unlikely to be of interest to end-users, simply because they do not know the victims that are being DDoS’ed by the devices in their home. Also, when an IoT device is part of a botnet and participates in a DDoS attack, the owner of the device may not even notice the relatively low volume of DDoS data on their high-speed internet connection. The impact on the device owner is therefore minimal, but the impact on the target of the attack can be catastrophic. Good incentives are consequently needed to get end-users to take an interest in protecting their home networks, thus making the internet safer.
To protect the internet from IoT-powered DDoS attacks, SPIN introduces the concept of a reverse firewall, which blocks outgoing connections from IoT devices to the internet if they exhibit DDoS-like behaviour. SPIN does that by measuring and analysing the headers of all traffic flows and blocking the flows that it considers undesirable or harmful. In addition to blocking potential DDoS traffic, the reverse firewall also protects users, for instance against IoT devices quietly sending personally identifiable information to services on the internet. The reverse firewall therefore protects both the internet and end-users against insecure IoT devices.
SPIN also visualises traffic flows so that the user can see what is happening on the network.
We released the SPIN software as open source so that anyone can compile and install it on an OpenWRT device in their home network. We also publish our results so the community can benefit from our experiences.
Next step: reference platform
While we were developing SPIN, we realised two things: (1) we were working on a specific solution that would only work for a limited number of centralised deployment scenarios and (2) there seemed to be a demand for SPIN-like systems, because commercial solutions such as F-Secure’s Sense and the Bitdefender Box were hitting the market.
We therefore decided to change the focus of our efforts from developing a specific solution to developing a modular, open reference platform for all types of in-home security applications, with at its core an easy-to-use facility for device and network measurements. This for instance allows developers to build SPIN-based products, which consist of application software that makes use of SPIN’s core functions (such as SPIN’s measurement and reverse firewall functions). It also allows the researcher community to use SPIN to develop and evaluate new security mechanisms, such as botnet detection algorithms and new user interface concepts.
Additional design goals
To change the SPIN system to a reference platform, we set two additional design goals, aimed at increasing the uptake of SPIN-based systems: (1) to enhance SPIN’s added value for application developers by providing a high-level interface for in-home network measurements and (2) to support a wider range of deployment scenarios for SPIN-based systems, including interoperability with other SPIN-based systems in the same home.
We retained our initial design goals of making SPIN suitable to run on equipment in the home, making SPIN operate at the network level so that it works with any IoT device, and keeping the end-user in control (see our tech report for more details).
Figure 1 is an overview of the architecture of a SPIN-based system, featuring two distinct component groups: lightweight SPIN agents that measure network traffic and more intelligent controllers. The separation is new and enables us to use the system for a larger set of deployment scenarios.
An agent captures traffic flows, generates flow digests, and can block traffic flows. A controller receives digests from one or more agents, analyses them, and can order the agents to block the traffic flows from certain IoT devices. For example, a controller may detect that a device is generating traffic flows that match the Mirai botnet; the controller then orders the appropriate agent to quarantine (block) the infected device.
Controllers and agents may be hosted on the same device, but our new design also supports deployment scenarios with several agents and one or a few controllers elsewhere in the network. For example, there may be a separate Wi-Fi hotspot on each floor of a house, each with its own agent and all governed by a central controller that runs on a general-purpose, always-on device such as a network-attached storage (NAS) device.
Figure 1. Components of a SPIN-based system
Platform versus applications
Figure 1 shows that a SPIN-based system consists of platform components (blue boxes) and application components that make use of the SPIN platform (green boxes).
Application components provide added value by enabling end-users to use a SPIN-based system and access its functions via a user interface, such as a website or mobile app. Examples of such components are anomaly detection modules, device vulnerability analysers, and in-home device maps (showing which device is where). Application components can for instance be implemented by (commercial) organisations, by the SPIN community, or by the research community.
The SPIN platform components are: the SPIN agent (see above), the network measurement facility (NMF), and the SPIN reverse firewall. The NMF provides application developers with a high-level longitudinal model of the home network and its IoT devices through a well-defined API so developers don’t have to deal with the particularities of low-level measurements. The reverse firewall automatically blocks outgoing traffic from insecure devices on the network, for instance to prevent vulnerable IoT devices from distributing privacy-sensitive data, infecting other networks or transmitting outgoing DoS traffic.
Our work on anomaly detection will initially focus on checking device behaviour against the behaviour that device manufacturers specify. There are standardisation efforts, such as Manufacturer Usage Description (MUD), that allow manufacturers to specify what a device is allowed to do. SPIN’s reverse firewall will use MUD specifications in combination with the NMF to detect devices that are not behaving according to the specifications, with a view to identifying and blocking infected devices, for example. The approach will also enable us to push the deployment of new IoT security standards, such as the MUD draft.
In addition to making SPIN available as a reference platform for in-home IoT security systems, we will also be using SPIN as a vehicle for security research, for instance by allowing users to make and share device profiles with the SPIN community. We expect that SPIN as an open reference platform will be greatly beneficial for the IoT-security community, end-users and the internet at large.
In the next months, we will restructure the SPIN software to follow the reference framework shown in Figure 1. We will also look at ways of standardising the interfaces between components, so that software manufacturers can easily connect to (parts of) SPIN. Finally, we will make preparations for a pilot study with end-users.