SPIN: A User-centric Security Extension for In-home Networks

The internet of things (IoT) will connect billions of devices to the internet that we normally do not think of as computers, such as fridges, cameras, and light bulbs. At SIDN Labs, we are developing a system called SPIN (Security and Privacy for In-home Networks) that aims to reduce the security risks that these devices pose to core internet systems, service providers, and end-users. We discuss our ongoing work on the design and implementation of the system in a technical report, which we released today.

Threat to the DNS

While the internet of things (IoT) promises to enable many new types of services and applications, IoT devices are often poorly secured and as a result pose a threat to the security and stability of the core systems of the internet, such as to the Domain Name System (DNS). In October 2016, for example, DNS operator Dyn was hit by a Denial of Service (DoS) attack carried out through millions of IoT devices compromised with the Mirai botnet that allegedly reached an aggregate magnitude of 1.2 Tbps. Other potential targets of such attacks include operators of top-level domains (such as .nl, operated by SIDN), hosting providers, and application service providers.

Threat to end-users

Another consequence of poorly secured IoT devices is that they compromise the security and privacy of end-users, for instance because they allow attackers to send spam from a vulnerable fridge. This jeopardizes users’ trust in the internet and their home environment, in particular because the average end-user typically finds it hard to distinguish between well and poorly secured IoT devices and in many cases even lack the interest in these characteristics.

SPIN

These developments motivated us to design and implement the system for Security and Privacy for In-home Networks (SPIN), which provides network-level security functions that monitor and automatically block vulnerable IoT devices. The goal of the SPIN system is to protect (1) DNS infrastructure operators and other service providers on the internet from DDoS attacks and (2) to protect users’ security and privacy in their homes. SPIN focuses on home networks because they are typically not as well-managed as corporate ones. Our view is that SPIN is an element of a wider integrated approach to IoT security, which for instance also involves setting up a commonly applied security certification mark for IoT devices.

Users at the centre

SPIN takes a unique user-centric approach in that it (1) allows users to easily deploy the system through pluggable SPIN devices that automatically monitor and block traffic for groups of IoT devices in the home, (2) protects users’ privacy by keeping all processing and threat handling on the SPIN devices in their home, (3) allows users to configure the system with their security control preferences, for instance in term of the system’s traffic blocking behavior. SPIN is also unique because it enables the security community to provide traces of malicious traffic, thus extending the systems’ threat detection capabilities.

Prototype

We have developed a working prototype of the SPIN system, which focuses on visualizing and blocking traffic to and from IoT devices for privacy protection purposes. The source code is available in the form of an open source package for OpenWRT devices, but can also be built and run on other Linux-based systems. We bundled it with our Valibox firmware for DNSSEC validation. A screencast of the SPIN dashboard for a SPIN device running in an actual home network is available here.

Tech report

Our technical report discusses our ongoing work on the design and implementation of the SPIN system, which builds on the work we previously reported on in this blog.

Feedback welcome!

As usual, we welcome feedback on our work. If you would like to share your thoughts with us, then please drop us an e-mail at labs@sidn.nl or contact us via Twitter @sidnlabs.Download the full tech report.

Reacties

Cristian_Hesselman

Cristian Hesselman

Directeur SIDN Labs

+31 6 25 07 87 33

cristian.hesselman@sidn.nl

  • donderdag 21 december 2017

    Nieuws

    SIDN steunt 'Later als ik groot ben'

    Thumb-screenshot-devolendammerslager.nl

    RTL4-programma onderstreept belang van digitale vaardigheden

    Lees meer
  • donderdag 24 januari 2019

    Nieuws

    SIDN fonds: nieuwe call & nieuwe lichting projecten van start!

    Thumb+logo+SIDN+fonds

    De 1e call van 2019 opent op 28 januari

    Lees meer
  • woensdag 30 januari 2019

    Nieuws

    DNS software-ontwikkelaars willen code opschonen

    Thumb-software-developer-programming-code-on-computer

    "Bijna een kwart van de code is nu voor workarounds en corner cases"

    Lees meer

Sorry

De versie van de browser die je gebruikt is verouderd en wordt niet ondersteund.
Upgrade je browser om de website optimaal te gebruiken.