This article is by James Willison, Project & Engagement Manager, IoT Security Foundation
Few of us realize that our Internet connection relies on the strength of our router's security. So much of what we depend on in our modern day lives comes into our homes and businesses via that box sitting near the front door. We pay attention to our front door and try and ensure it is locked and bolted. but what about that box supplied by the broadband provider?
Well, I am sorry to warn you that it is the most targeted IoT device – if an attacker can control it, then it's really game over for the rest of your home and small business. Software company Symantec has advised that 75% of all IoT attacks are on infected routers, with 15% against webcams, so that’s a concern to some of us too! Of course, everything comes through the trusty box at the front door.
So, while your house might be built on solid ground and the physical foundations are firm, it is unlikely that the Internet connection is as strong as you think. There are people who are entering your home and you have opened it to them. In the words of the song, "Who are you? I really want to know!"
Our problem is that we don't ask this question on a regular basis regarding our networks because we assume our broadband provider is looking after that for us. While they will of course be doing security at various levels, there is much on our networks which is simply not secure and should be of concern to us.
I have been aware of IoT security issues in the home, small business and the enterprise for some time, as I have worked closely with my good friend and colleague Sarb Sembhi for many years. It was when I met Dr. Nick Allott in November 2018 that I became more aware of the severity of the problem, as he explained that most of the home routers we use today are not secure and that the devices they manage have little or no security either. This is not to mention other complications like wireless extenders, smart speakers, and applications on your network to add to the mix.
Join the Project to Help Protect Home Networks
The great news is that for over two years, Nick's company, Nquiringminds, has led an Innovate UK consortium of partners including the University of Oxford Cyber Security Centre, Cisco, the IoT Security Foundation and recently BT to develop a range of solutions to improve the situation. The project is called "manysecured" and its objectives are to detect and protect against IoT vulnerabilities on the router and the network. It is a truly international collaboration based on open source software and has gained the interest of NIST and US government's CISA. I was privileged to join the project in March this year, and we are seeking to involve other professional stakeholders such as IoT manufacturers and security professionals.
I am confident that given the collaborative nature of the various solutions which comprise the manysecured project that the prototype will be launched at the IoT Security Foundation’s conference on Oct. 5.
In essence, there are five functions within the project's special interest group.
- The first has produced a set of requirements for ISPs to ensure best practices for the router itself.
- The second has proposed a secure user Internet browser which will help when you log on and configure your router
- The third seeks to identify devices on your network. This includes describing what they are. We are looking for IoT manufacturers to help us with this. Many of our readers have been actively seeking to develop the cybersecurity of physical security devices and systems and so we appeal to you to join us to ensure we get this right.
- The fourth solution monitors the security events and raises alerts for the hub
- The fifth controls the threats
Most importantly, all these processes are interoperable such that the home network is protected. It seeks to address the principles of secure boot, storage, and secure processing. The place of AI is important because of the volume of data and the difficulty in knowing who and what is on your network. Hence concepts like "zero trust," which Nick has helpfully defined as "multifactor continuous verification," are foundational. Similarly, "cognitive security," which he summarizes as "AI based on human thought patterns to protect physical and digital devices and systems" is a cornerstone of the project.
As security convergence is a response to IoT risk, an area for all of us to improve is the security of the physical devices and systems in the supply chain and the business. If we can get the router, the front end of so many of our homes and small businesses and therefore 90% of the environment, into a better state than it is right now, then we will be on our way to rebuilding that wall which, at the moment, has a massive hole in it.
As J.R.R Tolkein wrote in The Lord of the Rings : "A gaping hole was blasted in the wall. A host of dark shapes poured in." The response required an alliance of several large armies for victory to be achieved. The same is needed today if we are to secure our internet gateways and devices.
This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.