A possible future for IoT security
There are many problems with Internet of Things devices, and security is one of the biggest ones.
To serve as an example of this important issue, two researchers from Princeton University have recently analyzed the network traffic to and from five currently very popular IoT devices: the Samsung SmartThings hub, the Sharx security IP camera, the PixStar digital photoframe, the Nest thermostat, and the Ubi Smart speaker.
One of the researchers, CS Ph.D. student Sarthak Grover, shared their results at PrivacyCon, held earlier this month.
In short, they found that some of these devices send and receive unencrypted traffic, which could lead to the leaking of sensitive information: passwords, chats, sensor readings, email addresses, information about the devices themselves, what the user is doing and how he is behaving, updates, etc.
The best of them, when it comes to security, are the Nest Thermostat and the Samsung SmartThings Hub (for more specific details about each of the devices check out the slides for the researchers’ talk).
Securing smart-home networks and the devices on them is going to be a hard task, they noted. The current market is full of different (mainly small) manufacturers (some of which are using novice programmers who don’t know much about security), the hardware has limited capabilities and resources, the solutions use non-standard protocols and ports, and most of the data that they send out goes to an online server in the cloud.
Fixing current products might be a big problem, but Grover has hopes for the future, as people are working on securing the IoT, trying to build security in at the ground level.
Researchers should be encouraged to find and report bugs, but while bug bounties may work for big companies, the IoT market is full of small ones – can this work for them?
“For example, in the case of a smart home, all our information is going to go through a gateway inside the house. The gateway might be provided to us through the ISP or might be our own, but maybe there are parts of security that we can implement at the gateway itself, maybe we can tell the gateway to enforce certain standards regarding the network protocols which are being used by the various devices, or at the very least this gateway could inform us that the devices are not using the right security standards,” he noted.
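The gateway idea in the quote above can be sketched as a passive audit. This is an added example, not code from the researchers or from any of the vendors named. It assumes the gateway can see the first client payload of each outbound flow; the device labels, ports and payload bytes are constructed, and `looks_like_tls` and `audit` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample flows: (device label, destination port, first client payload).
# Labels and bytes are invented for illustration, not captured from real devices.
SAMPLE_FLOWS = [
    ("thermostat", 443, bytes.fromhex("16030100c8010000c40303")),
    ("camera", 80, b"GET /snapshot.jpg HTTP/1.1\r\n"),
    ("photoframe", 443, b"POST /login HTTP/1.1\r\n"),  # plaintext despite port 443
    ("hub", 8883, bytes.fromhex("160303007a0100007603")),
    ("speaker", 9000, b'{"sensor":"temp","value":21.5}'),
]

def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a TLS record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    # Record header: type 0x16 (handshake), version 0x03 0x00..0x04, 2-byte length,
    # then the handshake message type, 0x01 for ClientHello.
    return (payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)

def audit(flows):
    """Return {device: [(port, reason), ...]} for flows that do not open with TLS."""
    findings = defaultdict(list)
    for device, port, payload in flows:
        if looks_like_tls(payload):
            continue
        # Mostly printable bytes suggest the content itself is readable on the wire.
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
        if payload and printable / len(payload) > 0.9:
            reason = "readable plaintext"
        else:
            reason = "no TLS handshake seen"
        findings[device].append((port, reason))
    return dict(findings)

if __name__ == "__main__":
    for device, issues in audit(SAMPLE_FLOWS).items():
        for port, reason in issues:
            print(f"{device}: port {port}: {reason}")
```

Because the check inspects the payload rather than the port number, it flags plaintext sent to port 443 and still recognises TLS on non-standard ports. Protocols that upgrade to TLS after a plaintext greeting would be flagged by this first-payload check.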