
The Silent Home Invasion

Image Credit: RossHelen/BigStockPhoto.com

When the NSA is urging consumers to secure their digital homes, especially IoT devices, we really have to say it out loud: they usually can’t. The real IoT problem is the sluggish discovery-to-patching process by firmware vendors, leaving users exposed indefinitely.

In late February 2023, the US NSA issued a set of recommendations directed at homeowners and renters to secure their networks against cybersecurity threats with an updated set of “best practices.” Threats to home networks, and to the devices that connect to and through them, have been known for many years, and cybersecurity vendors are both raising awareness and providing remedies. However, an official security-minded government entity like the NSA may carry more gravitas than commercial vendors, so its warning might be received as a real call to action.

The NSA issued a similar warning in 2018 and one could assume that they felt a “reminder” was needed in response to a trend that started due to Covid restrictions, but which has now become a “standard practice” – that is, working from home, or “WFH.” In the WFH scenario, corporate employees could be sharing the same network with devices that are unsecured, which could potentially open the gate for hackers to reach a more lucrative goal: the organizations themselves. 

An even more serious threat comes in the form of “nation-state” actors and their ability to take over devices in home networks and turn them into “zombie” devices for attacks against critical infrastructure and more. 

Smart home, dumb devices

With regard to two specific NSA recommendations, namely advising consumers to “secure and update their routing devices” and “secure electronic devices and use the most updated version of the devices’ OS,” a review of the home network “ecosystem” will help put these recommendations in perspective:

  • Computational devices – Desktops and laptops, smartphones, tablets, smart hubs (like Google Nest and Amazon Echo) and the like.
  • Networking devices – Routers, Wi-Fi extenders, access points, switches, network-attached storage devices, etc. These devices are used to enable, manage and optimize the data traffic in, through and out of the home network. While they tend to run on a limited number of operating systems, there are many variants of these OSs used by many vendors.
  • IoT devices – Smart TVs, speakers, IP-based cameras, connected printers, smart alarms, etc. These are task-specific devices, built with low-to-medium performance hardware, with limited interfaces, and usually installed, managed and operated via a smartphone.

Although devices from all three groups are exposed to cyberattacks, there are major differences between them in how vulnerable they are and what makes them vulnerable.

Computational devices are vulnerable, but once the vulnerability is discovered, the remedy is usually developed, delivered and deployed fast via an automatic OS, software or hardware device-specific update.

Networking devices and IoT devices are more vulnerable than computational devices due to the amount of time it takes to patch these vulnerabilities once they are discovered (although routers are by far the most vulnerable device group in the last few years, according to data collected by SAM Seamless Network).

Router vulnerabilities present an even bigger opportunity than those of other networked devices, since the router is the gateway to all the other devices on the home network and their only path to the Internet. This means that a router vulnerability has the potential to cause significant harm to all the devices within the home network, expose details about these devices and the traffic within and through the home network, disconnect the user from the Internet, and even turn the router and the devices behind it into participants in a DDoS attack against the ISP or other destinations.

Consumers are reminded constantly to monitor and rectify the security posture of their home or small office devices by adhering to access permissions and downloading software updates. However, they are fully dependent on the device vendors when it comes to patching a discovered vulnerability in the devices they own. The problem is that device vendors react much more slowly than software vendors when it comes to deploying updates to their devices, even when these are critical updates needed to fix a security flaw.

This delay creates a significant window of opportunity for hackers who are well aware of these vulnerabilities and often have ample time to exploit them before the vendors issue a remedy, leaving end users vulnerable to attacks.

Even when the patch is ready for deployment, there is still the question of how it will be deployed onto the users’ devices. Some devices can be updated via the corresponding app. Others, however, need to be updated manually – a lengthy and complicated process for those who are less tech savvy.

All of this is assuming the device vendor can develop the needed remedy on their own. Sometimes, the vulnerability stems from one of the components within the device, such as the chipset, and the component provider first needs to update the embedded software that it initially shipped on its chipset. This would also require the device vendor to conduct its own tests, making sure whatever update the component vendor sent does not cause issues with other components within the device.

This is why it usually takes between 3 to 6 months for device vendors to issue a software patch after a vulnerability in their device was discovered. In some cases, it even takes more than a year. Some devices cannot be updated at all, so the only solution left for the owner is to discard them.

Therefore, one could conclude that the NSA’s advice to consumers to “secure their IoT networking devices” is theoretically on point, but practically useless, as even if the consumers execute a daily “check for latest version of the software in all my IoT devices” routine, they are still dependent on the slow discovery-to-patching process managed by the devices’ vendors.

And here’s where you – the ISP – can come to the rescue: by embedding (downloading) network traffic monitoring software directly within the router (whether you provided it or not).  By doing this you will protect the devices by safeguarding the network that they reside in, rather than trying to fix vulnerabilities within individual devices, which, as described above, is very problematic indeed.

Such a router-based “agent” should be backed by an extensive database of known IoT and other devices and enhanced by AI and ML instruction sets to accomplish three important tasks:

  • Protect the router (and the network) from threats trying to enter from outside (you know, the Internets).
  • Protect the devices by constantly monitoring the traffic between them and the router, and when the AI realizes that a device is acting in a way which raises suspicion (like suddenly communicating with another device on the network that it never communicated with, or sending packets of data to a server somewhere on the internet at odd times), the device is removed from the network so it will not infect or harm other devices.  The issue should then be investigated further using automated processes aided by a constantly updated database of vulnerabilities and remedies from device vendors and other databases.
  • Protect the ISP and other destinations outside the home network by preventing hacked devices within the network from being used for attacks outside of it.

To conclude, the slow discovery-to-patching process for IoT vulnerabilities remains a significant concern. However, by seeking network-level protection through their ISP, users can protect their IoT devices and benefit from real-time defense against emerging threats while enjoying the peace of mind of a seamlessly connected home.

Author

Sivan Rauscher is the co-founder and CEO of SAM Seamless Network. Previously, Sivan worked at Comsec Global, where she oversaw product management and provided high level strategic consulting in both Israel and Europe. Prior to her time at Comsec Global, Sivan served as Chief of Staff of the Cyber Division of the ISNU, where she managed and planned Cyber Security operations. Sivan holds a Master’s degree in Diplomacy and Governance from Israel’s Interdisciplinary Center.
