How to prevent breaches in complex, connected systems.
News outlets recently covered the new paper, “Security Analysis of Emerging Smart Home Applications,” and its findings about the security vulnerabilities in common “smart home” applications. Originally published in the 2016 IEEE Symposium on Security and Privacy, the paper describes the operation of, and potential issues with, the programming framework in smart home devices on the market. The programming framework is a common infrastructure for the entire ecosystem that spans individual devices, hubs, a cloud-based command and control service, and a smartphone app. It allows devices to be discovered, their capabilities to be advertised, services to be notified of device events, and responses to those events to be controlled. It also provides controls on who and what has access to the parts associated with any individual installation or home.
Security research often focuses on the sensational failures of particular device implementations and demonstrates the mayhem that can ensue to expose and thereby spur greater protection of some aspect of their operation. This latest research is notable because it concentrates on using the capabilities provided by the framework itself, in more or less the ways they are allowed, to compromise the privacy, integrity and even the physical security of users. While the specific ecosystem studied was Samsung’s SmartThings, many companies are developing and deploying similar smart home frameworks. The study demonstrates the difficulties inherent in finding simple ways to let consumers to join their devices together into a unified whole that does more than the sum of their parts, while also providing appropriate levels of security and control over the access that devices and services have to data.
The research found that many applications running on the cloud service had access to more data and capabilities than required to supply their function. In many cases, this was the result of the privilege system provided by the framework itself not defining sufficiently fine-grained access controls. In general, a device’s capabilities are all lumped together in a single access privilege, regardless of whether the device is only being monitored or controlled. In this particular programming framework, granting an application access to any one capability of the device, it actually granted access to all of them. The researchers give the example of an application to automatically lock a door remotely when requested by the homeowner. Although the application requires only access to the command to lock the door, it receives access to all of the lock’s state and controls, including the command to unlock the door (much more sensitive than the lock command), along with a list of the unlock codes that users enter on the lock’s keypad. If this application was malicious, it could use that information in ways that were never intended by the user.
The paper details a number of other problems found in the framework, including the ability for an application to send out information via SMS with apparently no limits on what that may be, and a way for arbitrary applications to subscribe to notifications that they should not be able to receive. It’s early days in the IoT, and we can expect many more exploits of this nature before the frameworks develop to the point that they provide reasonable controls on what parts of the ecosystem can and should communicate with what other parts, while still enabling the interesting applications that will develop with massive interconnection of devices cooperating on solving problems for their human masters. And all the while, the management of these controls needs to be simple and understandable to users who are not programmers or network administrators, and have no interest in becoming one.
One thing that certainly won’t work is to rely on the good will of companies and other smart home programmers not to exploit capabilities (planned or otherwise) in the frameworks that permit unintended and unwanted uses of that data. We’ve seen time and again how environments like Java and Flash can become vectors for all kinds of malware. The IoT will be orders of magnitude more complex, spanning small battery operated devices through massive remote cloud computing resources and multiple wired and wireless networking technologies. Vulnerabilities in all parts of those systems will be exploited for fun and for profit, and we can expect to see the emergence of malware designed precisely to take advantage these kinds of gaps.
Security considerations must be designed into these frameworks, supporting the small devices up to the networked services. All the connected products in the ecosystem must have base security functionality hardened in the SoC and enable the setup of a secure communication environment. Synopsys’ Security IP solutions can help secure the future of IoT technologies.