COMMUNITY BLOG - Simon Stahn - IOT device security for your home
The community blog posts are written by InfoSec professionals from diverse sectors who have kindly provided articles for free to support the demystifying of cyber.
Author: Simon Stahn
Position title: Director and Principal
So, you want a new IOT device in your home… how do you go about evaluating its risks to you and your environment?
Let’s reduce this to the questions you should be asking yourself to discover enough about the device / manufacturer / cloud app before you let this 'thing' into your home.
When I approach new things, the first question I think about is:
Why do I need this device and what benefit(s) is it bringing me?
I think of the ’why’ as the key to my internal business case. This ’why’ determines both the benefit the device (might) bring and what we are balancing against the risk of having it join our network and share in our data.
If we’ve established the why, we need to establish the risks of having the device in our lives and on our network. To get a feel for the risks, ask yourself the following questions:
• Firstly, what data will the device actually be collecting and/or using to provide you a service? This is pretty crucial to the overall use case - if the device is measuring the temperature of your living room and that data gets out… 🤷‍♂️ well, that’s likely not a big issue. But if it’s the video and audio of a baby monitor and it’s being handled in a country that is not ‘legally friendly’ with Australia (i.e. any misdeeds with that data cannot be punished in any way) then it might be a bigger issue for you.
• What info does the device or corresponding app need about me (or my family/business/staff) in order to function, or even to set it up? Is this ‘personal info’ that, if it fell into the wrong hands, could be used against me in some way?
  o As a sub-question, can I give the device false info and still achieve my objectives in having the device? I.e. it’s not a law enforcement, government or financial sector device or app, where it might not be legal to provide false details.
• Where is my data stored? The answer to this will determine whether or not you could do anything about it if the organisation you, or your devices, give the data to has a data breach.
• Can I delete my data? If your new device has a one-way flow of data out to some cloud service, can you ensure that data is removed/deleted from the service after a given time period?
• What is the likelihood of my data being breached? Evaluating this question as a “non techie” is very, very difficult. Even inside the info security industry, it is difficult to determine all the factors needed to make an educated guess at the probability of the data “getting out” to somewhere unintended. However, what I mean here, for most people reading this, is that if you’ve heard of the big name (think Microsoft, Google, Amazon Web Services) then there is an inherent safety factor, in that most of those companies spend a lot of money to protect themselves and their client data within their systems - because they will be held accountable when something goes wrong. On the other hand, a “Mom & Pop’s Corner Data Mart” based in a different country may face little to no repercussions.
• How does the device connect to the internet/cloud? Is it through your wifi or a built-in mobile data service?
• Can I use a unique email address for sign-up in order to provide some traceability if the gathering party misuses my data? E.g. with Gmail you can set up an email address with a ‘+’ in it, to give you some easy tracking if your email address is used for something other than what you gave consent to.
• If the software (device or cloud app) isn't updated or 'patched' regularly, what does this do to my risks?
The term 'risk' used here is a combination of the likelihood of something happening (usually something untoward, or it would be an opportunity, not a risk!) and the impact of that something happening. There are usually also mitigations that help reduce the overall risk.
A brief, simplistic example would be of a baking tray in a hot oven. If you open the oven and take out the tray with your hand, the likelihood of your skin coming into contact with the tray is 'almost certain' and the impact of coming into contact with the hot tray may be 'major' (i.e. being burnt). Combining the likelihood and impact we might end up with a 'high' risk to your health and safety. However, a simple mitigation of wearing a heat-proof oven mitt would lower (i.e. 'mitigate') the likelihood of your skin coming into contact to 'very rare' and may decrease the impact slightly as well, to say 'minor' (by decreasing the possible surface area of skin that may be affected during contact). Thus, the resultant risk with the mitigating mitt would be 'low'.
For those of you still reading who like checklists, my thinking is along the lines of understanding the following:
• Why do I need this device; what benefit does it bring me?
• What data will the device be collecting/using?
• What info does the device or corresponding app need about me? How could this info be used against me?
• Where is my data stored? And can I delete my data if I want to?
• What’s the likelihood of my data being breached, and what is the impact to me?
• How does the device connect to the internet/cloud, and how does data get in/out of your environment?
• How is the device maintained / patched, and how regularly?
Let’s put this into practice and weigh up a use case I have just gone through - getting an IoT device to check pool chemical levels. For those that don't own a pool, there are various chemical levels that need to be 'in balance' for a domestic swimming pool to stay clean, sanitary and nice to swim in. Typically, pool owners use either test strips bought from the local pool shop or hardware store, they take water to a pool shop for testing, or they pay someone to come around regularly to maintain their pool. I've been in the 'test strips' group, but with an interest in home automation and being a bit of a data geek, I could see the point in something a little higher tech, more accurate, and less wasteful of those little chemical strips; i.e. more sustainable, reliable and consistent.
Context / aka 'use case': The test strips, and replacements I've been using, have provided unreliable, inconsistent data to me about the condition of the pool - namely pH, chlorine and salt levels. This has meant I've been treating the pool incorrectly (based on incorrect data) and have been spending too much money. The core problems are consistency and accuracy (within the limits of a pool testing device, but not a scientific tool for research) to cut financial losses in chemical costs. The pool is also inconveniently placed for me to do testing on a daily basis (i.e. I'm lazy and don't like going out in the cold and dark of a winter's morning!) to ensure I get my data.
Solution: a device that tests for the core levels (pH, free chlorine, salinity) with enough accuracy that I can make decisions and see trends (like pH rising over a week). And being a techno geek of some sort, I would like that delivered to my smartphone or email.
What benefit(s) does it bring me?
The device + cloud app brings me the ability to know what my pool chemical levels are like, updated on an hourly basis. This allows me to make decisions (like adding pool acid) based on not only instantaneous data (like using a pool testing strip) but on historical data over the whole day or week. In turn, this drives down the cost of making pool chemical errors, lessens wastage of both chemicals and testing strips; leading in turn to more swimming time and less swearing at the state of the pool.
What info will the device be collecting?
The device I put on my short list detects and collects pH, free chlorine, salinity, and temperature. There's no location data, other than what I choose to tell the app so it can give me weather predictions.
For the purposes of a basic "can this data be used against me" analysis… well, you can tell how bad I am at managing our pool but in real terms, there is not much an attacker could do with this info. (Please get in touch if you think that the pH level of my pool could be used against me in something other than a public shaming of my pool maintenance because I'd legitimately love to hear another angle!).
All in all, I'm comfortable with what the device collects and sends away to be stored. (I am hopeful it will show that I get better at pool maintenance… but that trend will only be visible with hindsight!)
Moving on - what info does the device need to operate?
It turns out that the setup of this device is app + bluetooth based (info I obtained from the website prior to purchase). I had made an unvalidated assumption that the device would then default to wifi connection, in order to upload its data to a cloud app.
It turns out I completely missed the fact it can use wifi but only does so when the Sigfox network is not available in the installed area. The what-fox-network!?! Standing there with the installer drilling holes in my pool piping, I realised I had never heard of the Sigfox network… I had a quick decision to make - do I let this install go ahead or stop it now?
I made a quick mental risk calculation - the device will be connected to 'some other network' but not mine and transfer minimal data (basically a few data points, every hour or so) to a cloud service. Thus, it should not be "a way in" to my network, so I let the install continue.
(As a side note - I actually have an IoT zone on my wifi network for such devices as this and had the details ready for the installer.)
Going back to answer the question though - the device only needs enough 'data' of mine to link/sync up with my account in the cloud app… so I'm happy enough with that.
Moving on from the shock of discovering a type of network I had not heard of yet that has coverage in my backyard…
What data does the corresponding app need?
When setting up the app, I created an email address unique for this install, in the format myname+devicename@example.org, which is simply delivered to the myname@example.org mailbox I already use. However, if the cloud app provider ever has a data 'leak' (or sells the data) then I might find spam coming to that particular myname+devicename address, so I at least know where the leak happened.
Note that this is not 'protection' but it is a form of 'detection' in the language of security. I also used my password manager to generate a unique, long, complex passphrase that I'll never have to remember, because the password manager does that for me (topics for a different post, I'm sure!).
The app also wanted my location (via smartphone location/GPS) as a one-time location setting, to sync up weather patterns that may be helpful when determining pool conditions. I ‘corrected’ the app’s location data and set it to a park near my house - close enough for weather purposes - but not my actual home address.
So far, so good - nothing I wouldn't expect, given what the device needs to do to provide me with my benefits. It has asked for no credit card numbers, photos of my driver's license or requests for my mother's maiden name or birthday. 👍
As a side note, this lack of pumping me for information is refreshing but correlates nicely with the manufacturer being European and having to conform with GDPR. Having the manufacturer conforming to this privacy legislation provides me with comfort that they will uphold some basic privacy principles like not storing or using my data for purposes other than what I have consented to.
What’s the likelihood of my data being breached and the impact to me?
Looking at what I know so far about the device and cloud app, I decided that the likelihood was effectively irrelevant as the impact of a data breach to me would be basically non-existent.
Said another way, there is only pool water data and a unique user+password combo being held by the company providing me with the service – any breach of this data should cause me no harm, so I’m not going to invest time and effort investigating exactly where and how the company is storing my data.
How does the device connect to the internet/cloud, and how does data get in/out of your environment?
As evaluated earlier, the device connects outside of my home network. I can connect directly to it from my phone, using Bluetooth, to request an immediate water check, however this only provides an attack vector to my smartphone. As I’m using an up-to-date iOS device to run the app, using the IoT device (and its very limited compute power) to ‘attack’ me via my smartphone would be a very esoteric and costly way of ‘getting in’ to my environment.
While such attacks are valid for some threat models, I’m going to discount them for the typical ‘home user’ and this post. Why? Because they’re theoretical attacks around a completely different threat model to the target audience (please excuse the pun). If the device was, for example, a set-top box that is connected to a home’s core network and uses/stores your credentials to access your home computers for videos and music, there is a far more credible threat to be thought through, based around the data and access of that particular IoT device.
Lastly, let’s look at how the device is maintained / patched, and how regularly.
For this IoT device, I’m not even sure it can get software updates as it is a very basic device. If it does, it will likely require a local Bluetooth connection from the smartphone. The Sigfox network seems to exist more for transferring captured data points, not maintaining software/patch-levels.
The supporting cloud app seems to be patched through the smartphone’s app store for bugs and features, and the cloud server side is invisible to me. As covered earlier, if this device gathered info that I was more concerned about, I would investigate the server side more.
In summary, while I did look at my list of key points to evaluate, the fact that neither the device nor the related cloud app gathers any data of use to anyone but me, along with the benefits the device should realise, made it a quick decision to approve the device for install.
Now if only someone would break into the device, see the trend of my pool’s pH levels rising on a daily basis and tell me exactly how I can solve that problem… now that’s a ‘hack’ I could get behind!
COMMUNITY BLOG - guest author Simon Stahn - 30 November 2021