The Internet of Things (IoT) connects smart objects that can sense and manage our environments, be they homes, vehicles, factories, supply chains, cities or power grids. IoT objects transfer data over networks using IP address connectivity. The IoT market is growing rapidly and will to impact many aspects of life and work in the coming years. Thanks to IoT, a huge volume of data is being generated and transferred across networks. Ensuring this data is reliable, secure and authentic is perhaps the most critical challenge facing the growth of the IoT market.
One of the most promising and fastest growing IoT opportunities is smart-home applications. This includes a range of technologies, sensors and controllers installed in our homes that deliver energy savings, automation of mundane tasks, security and other benefits.
Device control and security systems are probably the most popular smart-home IoT applications today. They focus on controlling home appliances—such as thermostats, baby monitors and lighting—and managing security cameras both in and outside the home through remote access. Other home applications include sharing multimedia content and providing access to shared resources and applications.
Hackers have managed to breach connected devices such as Surveillance Cameras, Smart TVs etc., by identifying loop holes or possible vulnerabilities and exploiting the same by introducing a ransomware or malware, which has proven to be a serious threat to the home eco-system & the personal identity as such, and hence securing a smart home is crucial.
Home Security Threats
There are many security challenges and risks to smart home networks that can propagate quickly. For instance, if a home network device is compromised it can quickly impact other connected devices. As such, security should be a high priority for every aspect of an IoT system, including the hardware level, software level or network connectivity level. It is important to encrypt all data so if the system is compromised the data cannot be read by hackers. This may seem obvious but, sadly, it is not practiced enough.
Consider the following scenario of hackers using a vulnerable IoT device—say, a surveillance camera—to access a victim’s mobile phone. First, the hacker sends an infected file to a victim’s IoT device and waits for them to download it. When the victim uses the infected file, it establishes a connection with the hacker’s device. The hacker can then control the victim’s surveillance camera, as shown below.
Following is a snapshot of typical hacking achieved using Kali Linux (used for digital forensics and penetration testing), which has a wide variety of tools. Here we have used “MSFvenom” tool to generate the infected file and “Metasploit” tool to listen to target victim’s IoT device. The infected file was placed in victim’s IoT device used in our experiment and all the exploits were done over the public network.
Most surveillance cameras are connected to the internet, which lets us access, control and maintain the cameras remotely. In parallel, cyberthreats to these systems are accelerating.
Remote access of devices is normally achieved by exposing them directly to the internet. But the exposure of such devices through public IP access is dangerous as there are numerous malicious exploits that will scan for opened ports to gain access to the device.
Let’s consider a typical set up for remote access to a surveillance camera. In the setup shown below, the home gateway is public, with a port forwarded to access the surveillance camera. Though the firewall presence before the home gateway can provide some security, it is still vulnerable. Another problem with this set up is that the data is not secure and can be bypassed and retrieved anywhere in the public medium. To overcome these shortcomings, data at all points between the mobile device and the surveillance camera must be encrypted. In addition, access to the surveillance camera must be secure.
Data Security with a custom VPN
Virtual private networks (VPNs) generally offer end-to-end security with encrypted data that flows across the client-server tunnel. Apart from encryption, there are plenty of other options available with a VPN for remote access, which can be employed to enhance security.
In the scenario described above, with a VPN installed between the mobile device and home gateway, the traffic would be routed through a VPN server as follows:
■ The mobile device requests a video feed from the surveillance camera, with the Virtual IP of the home gateway and the respective port rather than using physical interface IP (Public IP)
■ The VPN server routes the packets to the home gateway
■ The home gateway further port forward the packets to the surveillance camera
The main advantage of this set up is that the home gateway is not exposed publicly, so the surveillance camera is protected from unauthorized access.
This setup can be further extended with a VPN client installed in public gateways, such as Wi-Fi kiosks. With few IP rules added at the gateways, the entire subnet of one gateway can be accessed by another. The public gateways that provide free internet access are highly vulnerable and installing such VPN clients provide enhanced security.
Key Benefits of VPNs:
■ Remote device access is done with virtual IP
■ The entire data flow is encrypted
■ Gateway devices are not exposed in public
■ End client devices like handhelds and desktops connected to the gateway devices are also secured
■ Malicious port scans are avoided
■ Remote users are properly authenticated by the VPN server, which can include multi-level authentication
The wide use of IoT devices and the communication between the devices and the external world imposes numerous challenges and must be countered with efficient, proactive and proven security mechanisms. Using a custom VPN is one solution that provides end-to-end security and protects IoT devices from serious threats.
Senior Software Engineer,
5+ years of experience in Aricent with expertise in Networking protocols, VPN solutions, Streaming protocols and Multimedia solutions.
Suriya Mohan S
Sr Engineering Project Manager,
16 years of experience in IoT, Automotive, Multimedia, Content Adaptation, Connectivity and Security domains.