Blog articles

Our views, analysis and opinions of the world of connected embedded devices.

Internet router in danger sign

The security of home internet modem/router gateway devices

We were at the Institute of Information Security Professionals and CREST annual conference yesterday where Cisco gave an interesting talk on the security of the home broadband modems and routers that form our digital link between our homes and the internet.

Cisco has been investing heavily in security in recent years both internally and via acquisitions of security companies such as NDS. They now appear increasingly to be using security to increase brand confidence and competitiveness while at the same time deliberately distancing themselves from the more negative connotations of being a US network technology supplier.

The talk was very interesting and resonates well with what we are seeing.   We often hear when dealing with consumer electronics companies who are building connected/smart devices for the home, something similar to, “Security isn’t that important – the home modem/router will protect us.”

In an ideal world that should be true, but what if those gateway devices – the electronic doors that connect our home to the internet - aren’t really secure at all? What if, metaphorically, we are unintentionally and without our knowledge leaving the electronic doors and windows of our house open?

For those of us familiar with consumer electronics security, unfortunately we see almost weekly reports on security vulnerabilities in these devices. And it’s often issues that should be relatively simple to fix, such as not using the same default username and password for every device. And a lot of these security vulnerabilities also allow an attacker on the internet to take control of your device remotely.

Even worse, this security risk is not just coming from no-name manufacturers but from big, well-known brands who should know better.

None of these devices run anti-virus software. Their software is also often not updated when a security problem is discovered in it. Even if the software is updated, then you normally have to update it for your device manually. And usually through a very poor web interface that is incomprehensible for a significant proportion of the population. It also doesn’t record any information, unlike PCs, that would allow the source or method of any attack to be discovered.

In fact the general situation is so bad that the Electronic Frontier Foundation announced last year that they were going to produce their own secure software for these devices.

 

How can an insecure modem/router be misused?

If an attacker takes control of your gateway device it can be used to attack you by, for example, redirecting your banking website to their false one and hijacking your account. They can also use your device to send some digital garbage over the internet to disrupt the internet connection of someone else. 

Doesn’t sound serious enough? What if they also used every other device belonging to your ISP (as they’re all going to be the same) to send garbage? What if they used the same type of device all over the world?

Manufacturers may even be inadvertently providing the tools on the devices to enable this to be done more easily!

Current estimates for insecure devices are 20 MILLION. And this is likely to be an underestimate. Some people are proposing a figure of 80 MILLION.

Imagine a concentrated attack coming from millions of devices connected to the internet and spread globally so it’s practically impossible to stop.

This isn’t fiction or even a potential threat – there are companies today offering to sell the use of insecure devices to attack others. The recent attacks on Sony and Microsoft over Christmas have been attributed to the Lizard Squad. The Lizard Squad are thought to control a network of over 100,000 home router devices that they have taken control of. There have also been recent reports of 300,000 devices being taken over.

If a relatively small number of devices can affect major corporations – what could a much larger number of devices do? Imagine the potential disruption to our businesses, finance or even infrastructure.

 

Why is security not considered?

The fundamental situation is due to the fact that security costs money. Consumer electronics is a cut-throat industry with low profit margins and there’s unfortunately no incentive for manufacturers to add security unless they have to.

There is just not enough pressure on them currently to change.

This requirement for security can only come from consumers (pressuring their internet service provider or brands directly via buying power) or by government regulation.

Unfortunately consumers currently don’t appear to be aware of the implications. There are signs that things may be changing however, with rumours that a well-known consumer research organisation will be highlighting security of products in the near future.

Given the high impact of the risk, even if the likelihood at the moment is low, it is difficult to see how this market can avoid regulation in the longer term.

Padlock with no entry sign on top

 

In our company we’ve reviewed the security of a large number of consumer electronic devices and helped a wide range of manufacturers and operators to understand all aspects of securing their products and systems. 

We’re involved with protecting the electronic connected devices that are increasingly forming a critical part of our connected lives from being used to attack us. From automotive In-Vehicle Infotainment systems to smart TVs, security is often an afterthought at best.

More often than not, though, we hear the same question from consumer electronics companies: “Why would we want to add security?”

 

The consumer product manufacturer point of view

For those of us who work in this industry, this question is not surprising. 

From a consumer manufacturers point on view:

  1. Time-to-market is critical and being late can mean the difference between a whole product line succeeding or failing
  2. Cost is critical and per-product profit margins are very slim. When you’re making a large number of devices then every cent cost really matters
  3. Skilled people are limited and therefore expensive (see 2.)
  4. Most consumers don’t understand the implications of an insecure product so won’t pay for security (even though there is evidence that they are deeply concerned about their personal privacy)

The immediate judgement could therefore be that improving the security of our devices can take time and money and could make those devices less competitive in the marketplace!

This can result in the view amongst many consumer manufacturers that consumer security is not a high priority when developing a product (especially if you take a short-term view as is common in the industry).

Very often, even things like brand reputation protection and protection of their own revenue streams security is not even considered!

 

How much security?

On the other hand, there is a lot of hype in consumer security. For example, the risk of your internet-enabled fridge within your home network being used to attack you is probably quite low. Even the risk of your smart electricity meter being used by robbers to find out when your house is empty is probably very low (it would be easier just for them to stand outside!)

That is not to say that consumer products don’t have risks – it’s just that as an industry, consumer electronics companies are traditionally not good at recognising them. They make brilliant devices that usually improve our lives but they’re not security companies.

For example if those same smart meters contained the ability to switch off your power supply (and that of everyone else who had one installed) then the security risk to us is much, much greater.

Risks are also hard to determine and can depend on the product use case. For example, a smart TV that records and transmits audio insecurely to a remote server will not pose a real general security risk to the majority of the population, but what if that TV is in a politicians office and being used to spy on them?

What is important to remember is that the amount of security should be proportionate to the risk and consumer product companies need to better understand their risks. 

Most security issues in consumer devices are concerned with protecting consumer privacy or revenue streams. The cost of fixing problems during product design is usually a lot less than many companies expect and much less than the resulting damage that may occur to the brand.

Most products we see could easily have been fixed early on by understanding the risks and adding simple, pragmatic, commodity, often free, security improvements. Retrofitting security or rebuilding reputation, on the other hand, takes a lot more time and money.

Even products with higher risk such as smart meters, home network routers, smart energy systems and connected home security systems can save costs in the long run. Incorporating secure product development processes result in security just becoming part of the product and not an add-on.

 

The future

There are signs that things are changing. High value brands and industries that may have particularly high liabilities (e.g. automotive) are starting to recognise and take security much more seriously. Industries such as smart home, building and energy are also wakening up to the potential threats and seeking advice.

However, many high-risk consumer electronics companies are still slow off the mark. We still hear regularly about insecure home network routers and smart security systems. Hopefully the combination of media hype, consumer pressure and potential regulation will improve this situation in future.

 

About us

MathEmbedded has been heavily involved with consumer security for many years and has recently created a consumer product security health check service to help companies to understand their risk.