Can good devices on your home network help protect it from bad devices by voting them off the island?
December 13th, 2019
The Internet of Things is driving exponential growth in home automation through the miniaturization of what it means to be an internet enabled entity. We see smart appliances in the kitchen, smart mood lighting, intelligent robot vacuums, and remotely managed security systems, all providing endless opportunities for making our homes connected and intelligent.
IoT devices deployed in homes mean new risks and significant security challenges. The same technology that the consumer IOT industry believes will make everything in our lives smarter could also make our lives less secure. AT&T’s IOT SCOE researchers are working to address the challenge of detecting rogue devices in our homes. Behavioral analysis provides some techniques for detecting compromised devices. And one idea may help: what if we crowd-sourced rogue detection? What if good devices on our home networks warned us of bad devices on those same networks?
Figure 1. Registration gateway
This solution does require enhancements to IOT devices that manufacturers must support, and that is a significant challenge. It’s impractical to expect the world of device manufacturers to sign on unless we provide a clear business benefit. Business benefits to our customers include improving home security and the customer experience, as well as automated rejection of malicious devices and reduced customer costs. In a world of relatively inexperienced users, any solution that significantly improves security can help improve overall safety.
These enhancements are lightweight, require no special knowledge beyond the device’s own behavior, and complement the enhancements recommended by guidelines from standards bodies like NIST. Essentially, a device already knows what it does for a living. Now we add a requirement that if it sees something outside normal behavior, it sends out a warning in the form of a negative vote: “Hey, this other device on the network did something unexpected.” Each IoT device on the network that supports the reputation score protocol will maintain some basic information about its own operational profile. When it sees something out of the ordinary, it sends out a vote. The contents of a vote depend on the scenario and may be incomplete. But in the aggregate, a pattern of misbehavior may appear.
What kind of information goes into a device’s operational profile? Devices receive commands from specific controllers, send data to specific targets, get updates from specific domains, and interact in limited ways. They have well defined data rates and packet sizes, and host known services on known ports. Deviations from the norm stand out. If we could put a mini-gateway in front of every device we could monitor traffic in-line, but that is impossible in many cases and impractical in most. Instead, we consider placing requirements on device manufacturers to modify their firmware to support some simple functions to monitor aberrant network behavior that indicates compromise. In some corner cases, the device under consideration will be too simple to modify, in which case a smaller set of metrics will be collected or smarter devices in the home network may indirectly vote on their behalf. If a device can’t vote, then it cannot directly participate in the voting data feed but may be able to indirectly participate if its controlling entity can send votes based on log or event data or even on missing data. Our design also has components to manage the system’s policy via a GUI.
How do we register IoT devices that lack intelligence today? Currently, we provision an IOT device by installing it, powering it on, and setting its credentials either at startup locally or over the network, based on some initiation process provided by the vendor. Essentially, the device is trusted by default. Once a device has network access, we rarely monitor it to revoke access based on bad behavior.
But what if we could monitor the interactions with other IOT devices on the same network, and with routing and switching elements in the home? A new device’s behavior over time becomes critical to its trustworthiness. We are exploring if the device can be “voted off the island” on the basis of information gathered by many IOT endpoints.
Reputation scoring as a strategy adds a validation step to the registration of a new IOT endpoint on the home network. A rogue device must overcome this challenge to remain on the home network. An IOT device is deemed essentially untrusted until its behavior on the network conforms to some standard, profile or baseline. If it misbehaves, then it’s kicked off the home network. And to make this process even more reliable, the protocol that ensures this happens is not centralized but is based on a distributed voting scheme.
We are building prototypes of this solution with several components, including a Registration Gateway and a Voting Manager. The registration gateway is present in any IoT environment and has network authentication responsibilities, normally implemented as a gateway router and capable of kicking devices off the network. Our design enhances this gateway to provide an external reputation data feed of “Reputation Scores” from third parties. This is a service that third parties would offer analogous to virus updates. As more and more devices are brought to market and as vulnerabilities are discovered, the risk associated with any individual device will change with time. Think of our current CVE databases used in vulnerability scanning. This function now meets a similar need for IOT devices. The Voting Manager listens to the many IoT devices in the home. The Voting Manager receives “votes” which are event data from the devices on the network through a proxy, which in our prototype is the Registration Gateway. We’re exploring voting hierarchies, hosting voting managers in the cloud, and building distributed algorithms for scoring the reputation of a device based on input from many households.
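To make the two halves of the scheme concrete, the operational profile and negative vote described earlier and the Registration Gateway / Voting Manager pipeline described in this section, here is an added, self-contained Python sketch. It is illustrative code written for this page, not AT&T’s prototype: the class names, the scoring arithmetic (a fixed penalty per distinct voter subtracted from a third-party reputation score), the quorum of two voters, the device names and the traffic records are all constructed assumptions. Each device checks the inbound traffic it sees against its own profile, emits a vote against the sender on a deviation, and the manager only revokes a device once enough distinct neighbours have voted against it, so a single noisy or compromised voter cannot evict a neighbour on its own.

```python
"""Added illustration of the reputation-voting idea on this page. All names,
thresholds and traffic records below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class OperationalProfile:
    """What a device knows about its own normal behaviour: who may talk to it,
    on which ports, and with what packet sizes and rates."""
    allowed_peers: Set[str]
    allowed_ports: Set[int]
    max_packet_bytes: int
    max_pkts_per_sec: float


@dataclass(frozen=True)
class Flow:
    """One inbound traffic summary as a device would observe it locally."""
    src: str
    dport: int
    packet_bytes: int
    pkts_per_sec: float


@dataclass(frozen=True)
class Vote:
    """A negative vote: 'voter saw subject do something unexpected'."""
    voter: str
    subject: str
    reason: str


def check_flow(observer: str, profile: OperationalProfile, flow: Flow) -> Optional[Vote]:
    """Compare an inbound flow against the observer's own profile and return a
    vote against the sender on the first deviation found, else None."""
    if flow.src not in profile.allowed_peers:
        return Vote(observer, flow.src, "unexpected peer")
    if flow.dport not in profile.allowed_ports:
        return Vote(observer, flow.src, f"unexpected port {flow.dport}")
    if flow.packet_bytes > profile.max_packet_bytes:
        return Vote(observer, flow.src, "oversized packets")
    if flow.pkts_per_sec > profile.max_pkts_per_sec:
        return Vote(observer, flow.src, "excessive packet rate")
    return None


class VotingManager:
    """Aggregates votes and combines them with an external reputation feed
    (assumed scale: 0.0 bad .. 1.0 good). Only distinct voters lower a score."""

    def __init__(self, reputation_feed: Dict[str, float], penalty_per_voter: float = 0.2,
                 quorum: int = 2, revoke_below: float = 0.3) -> None:
        self.feed = reputation_feed
        self.penalty_per_voter = penalty_per_voter
        self.quorum = quorum
        self.revoke_below = revoke_below
        self.votes: Dict[str, List[Vote]] = defaultdict(list)

    def receive(self, vote: Vote) -> None:
        if vote.voter != vote.subject:  # a device never votes about itself
            self.votes[vote.subject].append(vote)

    def distinct_voters(self, subject: str) -> Set[str]:
        return {v.voter for v in self.votes[subject]}

    def score(self, subject: str) -> float:
        base = self.feed.get(subject, 0.5)  # unknown devices start untrusted (assumed 0.5)
        return max(0.0, base - self.penalty_per_voter * len(self.distinct_voters(subject)))

    def should_revoke(self, subject: str) -> bool:
        return (len(self.distinct_voters(subject)) >= self.quorum
                and self.score(subject) < self.revoke_below)


def run_home(profiles: Dict[str, OperationalProfile], flows: Dict[str, List[Flow]],
             feed: Dict[str, float]) -> Dict[str, bool]:
    """Simulate one household: each device checks what it saw, the gateway
    proxies the votes to the manager, and the manager decides whom to revoke."""
    manager = VotingManager(feed)
    for observer, seen in flows.items():
        for flow in seen:
            vote = check_flow(observer, profiles[observer], flow)
            if vote is not None:
                manager.receive(vote)
    subjects = {f.src for seen in flows.values() for f in seen}
    return {s: manager.should_revoke(s) for s in sorted(subjects)}


# Constructed sample household: three profiled devices plus a newcomer.
PROFILES = {
    "thermostat": OperationalProfile({"hub"}, {443, 8883}, 1500, 20.0),
    "camera": OperationalProfile({"hub", "phone"}, {443, 554}, 1500, 200.0),
    "hub": OperationalProfile({"thermostat", "camera", "phone"}, {443, 8883}, 1500, 500.0),
}
FLOWS = {
    "thermostat": [Flow("hub", 8883, 200, 1.0),        # normal MQTT from the hub
                   Flow("new_plug", 23, 60, 5.0),       # newcomer probes telnet
                   Flow("new_plug", 8883, 60, 300.0)],  # same newcomer floods
    "camera": [Flow("phone", 554, 1400, 30.0),          # owner views the stream
               Flow("new_plug", 22, 60, 5.0)],          # newcomer probes ssh
    "hub": [Flow("thermostat", 8883, 200, 1.0)],
}
FEED = {"camera": 0.4}  # constructed third-party feed; the newcomer is unknown

if __name__ == "__main__":
    print(run_home(PROFILES, FLOWS, FEED))  # {'hub': False, 'new_plug': True, ...}
```

In the sample, the thermostat casts two votes against the newcomer but they count once, so the camera’s independent vote is what completes the quorum; the hub, which saw nothing unusual, stays silent. A real deployment would additionally let the manager pull updated feed scores over time, as the text describes for the CVE-like reputation service.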
This solution is currently at a proof-of-concept level to test our understanding of how devices can share information to form a group-consensus on the reputation of a device. We’re gaining insights into what is actually connecting to our home networks. New and novel machine learning applications could mine these votes for additional insights and give us another tool in our expanding tool box against the bad guys. These ideas may someday move out of the lab and into our homes.