By Patrick MeLampy
As IP-enabled technology for the home continues to increase, networks and security architectures are in dire need of change. Every IoT-enabled smart device inside the home needs to communicate with a server, which is typically located outside the home. The amount of data and the frequency of communication between the device and the server vary, but even a single outbound connection increases exposure to security threats. The now infamous attack on Dyn, which was launched from compromised IP video security cameras, is a prime example of the vulnerabilities that currently exist in these connections.
How should networking evolve to allow smart home data to be transported securely? The answer is that it needs to change only minimally. The security lies in the network's most basic building block: the router. IoT providers need to replace their basic on-premises access switches with smarter, session-stateful routers that can subscribe to registries of certified and authorized IoT services. By recognizing only the certified components, these routers provide a secure route between a home and the IoT service while preventing any non-conforming traffic from being passed to or from the IoT device. This technique would essentially create a virtual private network between each IoT device and its server. With this approach, both the service and the homeowner win: the service owner is assured of the IoT device's identity and location, while the homeowner can now block any unauthorized outbound flows. Other benefits of this device-specific intelligent router would include clear end-to-end control, even through mid-network network address translations (NATs), such as NAT64 or carrier-grade NATs.
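The session-stateful, registry-driven router described above can be illustrated with a small policy engine. The following is an added example and not code from the article or from any router vendor; the device addresses, server addresses, ports and the registry contents are constructed placeholders. A flow leaving the home is admitted only if the source device's registry entry lists that exact destination and port, and a packet entering the home is admitted only as a reply to a session the router already admitted, so an unregistered device, a registered device contacting an unknown server, and an unsolicited inbound connection are all dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical registry of certified IoT services (constructed sample data):
# home device address -> set of (server address, port, protocol) it may reach.
REGISTRY: Dict[str, Set[Tuple[str, int, str]]] = {
    "192.168.1.20": {("203.0.113.10", 443, "tcp")},   # IP camera -> its cloud service
    "192.168.1.30": {("198.51.100.5", 8883, "tcp")},  # thermostat -> MQTT-over-TLS broker
}

SessionKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Flow:
    """One packet or connection attempt as seen by the home router."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    outbound: bool  # True when the packet is leaving the home network


class SessionStatefulRouter:
    """Allowlist router: outbound flows must match the device's registered
    service; inbound packets must be replies to an admitted session."""

    def __init__(self, registry: Dict[str, Set[Tuple[str, int, str]]]) -> None:
        self.registry = registry
        self.sessions: Set[SessionKey] = set()

    def evaluate(self, f: Flow) -> str:
        key: SessionKey = (f.src, f.sport, f.dst, f.dport, f.proto)
        if f.outbound:
            allowed = self.registry.get(f.src, set())
            if (f.dst, f.dport, f.proto) in allowed:
                self.sessions.add(key)  # remember the session so replies are admitted
                return "allow"
            # covers both an unregistered device and a registered device
            # talking to a server that is not in its registry entry
            return "drop-unauthorized-outbound"
        # Inbound: admit only if the reversed 5-tuple matches an admitted session.
        reverse: SessionKey = (f.dst, f.dport, f.src, f.sport, f.proto)
        if reverse in self.sessions:
            return "allow"
        return "drop-unsolicited-inbound"


def run_sample() -> List[str]:
    """Evaluate a constructed sequence of flows and return the decisions."""
    router = SessionStatefulRouter(REGISTRY)
    flows = [
        Flow("192.168.1.20", 50000, "203.0.113.10", 443, "tcp", True),   # camera to its service
        Flow("203.0.113.10", 443, "192.168.1.20", 50000, "tcp", False),  # reply to that session
        Flow("192.168.1.20", 50001, "192.0.2.99", 80, "tcp", True),      # camera to unknown server
        Flow("192.0.2.77", 12345, "192.168.1.20", 23, "tcp", False),     # unsolicited inbound telnet
        Flow("192.168.1.30", 40000, "198.51.100.5", 8883, "tcp", True),  # thermostat to its broker
        Flow("192.168.1.99", 40001, "203.0.113.10", 443, "tcp", True),   # unregistered device
    ]
    return [router.evaluate(f) for f in flows]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The registry is the point of trust: the router never has to inspect payloads, so the approach still works when the device's traffic is encrypted, and it denies by default rather than trying to recognize bad traffic.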
There are those in the industry who tout virtual customer premises equipment (vCPE) as a security technology for IoT. In actuality, vCPE just moves the security border from the customer edge to the service provider edge, meaning the same networking issues exist. However, by moving the problem from the customer edge to the provider edge, better systems for security and traffic analysis may become available in a cost-effective manner. Service function chaining of different types of deep packet inspection (DPI) or firewall technologies can also help. But sadly, the trend in IoT, as in data exfiltration, is to use encryption. Encrypted packets that originate in a home and are intended for a service cannot be analyzed beyond their IP protocol headers. It seems unlikely that IoT devices can be forced to go through proxies, so DPI and standard firewall technology are less likely to work.