Cable / Telecom News

Canadian security initiative will “prevent lightbulbs from killing the Internet”

WHEN THE MIRAI BOTNET hit in 2016, security professionals were appalled to discover the devices that were bombarding sites with traffic in distributed denial of service (DDoS) attacks were basic IoT devices such as security cameras, baby monitors and other consumer devices whose base operating system was some flavour of Linux.

They were further disturbed to learn most home Internet gateways had virtually no security effective enough to protect users from IoT devices – and IoT devices in the main have no protection from evil coming in from the Internet. Worse yet, we learned most IoT device manufacturers were woefully behind in security expertise. They know how to build hardware but have little in-house experience with software and its security requirements. Hence Mirai and its ilk – give bad guys an easy target and they pounce.

That's when CIRA Labs, the research body attached to the Canadian Internet registry, along with the Internet Society of Canada (ISOC), Innovation, Science and Economic Development (ISED), the Canadian Internet Policy and Public Interest Clinic (CIPPIC), and Canarie, formed a core team tasked with facilitating a multistakeholder approach to identify and guide the development of IoT policy, putting security at the heart of internet innovations in Canada.

The goal is to bring together relevant government, academia, and private and non-profit sectors to tackle this ever-growing challenge. Its Network Resiliency Working Group published its final report earlier this year. The group decided to develop a framework to, as CIRA Labs/IXP program manager Yann Berthier put it, "prevent lightbulbs from killing the Internet."

That was the genesis of what is now known as the Secure Home Gateway project. Its goals are to protect IoT devices from Internet attacks, protect the Internet from IoT devices, and to protect the home (and probably small businesses, who often use consumer gateways) from attacks and from the devices it houses. The gateway must be easy to use, provide security access controls and other enterprise networking standards to home networks – and be based on routers commonly found in the home.

Plus, everything has to be open source.

There were other challenges to face as well. Device manufacturers are busily creating a dependency on the cloud, so there's no direct end-to-end communication between the phone or other device issuing commands to the IoT device and the IoT device itself. The path is phone -> cloud -> IoT device. That complicates matters because there's an additional place for bad things to happen.

A second challenge, according to Berthier, is the fact that the gateway needs to know what the device is, and what it should be allowed to do, in order to manage it – and this has to be done transparently because users don't have the knowledge to do it manually nor, in most cases, the patience.

Enter Manufacturer Usage Description (MUD). A new standard, approved earlier this year, MUD allows device manufacturers to provide everything the gateway needs to know about a device in a standardized format. The user just has to scan a QR code from an app on their phone to download the MUD file and the gateway will take care of the rest.

If a device tries to do something it shouldn't – if a garage door opener tries to access security cameras, or sends information out over the Internet that has nothing to do with the door – it will be briskly shut down or quarantined. The gateway uses Per Device Access Policy (PDAP) to identify new IoT devices on the network, wrap appropriate policies around them, and monitor their operation and quarantine them if their behaviour changes.
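As an added illustration (not CIRA's code and not part of the original article), the sketch below parses a trimmed MUD file laid out as in RFC 8520 and applies it default-deny to a device's outbound flows. The garage door opener, its hostnames, the sample flows and the quarantine-on-first-violation rule are constructed assumptions, and flows are matched by destination name rather than by resolved address to keep the example offline.

```python
import json

# Constructed MUD file for a hypothetical garage door opener (not a real vendor's file).
MUD_JSON = """
{"ietf-mud:mud": {
   "mud-version": 1, "mud-url": "https://mud.example.com/garage-door.json",
   "from-device-policy": {"access-lists": {"access-list": [{"name": "from-dev-v4"}]}}},
 "ietf-access-control-list:acls": {"acl": [
   {"name": "from-dev-v4", "type": "ipv4-acl-type", "aces": {"ace": [
     {"name": "cloud-https",
      "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "api.garage.example.com", "protocol": 6},
                  "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
      "actions": {"forwarding": "accept"}}]}}]}}
"""

def from_device_rules(mud):
    """Allowed (dns_name, ip_protocol, dst_port) tuples; only 'accept' + 'eq' ports modelled."""
    names = {e["name"] for e in
             mud["ietf-mud:mud"]["from-device-policy"]["access-lists"]["access-list"]}
    aces = [ace for acl in mud["ietf-access-control-list:acls"]["acl"]
            if acl["name"] in names for ace in acl["aces"]["ace"]]
    rules = set()
    for ace in aces:
        m = ace["matches"]
        l3 = m.get("ipv4") or m.get("ipv6") or {}
        port = (m.get("tcp") or m.get("udp") or {}).get("destination-port", {})
        if ace["actions"]["forwarding"] == "accept" and port.get("operator") == "eq":
            rules.add((l3.get("ietf-acldns:dst-dnsname"), l3.get("protocol"), port["port"]))
    return rules

def check_flows(mud, flows):
    """Default-deny: the first flow outside the MUD rules quarantines the device."""
    rules, verdicts, quarantined = from_device_rules(mud), [], False
    for flow in flows:
        if quarantined:
            verdicts.append("drop (quarantined)")
        elif flow in rules:
            verdicts.append("accept")
        else:
            quarantined = True
            verdicts.append("deny, quarantine")
    return verdicts

MUD = json.loads(MUD_JSON)
# Constructed flows as (destination name, IP protocol number, destination port).
FLOWS = [("api.garage.example.com", 6, 443),   # declared in the MUD file
         ("camera.lan", 6, 554),               # door opener reaching a camera
         ("api.garage.example.com", 6, 443)]   # declared, but device is now quarantined
print(list(zip(FLOWS, check_flows(MUD, FLOWS))))
```
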

CIRA realizes that the information may be updated from time to time, and that manufacturers may discontinue products or go out of business, so it will act as a broker, keeping copies of the up-to-date MUD info so users will never be left in the lurch. And if manufacturers aren't sure how to create MUD profiles for their devices, CIRA offers help here in its GitHub repository.

Each secure home gateway will come with a DNSSEC signed third-level .CA domain to allow users to securely access and manage their gateways remotely.

Check out a demo of the prototype here. Organizations that would like to participate in the project can read the recommendations of the initial team and then visit the project's GitHub repository for further information.