By Ken Munro, partner at Pen Test Partners
Controversy over intrinsic security issues aside, there is also the small matter of just how wise it is to hook up billions of Internet of Things (IoT) devices to a wider network and to each other.
Networking the IoT has seen the emergence of an array of technologies competing to become the connection method of choice, with a key point of focus being the last mile. So announcement of a new Wi-Fi standard 802.11ah – or HaLow – which works in 900Mhz, was met with more than a little excitement.
Here is a standard that promises to extend the range of Wi-Fi and in doing so uses less processing power than its predecessor. Impressive. Or at least it would be, if it weren’t for the fact that those enhancements potentially create as many problems as they solve.
By using lower frequencies over greater distances, HaLow could potentially expose a far bigger attack surface of devices and make it easier to carry out mass attacks remotely.
Wi-Fi operates in the 2.4 and 5GHz bands. Both of these frequencies are greatly weakened by anything that blocks their path, so a lot of power is required for good range; a typical Wi-Fi card will transmit at about 100mW.
Many legacy IoT products – thermostats, remote switches, burglar alarms, weather stations – are already in the sub-1GHz ISM band (434/868/915MHz). These lower frequencies allow signals to travel further and more easily through buildings, furniture and trees, giving these devices the edge over 2.4GHz when it comes to range. These devices typically transmit at about 10mW.
Very few of these products are IP enabled; they rely on simple protocols, designed specifically for that product. There is no way for an attacker to bridge between the IoT network and the home LAN. But when you move up to running IP on these networks – as is expected in 802.11ah – you can no longer assume the two networks are segregated.
There is talk of 802.11ah functionality being incorporated into home routers themselves, rather than using dedicated gateways as is common today. This may enable an attacker to make the bridge between your IoT network and your home network.
Easy war drives
Then there’s the issue of just how close you have to be. The new standard, 802.11ah, will significantly extend the distance from which Wi-Fi IoT devices can be attacked, so it may not be necessary to take such bulky RF antennas out on IoT ‘war drives’ [searching for Wi-Fi wireless networks by a person in a moving vehicle]any more. If 802.11ah gains traction, attackers could get onto your network from hundreds of metres away. Suddenly, the limited range of 2.4GHz Wi-Fi seems like an appealing security feature.
Another big driver behind many IoT protocols is the need to reduce power usage. Low power usage implies less processing power, which can lead to corners being cut in security. So, if HaLow offers lower power usage, the potential for it to support better security than related 802.11 standards is going to be very limited indeed.
Will HaLow offer even worse security than current Wi-Fi offerings? Interestingly, it appears that the 802.11ah draft standard only specifies the PHY (physical/RF) and media access control (MAC) layers. This means that the network and transport layers are not part of the specification, leaving the IoT vendors to implement their own, possibly including any security functionality and in a cost-sensitive nascent market that equates to the cutting of corners.
Another function to improve range involves the use of relay stations, whereby traffic is relayed over greater distances to a maximum of two hops. But who owns the relay and who has access to your traffic? This depends very much on the implementation; is the relay acting simply as a switch and forwarding packets, or is it doing more?
Your ‘to do’ list
Of course, we do need to tackle the last mile with IoT but we need to make sure security is a prime consideration. There are some key issues that should be top of the ‘to do list’.
Existing Wi-Fi suffered from poor access point validation, making it relatively easy to carry out Man in the Middle Attacks or subvert a connection. Profile validation by the device could eliminate this problem.
Then there’s the issue of the lowest common denominator. With IoT devices connecting with one another, and sharing the PSK, the security of the network could be determined by the least secure device on the local network. It would therefore be great to see Wi-Fi client segregation enforced by default in the new standard, with functionality available to open up services when explicitly required.
Joining up the IoT could pave the way for a hyperconnected world of automation. Or it could be the ultimate form of deperimeterisation, potentially exposing our home networks to attack from innumerable vectors. And that’s why we should scrutinise the standard we use for connectivity and ask ourselves is it an improvement on what we have and is it really good enough.
Pen Test Partners is an ethical hacking firm.