In the IoT Smart Home, Hack-Proof Security Will Be the Differentiator

By Raoul Wijgergangs

Porous security in the Internet of Things will do more damage than just stopping forward-thinking industries from reaching their business potential.

We've been seeing growth in the number and scope of cyber-attacks for the past few years, but fall 2016 will be remembered for one of the largest cyber-attacks in U.S. history. The intended target of the distributed denial-of-service (DDoS) attack was bombarded with traffic from tens of millions of IP addresses around the world, which ultimately took down internet giants like Twitter, Spotify and PayPal before the damage could be contained.

Some of the sources of the concerted DDoS attacks were smart-home devices connected to the internet. These had been remotely infected with malware, which took advantage of lax, or sometimes non-existent, security settings. One manufacturer of popular IP security cameras, sold worldwide under many brand names, was identified as a primary culprit. Tens of thousands of cameras were shipped with poorly implemented security, unfriendly password tools for users, and outdated software inclusions that left the door wide open for hackers and malicious code.

This attack was an eye-opener for the IoT development community, as well as for consumers. Multiply this one example by the tens of millions of IoT devices installed worldwide, and it's clear how the lack of robust security for smart devices could lead to cataclysmic market problems. Porous security in the Internet of Things will do more damage than merely stopping forward-thinking industries from reaching their business potential. It will also mean constant, permanent risk of theft and malicious activity for consumers and businesses everywhere, from now on.

What Is the Security Price?
When manufacturers and developers think about smart objects, their first focus is on the abilities of these devices to perform certain tasks. Then, they also have to think about how to make the devices simple for the installer and end user to utilize. In the case of battery-operated devices, they also must devote significant commercial and technological overhead to making them as energy-efficient as possible. Once the obvious feature and benefit goals have been achieved, the product or service must then, of course, meet the prime commercial consideration: it has to make economic sense to sell, install and buy.

Achieving all these requirements while speeding products to market in a fast-moving, competitive landscape can be challenging—so much so, in fact, that the device's security integrity is often an afterthought, despite its critical importance. Whether through device-to-device communications inside the home or data sent from the home to the cloud, the inviolability of smart devices must now become a requirement for IoT product development.

Z-Wave S2: Making the Smart Home Hacker-Proof
Z-Wave has put security front and center to extend its position as a leading enabling technology for smart homes. The protocol has always employed the same robust AES encryption used in online banking, but the technology's latest implementation features the S2 Security Framework, which takes impermeability to even higher levels. The S2 Framework, which is already resident in the latest Z-Wave devices, is about to become a requirement for all Z-Wave-certified products. S2 Security is an ambitious initiative to make smart homes hacker-proof.

With S2 security, Z-Wave devices are able to utilize a PIN or QR code during installation. This means that as Z-Wave nodes are added to a smart-home network, there is no vulnerability during the all-important pairing process, whether from an innocent neighbor's smart-home devices, or from a remote hacker's "sniffing" software.

Additionally, S2 authentication pre-empts two common hacking techniques used on smart objects. Both "man-in-the-middle" attacks, in which an attacker secretly relays or alters communication between two devices, and "brute force" attacks, which employ trial and error to crack user passwords, are blocked by S2.

Because most security breaches originate from outside the home via the internet, Z-Wave offers a Z/IP Gateway solution for securing cloud communications. This technology sends all household IoT communications traffic—including that from devices not powered by Z-Wave—through a secure TLS 1.1 tunnel. In this way, Z-Wave's S2 Security essentially encrypts all correspondence between the smart home and the internet.

Sigma Designs is so confident in Z-Wave's S2 Security that it has put the specification into the public domain, in order to invite scrutiny and challenges to its capabilities. In an IoT market crowded with challengers, ranging from established industry leaders to crowdfunded newcomers, Z-Wave's mandate of state-of-the-art security measures for both devices and cloud applications currently stands alone. We have taken these steps because at Z-Wave, we believe that features and pricing alone can no longer drive adoption in the competitive IoT market. Hacker-proof security is the ultimate IoT differentiator, and it is our job to help developers achieve that worthy goal.

Raoul Wijgergangs is the VP of the Z-Wave Business Unit at Sigma Designs, a company that designs and builds semiconductor-based technologies for IoT-based smart-home and media devices. A veteran in the smart-home IoT industry, Wijgergangs joined Zensys, the founding company of the Z-Wave communication protocol, in 2004. Zensys was acquired by Sigma Designs in 2008. Prior to working at Zensys, he spent a decade at Philips, where he held key positions, including senior director of global sales and marketing for Wi-Fi and Bluetooth. Wijgergangs also helped found Arcadyan, a Philips joint venture with Accton. He holds a Bachelor of Engineering degree in computer science and an M.B.A. degree from the University of Twente, in the Netherlands.