
24.03.2026


Cybersecurity: “Even Smart Light Bulbs Harbor Risks”

Interview With Computer Science Expert Johannes Kinder on Digital Security in Everyday Life

The vacuum cleaner robot does the rounds, the heating regulates itself automatically and the lighting responds to an app. Every new device makes private households more convenient – and less secure. Under the aegis of ForDaySec, a Bavarian research association that is soon to be wound up, MCML Associate Johannes Kinder, chair of Programming Languages and AI at LMU, investigates how digitally secure our everyday life is and how connected devices can – not just in the short term – be guarded against undesirable access.

Within the framework of ForDaySec, researchers apply themselves to “security in everyday digitization”. What exactly does that mean?

Johannes Kinder: Conventional IT security research concentrates primarily on the technology itself: on cryptographic methods, secure networks and software vulnerabilities, for example. ForDaySec broadens this perspective. We are interested in what digital security looks like in everyday life. Why? Because digital systems in the home are not assembled in response to a plan: They grow over a number of years. New elements – a smart TV, a camera, a thermostat or a vacuum cleaner robot – are added every Christmas, every Black Friday. Gradually, they build up into a complex digital environment comprising many components from different vendors, and users can scarcely keep track of the overall system that takes shape.

Your research focuses on what has been termed the hardening of firmware. What is that?

Firmware is software that runs on and is built into a device. It controls key functions and is what makes a device “smart” in the first place. It can communicate with apps, cloud services and other devices. In this context, there are many areas that can turn out to be vulnerabilities: in the code itself, in network communication and in the vendor’s cloud services. Our goal is to identify any such security loopholes and to selectively modify the software in such a way that potential attacks are prevented. That is especially important for devices for which the vendors no longer provide updates.

Updates Through the Ventilation Slot

What is technically possible when there are no further updates?

You can sometimes update the firmware over the network – via WLAN, for example, or using an existing update function. In other cases, we have to be more creative and use special contact points on the PCBs inside many devices that were originally intended for production or maintenance purposes. To access these boards, though, you usually have to open the device.

The contact points then give us direct access to the memory, where we can install a new version of the firmware. To do that, we connect the device to a computer and deliberately overwrite the existing software, just like the vendor would do with a regular update. In some cases, we can even access these points through ventilation slots or other apertures without having to take the whole thing apart. There was one connected camera, for instance, where we were able to use tiny pins on the PCB to install an updated version of the software and patch a known vulnerability.

Sounds complicated. What can private users who don’t have this kind of technical expertise do?

True, this is not the kind of thing private users can or should be doing themselves. Looking ahead, specialized third-party providers could play an important role in maintaining devices, providing security updates and continuing to operate systems after vendors have discontinued support. We are already familiar with similar models in other areas such as the maintenance of computers and smartphones.

For private individuals, the most important thing is to pay close attention to security aspects when first buying a device. One example is to clarify whether the vendor supplies regular updates and how long these are guaranteed. In many cases, purchase decisions revolve primarily around functionality and price issues, whereas security and maintenance considerations are scarcely regarded. Yet precisely these considerations determine how long a device can be used securely and reliably.

The ForDaySec association has been around for four years. How has the smart device landscape changed in this time?

Firstly, some devices have now reached the end of their service life and vendors are discontinuing support. One manufacturer of vacuum cleaner robots, for example, recently announced that certain models would no longer be supported. They can no longer be operated via the app, but only at the push of a button, which deprives them of much of their functionality. As a result, a lot of electronic waste could be generated – a problematic development for reasons of sustainability, too.

Above all, though, we are seeing a further significant increase in the spread of smart devices. If you go out today and buy a new household appliance, you can hardly get one that doesn’t have any digital components. Even heaters, air-conditioning systems and dishwashers are often connected to apps.

Misuse as Tools of Control

What specific security consequences can devices that are not secure have?

Unsafe devices can have very direct consequences, such as if the heating fails, a digital door lock won’t open, surveillance cameras no longer record anything or connected smoke alarms and other alarm systems no longer trigger warnings.

Most risky of all are devices fitted with microphones and cameras that, in worst-case scenarios, can be misused for surveillance. But even seemingly harmless devices such as refrigerators can become a security risk if they are connected to other smart devices and thus disclose sensitive information.

Even the wireless communication emitted by intelligent light bulbs can allow conclusions to be drawn about whether anyone is home or in what room a person is. This kind of information can be abused in the case of break-ins, for instance, or to check up on people within toxic relationships. These risks often arise not from a single device, but from the interplay of lots of connected components.

At ForDaySec, you take an interdisciplinary approach to studying this problem. What have you learned from other disciplines?

Collaborating with legal professionals was important. They investigate such aspects as the obligations of vendors to provide updates and when a product’s inability to be updated becomes a legal issue – as in cases where a device would have to be opened for a security update.

Working together with ethnographers too has been exceptionally instructive. They don’t just look at technical roles such as “administrators” and “members”: They also look at the real people behind these roles – the mother, the father, the grandmother. Seeing this perspective helps you understand how digital systems are used in practice and how security risks arise. What happens when a child who has always looked after the updates moves out?

The Internet of Things – Gaining Ground in Private Homes

What are the most important findings of your subproject?

We now have a far better understanding of how the software is actually structured in smart home appliances. And it has become apparent that many devices – from vacuum cleaner robots to surveillance cameras – are based on the same software modules and operating system components. That is why weak points in these components can affect lots of different devices and vendors at the same time.

We were also able to show that many such devices can be secured retroactively. In several cases, we succeeded in analyzing the firmware, plugging known security loopholes and thus making the devices more resilient in the face of attacks – even when the vendor was no longer providing updates.

Smart light bulbs photographed during a presentation at the IFA 2025 international consumer electronics trade show at the Berlin Exhibition Grounds.

At the same time, we gained a better understanding of where the limits of such approaches lie – such as when the technology in such devices is largely inaccessible, or when important information about the software is missing. This knowledge helps us to more systematically identify typical security problems and develop new protective mechanisms – especially for devices that are already in use in many households.

The ForDaySec findings are channeled directly into our ongoing research. Our aim is to develop methods with which connected household devices can be operated securely in the long run, even above and beyond the vendor’s officially rated service life.

What open issues do you see as particularly pressing?

In the context of cybersecurity, the focus of public debate is mostly on critical infrastructures such as power and water utilities. Yet we often overlook the fact that digital systems in private homes have now also become a pivotal infrastructure: what is known as the Internet of Things in private households. Every smart doorbell and every connected household appliance expands this private network, which grows bigger, more complex – and more vulnerable to defects and attacks.

Heaters, cameras, solar installations, medical devices, you name it: If one of them fails or is no longer maintained by the vendor, that can have direct and tangible consequences for the entire connected system in a private home. That is why one of the most urgent challenges in cybersecurity research is understanding how secure and resilient the digital networks in our own four walls really are.

ForDaySec

Coordinated by the University of Passau, the Bavarian research association “Security in Everyday Digitization” (ForDaySec) focuses on developing technologies and solutions that enable digital devices to be used securely across many different aspects of everyday life and work. To this end, five Bavarian universities have pooled their interdisciplinary expertise to bring together research in the fields of computer science, law and sociology. Funded by the Bavarian State Ministry of Science and Arts, ForDaySec will be wound up after a four-year stint at the end of March.
