How to Secure Your Wi-Fi Router and Protect Your Home Network
We are all heavily relying on our home networks to work, learn, stay connected with family and friends and to keep us entertained; unfortunately, cyber villains are now hard at work trying to exploit our current situation. Luckily, there are a few easy steps you can take to lock your cyber-doors and prevent intruders from wreaking havoc on your home network.
In the following video, we’ll show you how to dead-bolt your home router with a custom password, strengthen your network firewall, kick out pesky, free-loading devices and clean out security protocol dead wood. It won’t prevent squabbles over who gets to use the tablet or lessen the allure of time-sucking cat videos, but it will help keep you and your family cyber-safe.
Revisiting Security Fundamentals
It’s Cybersecurity Awareness Month—time to study up!
Cybersecurity is a complex topic. The engineers who address cybersecurity must not only be security experts; they must also be experts in the technologies they secure. In addition, they have to understand the ways that the technologies they support and use might be vulnerable and open to attack.
Another layer of complexity is that technology is always evolving. In parallel with that evolution, our adversaries are continuously advancing their attack methods and techniques. How do we stay on top of that? We must be masters of security fundamentals. We need to be able to start with foundational principles and extend our security tools, techniques and methods from there: Make things no more complex than necessary to ensure safe and secure user experiences.
In celebration of Cybersecurity Awareness Month, I’d like to devote a series of blog posts to address some basics about security and to provide a fresh perspective on why these concepts remain important areas of focus for cybersecurity.
At the most basic level, the three primary goals of security for cable and wireless networks are to ensure the confidentiality, integrity and availability of services. NIST documented these concepts well in its special publication, “An Introduction to Information Security.”
- Confidentiality ensures that only authorized users and systems can access a given resource (e.g., network interface, data file, processor). This is a pretty easy concept to understand: The most well-known confidentiality approach is encryption.
- Integrity, which is a little more obscure, guards against unauthorized changes to data and systems. It also includes the idea of non-repudiation, which means that the source of a given message (or packet) is known and cannot be denied by that source.
- Availability is the uncelebrated element of the security triad. It’s often forgotten until failures in service availability are recognized as being “a real problem.” This is unfortunate because engineering to ensure availability is very mature.
In Part 1 of this series, I want to focus on confidentiality. I’ll discuss integrity and availability in two subsequent blogs.
As I mentioned, confidentiality is the security function that most people are aware of. Encryption is the most frequently used method to assure confidentiality. I’m not going to go into a primer about encryption. However, it is worth talking about the principles. Encryption is about applying math using space, power and time to ensure that only parties with the right secret (usually a key) can read certain data. Ideally, the math used should require much greater space, power or time for an unauthorized party without the right secret to read that data. Why does this matter? Because encryption provides confidentiality only as long as the math used is sound and the corresponding amount of space, power and time for adversaries to read the data is impractical. That is often a good assumption, but history has shown that over time, a given encryption solution will eventually become insecure. So, it’s a good idea to apply other approaches to provide confidentiality as well.
What are some of those approaches? Ultimately, the other solutions prevent access to the data being protected. The notion is that if you prevent access (either physically or logically) to the data being protected, then it can’t be decrypted by unauthorized parties. Solutions in this area fall primarily into two strategies: access controls and separation.
Access controls validate that requests to access data or use a resource (like a network) come from authorized sources (identified using network addresses and other credentials). For example, an access control list (ACL) is used in networks to restrict resource access to specific IP or MAC addresses. As another example, a cryptographic challenge and response (often enabled by public key cryptography) might be used to ensure that the requesting entity has the “right credentials” to access data or a resource. One method we all use every day is passwords. Every time we “log on” to something, like a bank account, we present our username (identification) and our (hopefully) secret password.
Separation is another approach to confidentiality. One extreme example of separation is to establish a completely separate network architecture for conveying and storing confidential information. The government often uses this tactic, but even large enterprises use it with “private line networks.” Something less extreme is to use some form of identification or tagging to encapsulate packets or frames so that only authorized endpoints can receive traffic. This is achieved in Ethernet by using virtual LANs (VLANs). Each frame is tagged with a VLAN tag by the endpoint or by the switch to which it connects, and only endpoints in the same VLAN can receive traffic from that source endpoint. Higher network layer solutions include IP virtual private networks (VPNs) or, sometimes, Multiprotocol Label Switching (MPLS).
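The two non-encryption strategies just described, an address-based ACL and VLAN separation, as one added example (not CableLabs code). It parses a constructed 802.1Q-tagged Ethernet frame, then decides which ports of a small access switch may receive it; the port layout, ACL entries and sample addresses are all assumptions.

```python
"""Added example (not CableLabs code): parse an Ethernet frame, honour its
802.1Q VLAN tag for separation, and apply an address-based ACL for access
control. All frames are constructed samples built by build_frame()."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]   # None when no 802.1Q tag is present
    src_ip: Optional[str]    # None for non-IPv4 payloads
    dst_ip: Optional[str]


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode dst/src MAC, an optional 802.1Q tag and the IPv4 addresses."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    off, vid = 14, None
    if etype == ETHERTYPE_VLAN:
        tci, etype = struct.unpack("!HH", raw[off:off + 4])
        vid = tci & 0x0FFF            # low 12 bits of the TCI carry the VLAN ID
        off += 4
    src_ip = dst_ip = None
    if etype == ETHERTYPE_IPV4:
        if len(raw) < off + 20:
            raise ValueError("truncated IPv4 header")
        src_ip = str(ipaddress.IPv4Address(raw[off + 12:off + 16]))
        dst_ip = str(ipaddress.IPv4Address(raw[off + 16:off + 20]))
    return Frame(_mac(dst), _mac(src), vid, src_ip, dst_ip)


def build_frame(dst_mac: str, src_mac: str, vid: Optional[int],
                src_ip: str, dst_ip: str) -> bytes:
    """Build a constructed sample frame (minimal IPv4 header, no payload)."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))
    hdr = mac(dst_mac) + mac(src_mac)
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return hdr + ip


class AccessSwitch:
    """Every port is an access port in exactly one VLAN. A frame is flooded
    only to ports of the same VLAN, and only if its source passes the ACL."""

    def __init__(self, port_vlan: dict, allowed_src_nets, allowed_src_macs=()):
        self.port_vlan = port_vlan
        self.allowed_nets = [ipaddress.ip_network(n) for n in allowed_src_nets]
        self.allowed_macs = {m.lower() for m in allowed_src_macs}

    def acl_permits(self, f: Frame) -> bool:
        """ACL in the sense of the post: permit by source MAC or source IP."""
        if f.src_mac in self.allowed_macs:
            return True
        if f.src_ip is None:
            return False
        ip = ipaddress.ip_address(f.src_ip)
        return any(ip in n for n in self.allowed_nets)

    def egress_ports(self, raw: bytes, ingress: str) -> list:
        f = parse_frame(raw)
        port_vid = self.port_vlan[ingress]
        # Separation: an endpoint cannot move itself into another VLAN by
        # tagging its own frames; a tag that disagrees with the access port's
        # VLAN is dropped. Untagged frames inherit the port's VLAN.
        if f.vlan_id is not None and f.vlan_id != port_vid:
            return []
        if not self.acl_permits(f):
            return []
        return sorted(p for p, v in self.port_vlan.items()
                      if v == port_vid and p != ingress)
```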
Threats to Confidentiality
What are the threats to confidentiality? I’ve already hinted that encryption isn’t perfect. The math on which a given encryption approach is based can sometimes be flawed. This type of flaw can be discovered decades after the original math was developed. That’s why it’s traditionally important to use cipher suites approved by appropriate government organizations such as NIST or ENISA. These organizations work with researchers to develop, select, test and validate given cryptographic algorithms as being provably sound.
However, even when an algorithm is sound, the way it’s implemented in code or hardware may have systemic errors. For example, most encryption approaches require the use of random number generators to execute certain functions. If a given code library for encryption uses a random number generator that’s biased in some way (less than truly random), the space, power and time necessary to achieve unauthorized access to encrypted data may be much less than intended.
One threat considered imminent to current cryptography methods is quantum computing. Quantum computers enable new algorithms that reduce the power, space and time necessary to solve certain specific problems, compared with what traditional computers required. For cryptography, two such algorithms are Grover’s and Shor’s.
Grover’s algorithm. Grover’s quantum algorithm addresses the length of time (number of computations) necessary to do unstructured search. This means that it may take half the number of guesses necessary to guess the secret (the key) to read a given piece of encrypted data. Given current commonly used encryption algorithms, which may provide confidentiality against two decades’ worth of traditional cryptanalysis, Grover’s algorithm is only a moderate threat—until you consider that systemic weaknesses in some implementations of those encryption algorithms may result in less than ideal security.
Shor’s algorithm. Shor’s quantum algorithm is a more serious threat specifically to asymmetric cryptography. Current asymmetric cryptography relies on mathematics that assume it’s hard to factor integers down to primes (as used by the Rivest-Shamir-Adleman algorithm) or to guess given numbers in a mathematical function or field (as used in elliptic curve cryptography). Shor’s quantum algorithm makes very quick work of factoring; in fact, it may be possible to solve these problems nearly instantly given a sufficiently large quantum computer able to execute the algorithm.
It’s important to understand the relationship between confidentiality and privacy. They aren’t the same. Confidentiality protects the content of a communication or data from unauthorized access, but privacy extends beyond the technical controls that protect confidentiality to the business practices of how personal data is used. Moreover, in practice, a security infrastructure may require some data to be encrypted while in motion across a network, but perhaps not when at rest on a server. Also, while confidentiality, in a security context, is a pretty straightforward technical topic, privacy is about rights, obligations and expectations related to the use of personal data.
Why do I bring it up here? Because a breach of confidentiality may also be a breach of privacy. And because application of confidentiality tools alone does not satisfy privacy requirements in many situations. Security engineers – adversarial engineers – need to keep these things in mind and remember that today privacy violations result in real costs in fines and brand damage to our companies.
Wow! Going through all that was a bit more involved than I intended – let’s finish this blog. Cable and wireless networks have implemented many confidentiality solutions. WiFi, LTE, and DOCSIS technology all use encryption to ensure confidentiality on the shared mediums they use to transport packets. The cipher DOCSIS technology typically uses is AES128, which has stood the test of time. We can anticipate future advances. One is a NIST initiative to select a new lightweight cipher – something that uses less processing resources than AES. This is a big deal. For just a slight reduction in security (measured using a somewhat obscure metric called “security bits”), some of the candidates being considered by NIST may use half the power or space as compared to AES128. That may translate to lower cost and higher reliability of endpoints that use the new ciphers.
Another area the cable industry, including CableLabs, continues to track is quantum-resistant cryptography. There are two approaches here. One is to use quantum technologies (to generate keys or transmit data) that may be inherently secure against quantum-computer-based cryptanalysis. Another approach is to use quantum-resistant algorithms (e.g., new math that is resistant to cryptanalysis using Shor’s and Grover’s algorithms) implemented on traditional computing methods. Both approaches are showing great promise.
There’s a quick review of confidentiality. Next up? Integrity.
Want to learn more about cybersecurity? Register for our upcoming webinar: Links in the Chain: CableLabs' Primer on What's Happening in Blockchain. Block your calendars. Chain yourselves to your computers. You will not want to miss this webinar on the state of Blockchain and Distributed Ledger Technology as it relates to the Cable and Telecommunications industry.
Driving Increased Security in All IoT Devices
CableLabs engages with the IoT industry and the broader stakeholder community, including governments, to help drive increased IoT device security. The rapid proliferation of IoT devices has the potential to transform and enrich our lives and to drive significant productivity gains in the broader economy. However, the lack of sufficient security in a meaningful number of these newly connected devices creates significant risk to consumers and to the basic functionality of the Internet. Insecure IoT devices often serve as building blocks for botnets and other distributed threats that in turn perform DDoS attacks, steal personal and sensitive data, send spam, propagate ransomware, and more generally, provide the attacker access to the compromised devices and their connections.
To help address the challenge of insecure IoT, CableLabs along with 19 other industry organizations came together to develop “The C2 Consensus on IoT Device Security Baseline Capabilities,” released earlier this week. The broad industry consensus identifies cybersecurity baseline capabilities that all new IoT devices should have, as well as additional capabilities that should be phased in over time. The development kicked off in March with a workshop hosted by the Consumer Technology Association (CTA). Over the past months, the group has coalesced around the identified cybersecurity capabilities. These include capabilities in the areas of device identity, secured access, data protection and patchability, among others.
CableLabs has also engaged with the National Institute of Standards and Technology (NIST) as it develops its recently released draft report, “Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers.” Both industry and governments largely agree on the capabilities that must be included to increase device security. Like the C2 Consensus, NIST focuses on foundational cybersecurity capabilities, including device identity, secure access, patchability of firmware and software, protection of device configuration and device data, and cybersecurity event logging.
The cybersecurity capabilities identified in the C2 Consensus and NIST will help prevent and minimize the potential for exploitation of IoT devices. Both documents provide a strong foundation and help point IoT manufacturers in the right direction on how to increase device security. However, cybersecurity is an ongoing journey, not a destination. Security practices must evolve and continue to improve to address new and emerging threats and changes in technology. This foundation must continue to be built on over time.
CableLabs has long been a leader in the development of security technologies. For decades, CableLabs has helped guide the cable industry in incorporating many of the identified security capabilities into cable devices and has ensured the maintenance and advancement of these capabilities over time. For instance, since the first DOCSIS specification in 1997, CableLabs has helped ensure the protection of data: All traffic flows between each cable modem and the CMTS are encrypted to protect the confidentiality and integrity of those transmissions. This is not a once-and-done process; CableLabs has and must continue to advance the cryptography used in cable devices to protect against new and more powerful brute force attacks and other potential threats. Similarly, nearly 20 years ago, CableLabs adopted PKI-based digital certificates to support strong device identity and authentication for devices connecting directly to the cable network (e.g., cable modems, Internet gateways, set-top boxes). Since the initial implementation, CableLabs has continued to advance its PKI implementation to address new and emerging threats.
CableLabs has leveraged its experience and success in developing and implementing cybersecurity technologies in cable devices to help drive increased security in IoT devices. The underlying fundamentals, as well as many of the approaches to implementing them, are transferable to IoT, as detailed in our white paper, “A Vision for Secure IoT.” We’ve engaged not only with the C2 Consensus and NIST’s IoT security efforts, but also with industry specification organizations, specifically the Open Connectivity Foundation (OCF), to develop secure interoperability for IoT devices. OCF has implemented nearly all of the identified capabilities in its specification, tests for the capabilities in its certification regime, and provides the capabilities, free of charge, in its open source reference implementation – IoTivity.
Since publishing “A Vision for Secure IoT” in the summer of 2017, industry and the broader stakeholder community, including governments, recognize and have begun to address the challenge of insecure IoT.
Micronets: Enterprise-Level Security Is No Longer Just For Enterprises
Today we are introducing CableLabs® Micronets, a framework that simplifies and helps secure increasingly complex home and small business networks.
As we add devices to our networks such as cell phones, computers, printers, thermostats, appliances, lights and even medical monitors, our networks become more susceptible to intrusions. Micronets automatically segments devices into separate, policy-driven trust domains to help protect the devices, data and the user. Agile and easy-to-use, Micronets gives consumers increased protection and control of their local network without overwhelming them with technical details. Micronets reduces the risks associated with vulnerable devices but is not a substitute for strong device security.
The Micronets Advantage: Smart Security and Ease of Use
CableLabs Micronets is an advanced network management framework that utilizes three components to provide enhanced security:
Automated Networked Devices: While CableLabs is not the first organization to introduce the concept of network segmentation, Micronets’ primary advantage is in its implementation. The Micronets framework uses advanced mechanisms like device fingerprinting and Manufacturer Usage Description (MUD) to intelligently group networked devices into dynamically managed trust domains or “micronets.”
For example, children’s devices are assigned to one micronet, home automation on another and so on. If one device is compromised, devices on the other micronets will not be visible to the attacker. The system will automatically quarantine the infected device, minimizing the risk to the network and other connected devices. While the system is largely autonomous, the user has the visibility and control to adjust trust domains and add new devices.
Seamless User Experience: Micronets provides a layer of dynamic management and secure credential provisioning that hides the complexity associated with network orchestration and focuses on improving the user experience. It’s a self-organizing platform that’s very easy to use and control which is a major benefit to an average customer who lacks the time and knowledge required for manual network administration.
Adaptive Devices: The Micronets framework also includes an intelligence layer that manages the connectivity between the individual trust domains, the Internet and third-party provider services. Because security threats continuously evolve, Micronets is built to evolve as well. State-of-the-art identity management and cloud-based intelligence technologies, like machine learning and neural networks, are leveraged to provide adaptive security that can evolve over the years, thereby providing a solution that will work for today’s as well as tomorrow’s needs.
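The trust-domain behaviour described under “Automated Networked Devices” (automatic grouping, user override, quarantine of a compromised device, no visibility across micronets), as an added illustration that is not CableLabs’ Micronets code. The fingerprint table, the micronet names, the default low-trust domain for unknown devices and the rule format are all assumptions.

```python
"""Added illustration (not CableLabs Micronets code): a minimal trust-domain
policy. Devices land in a micronet from a fingerprint/MUD-style hint, the
user may override, a compromised device is quarantined, and lateral traffic
is permitted only inside a micronet unless the user approves a cross-domain
pair. Default deny everywhere else."""
from dataclasses import dataclass, field

QUARANTINE = "quarantine"
INTERNET = "internet"

# Constructed fingerprint -> micronet table (assumption; a deployment would
# derive this from device fingerprinting and MUD files).
FINGERPRINT_TO_MICRONET = {
    "acme-thermostat": "home-automation",
    "acme-bulb": "home-automation",
    "kidtab": "children",
    "laptop": "trusted",
}


@dataclass
class Device:
    mac: str
    fingerprint: str
    micronet: str


@dataclass
class MicronetsManager:
    devices: dict = field(default_factory=dict)          # mac -> Device
    # Micronets whose members may reach the Internet (assumed policy).
    internet_allowed: set = field(
        default_factory=lambda: {"trusted", "children", "home-automation"})
    # (src_micronet, dst_micronet) pairs the user explicitly approved.
    cross_domain: set = field(default_factory=set)

    def onboard(self, mac: str, fingerprint: str, micronet: str = None) -> str:
        """Assign automatically; a user-chosen micronet overrides the table.
        Unknown fingerprints land in a low-trust domain rather than a shared one."""
        domain = micronet or FINGERPRINT_TO_MICRONET.get(fingerprint, "untrusted")
        self.devices[mac] = Device(mac, fingerprint, domain)
        return domain

    def quarantine(self, mac: str) -> None:
        """Isolate a device believed compromised: it loses all reachability."""
        self.devices[mac].micronet = QUARANTINE

    def permit(self, src_mac: str, dst: str) -> bool:
        """dst is another device's MAC or INTERNET. True if the flow is allowed."""
        src = self.devices[src_mac]
        if src.micronet == QUARANTINE:
            return False
        if dst == INTERNET:
            return src.micronet in self.internet_allowed
        d = self.devices.get(dst)
        if d is None or d.micronet == QUARANTINE:
            return False
        return (src.micronet == d.micronet
                or (src.micronet, d.micronet) in self.cross_domain)

    def flow_rules(self) -> list:
        """Render the policy as allow rules an SDN gateway could install;
        anything not listed is dropped by default."""
        rules = []
        for s in self.devices.values():
            for d in self.devices.values():
                if s.mac != d.mac and self.permit(s.mac, d.mac):
                    rules.append((s.mac, d.mac, "allow"))
            if self.permit(s.mac, INTERNET):
                rules.append((s.mac, INTERNET, "allow"))
        return rules
```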
Another benefit that Micronets can provide is enhanced security for highly sensitive devices or applications, through secure network extension via APIs. For example, Micronets can be used to establish a secure, end-to-end network connection between an Internet-connected medical device, like a glucose tester, and the cloud services of a healthcare provider. This enhanced capability provides confidentiality, integrity and availability of the medical device and the healthcare data to and from the device.
Micronets provides features, such as network isolation, similar to 5G network slicing but can operate across Wi-Fi and mobile networks. Micronets is focused on security of private networks (e.g., home networks and SMB networks) where 5G slicing is focused on different service segment performance levels of end to end networks. Since Micronets is an overlay technology, it’s compatible with existing networks, even 5G slicing, where 5G slicing is dependent on the broad deployment of the underlying 5G technologies.
Under the Hood: A Deeper Dive into How Micronets Works
Micronets has five major architectural components:
- Intelligent Services and Business Logic: This layer acts as the interface for the Micronets platform to interact with the rest of the world. It functions as a receiver of the user’s intent and business rules from the user’s services and combines them into operational decisions that are handed over to the Micronets Manager for execution.
- Micronets Manager: This critical element orchestrates all Micronets activities, especially flow switching rules between the home network, cable operator and third-party providers that allow the delivery of services. It also provides controls that allow the user to interact with the Micronets platform.
- Micronets Gateway: Micronets Gateway could be a cable modem, router, wireless access point, or LTE hub/femtocell. It’s a core networking component that uses Software Defined Networking (SDN) to define how Micronets services interact with the home network. It also oversees the entire device profile on the user network—both wired and wireless.
- The Home Network: All the devices on the customer’s home or SMB network are automatically organized into appropriate trust domains—or micronets—using the device identity and SDN based logic. However, the customer can always make manual changes through a user-friendly Micronets interface.
- Micronets API: Operator partners and third-party operators can interact with the Micronets Manager via secure APIs. Micronets ensures that third-party devices and services are secured through mutually authenticated and encrypted communication channels.
The Rollout: Getting Micronets In Homes and Business
- White Paper: Our white paper lays out the vision and architecture of Micronets in greater detail.
- Industry Partnerships: We’re working with our industry partners and cable operator members to bring Micronets to consumers. We are also working on implementing an easy-onboarding framework that builds on features from the Wi-Fi Alliance (WFA), namely EasyConnect and WPA3 security, and on the Internet Engineering Task Force (IETF) Manufacturer Usage Description framework, to enable the secure and seamless configuration and onboarding of consumer devices. We are also leading the development of a secure interoperability specification for IoT devices in the Open Connectivity Foundation. With Micronets, we’re making significant strides toward simplifying and securing increasingly complex networks.
- Code: We are releasing the reference code, currently under development, to the open source community in the coming months.
- Government Collaboration: We’re participating in and supporting government efforts like NIST’s National Cybersecurity Center of Excellence project on mitigating botnets in home and small business networks.
- Our Members and Vendors: We are planning on developing and publishing specifications for standardized APIs for advanced security services based on machine learning and device fingerprinting in collaboration with our members and vendors.
CableLabs has long been a leader in the development of security technologies for the delivery of video and broadband Internet access services. With Micronets we are bringing our expertise to the growing world of connected devices, for which security is a shared responsibility across the Internet ecosystem. Micronets helps mitigate the risks associated with insecure IoT, but is not a substitute for or alternative to the ongoing efforts to drive increased device security, to prevent vulnerabilities at their source.
Interested in working with the CableLabs team or hearing more about Micronets? Contact Darshak Thakore.
Technology in Your Everyday Life: Why You Should Pay Attention to Innovation
If you were around 30 years ago, you may recall using a payphone, writing a check, or strolling down the street with your Walkman. All of those conveniences of 30 years ago don’t seem all that convenient today. In just three decades, the span of CableLabs' entire existence, we went from analog to digital, from payphones to smartphones, from libraries to the internet. Now we wake up every day ready for the next big thing.
While you may get excited about the latest new device or app you probably don’t give much thought about what lies behind the next big thing. So long as the device or app works why should you care?
Reason #1: Cybersecurity
Like it or not, your life is online. This comes with many benefits, like convenience and accessibility, but also a few risks.
When CableLabs was formed in 1988, a huge chunk of our innovation efforts focused on television and improving the viewing experience. Fast forward to today: your TV is now connected to your network, just like your phone and a myriad of other smart devices you can’t live without. Many of them have digital eyes and ears, a.k.a. cameras and microphones, that aren’t secure. That’s why a lot of our work today centers on cybersecurity. Whether you’re streaming a YouTube video or making an online payment, it’s very important to use secure devices.
Cable operators have a long history of successfully defending against attackers seeking to steal your service, customer data and video content. We’ve enabled cable-based security technologies to be leveraged in the wider internet ecosystem, including in Wi-Fi hotspots, smart grid devices and medical communications through our subsidiary Kyrio. The cable industry also provides broad-based technology thought leadership on security through substantial contributions to the Internet Engineering Task Force (IETF), the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), Wi-Fi Alliance and the Broadband Internet Technical Advisory Group (BITAG), among other leading technical bodies.
Reason #2: Networks
You may not realize it, but bandwidth and network speed have become just as important as your other utilities. You can’t have the next big thing without them.
Just like we don’t care about electricity unless the lights go out, we don’t pay attention to how much data we use until it’s gone. We download and upload all day long without giving it much thought unless there is congestion somewhere on the network. As new bandwidth-hungry technologies, such as VR/AR, AI, and autonomous vehicles, become more mainstream, the demands on network bandwidth will increase. One of CableLabs’ main focus areas is building better and faster networks capable of supporting these new and future technologies.
Reason #3: Sustainability
Technology and its byproducts affect our planet, so how we innovate and use technology is just as important as the benefits it provides.
Recycling is great, but we can all do more. CableLabs’ unique position within the communications industry gives us an opportunity to drive policy priorities that focus on greener, more energy-efficient products. Through technological development and voluntary energy agreements with manufacturers, our industry has achieved rapid energy efficiency gains—proof that we can drive sustainability. That’s great for business and even better for our planet.
These are just a few of the many reasons to stay on top of technology and innovation trends. We’ve been doing it for the last 30 years! Please watch our Near Future videos and visit our 30th Anniversary site to learn more about CableLabs and how our technology affects your everyday life.
Do We Have Privacy Wrong?
Technology sparks changes in society, which brings changes in law, which can affect technology use and innovation. U.S. privacy law provides a good demonstration of this technology, society, and law cycle. Recognition of a need for a right to privacy didn’t occur until December 15, 1890, when Samuel Warren and Louis Brandeis published “The Right to Privacy” in the Harvard Law Review. Warren and Brandeis felt a need to develop this new right because of the prevalence of a new technology: inexpensive cameras. Cameras, particularly in the hands of the press, allowed for “unauthorized circulation of portraits of private persons.” We now have laws that regulate how and where cameras are used.
Financial vs. Mental
The Internet has given rise to a new collection of privacy concerns that we have yet to resolve. The difficulty in resolving the non–4th Amendment (government intrusion) privacy issues that arise with technology may not be because of what the technology creates but how we view privacy. Current legal solutions—such as the California Consumer Privacy Act of 2018 (effective January 1, 2020), which is itself based in part on the European General Data Protection Regulation, which went into effect May 25, 2018—focus on controlling data. This approach lumps together the financial harm that arises from identity theft with the mental harm that arises from privacy intrusion.
Confusing these two types of harm adds to the confusion that technology innovators may face regarding what data should be considered private. This, in turn, can negatively impact technical innovation as new innovations may create new types of data with uncertain legal implications. This negative impact could be lessened if intrusion-of-privacy concerns were decoupled from identity-theft concerns. That is, privacy should be less about data collection, storage and use and more about the tort of privacy intrusion. This is not to say that data protection isn’t important—particularly with regard to the financial impacts of identity theft—but rather that regulating data to limit privacy intrusion harm is akin to regulating how high someone can raise their arm while trying to protect against assault. (Assault, in a legal sense, is intentionally acting to cause the reasonable apprehension of an immediate harmful or offensive contact. This is different from battery, which is the harmful or offensive contact itself.)
A problem with regulating data as a means to protect against privacy intrusion is that it’s not always apparent that the data technology raises privacy implications. It isn’t likely that George Eastman considered the social impact of the Kodak camera’s ability to easily create and allow the sharing of a stranger’s image (“could he? should he?”). The many creators of the Internet couldn’t have reasonably foreseen what others might learn about us based on the apparently insignificant details of our Internet use scattered across the web, such as our IP address, websites visited, web pages visited, length of time spent on each web page, geographic location, what we post, and purchasing history—let alone the information we provide when we fill out forms.
Privacy Intrusion as Assault
Although the data you make available about yourself on the internet may not be apparent, what is apparent is what a privacy intrusion feels like to you. You feel vulnerable. To be vulnerable is to feel apprehension of mental harm, much as assault is the apprehension of physical harm.
Treating privacy intrusion like assault allows for the mental harm of privacy intrusion to be separated from the financial harm arising from identity theft. Separating these two types of harm results in more than just redress for the victims. It also allows the innovator to consider separately the identity theft and privacy intrusions that may arise in the implementation of the innovation rather than have to consider the legal implications in having identity theft and privacy intrusion lumped together. For example, online camera applications tend to have more privacy-intrusion risks whereas online payment applications tend to have more identity-theft risks. Clarity in the law helps the innovator identify the legal risks.
The cycle of technology impacting society, causing changes in the law, which then regulates technology is spinning faster than ever as a culture that favors innovation and disruption creates more technology faster than ever before. The right to privacy—one of the early U.S. legal creations to come from a new technology—is receiving a renewed focus. An intrusion of privacy, however, isn’t the same thing as identity theft. Lumping them together in the law helps neither the victim nor the innovator.
At CableLabs and Kyrio, we think about the social and legal impacts of innovation. We also create and bring to market technologies that enhance protections against identity theft and privacy intrusion.
Subscribe to our blog to learn more about law and innovation in the future.
But it’s Just a Light Bulb, Does it Need All This Security?
A version of this blog was published by S&P Global Market Intelligence.
In IoT security, one of the common arguments is about “how much security” a given device needs (as if we could measure that in grams). The typical example is usually a light bulb. The objective in asking the question this way is usually to vacate some or all of the security requirements for that class of device; the real question we care about, however, is the security available to protect the network, not just the device.
The light bulb question tricks us into thinking in the wrong frame: it focuses on the device and not the network.
- Why would anyone attack this?
- What would they do if they compromised it, turn my light on and off?
If an attacker were able to compromise the light bulb, they may initially test the compromise by switching it from on to off and back again, but then they would likely do nothing else that would signal that they have gained control over the device. The likely target was never the light bulb; it is just a means to an end and part of a larger attack vector.
The light bulb is an interesting initial attack target for several reasons. One of the most pertinent is the fact that the bulb has constant power. The light may be off, but the “smart” element of the bulb is awake and listening to network traffic. The bulb also has a network stack; this is how it communicates with the smart light switch, the rules engine, the family hub, or the owner's phone. This bulb isn’t just listening, it’s also transmitting on that network.
To do this work, the bulb also has a processor. Since custom hardware is expensive, that processor is likely general-purpose enough to perform many functions (so that the same part can be included in other IoT devices). The light bulb also has storage for maintaining state, auditing, and communication, and memory to run the operating system and the network stack. Additionally, the bulb includes drivers for the filament, LEDs, coloration, and dimming functions. Most importantly, when we onboard the light bulb into a network that allows us to control it, we provision that device with networking credentials.
These aspects of the smart bulb, combined with the extremely low chance of discovery and the perhaps even lower chance that the user will ever update its firmware or operating system, make it an excellent first attack point for a network. Once it is compromised, the attacker can cautiously watch the network, potentially interact with other devices on the same network (including cameras and sensors), spoof other devices, and even perform physical actions that could compromise the safety of the home’s inhabitants (e.g. by instructing the front door to unlock or turning the oven on).
It’s unlikely that anyone - other than a prankster or the neighbor whose house you insist on parking in front of - wants to turn your light off and on. That said, the likelihood of other malicious attacks, the ability to gain access to your network and to the other devices in your home make the light bulb a perfect first step in an attack. A well-known cybersecurity attack principle is lateral movement. An adversary compromises a less protected target on a network and then uses that device or system as a pivot point to perform reconnaissance, move laterally in the network, escalate privileges, and finally reach their objectives.
The ability to find devices such as a light bulb and attack them has never been easier; adversaries can use device identification tools (e.g. shodan.io) to find these light bulbs (both online and as a pin on a map) and then attack them. Some of these light bulbs provide discovery and introspection information that may make for easy interactions within the home but also allow attackers to look up specific attacks based on known vulnerabilities in that bulb’s device and firmware version. These attacks are carried out either locally from a radio within the attacker’s car, or from across the globe, if they’re internet-connected.
Once the light bulb is compromised, the attacker can move horizontally across the rest of the network, attempt to escalate privilege, interact with other devices, and even use legitimate devices to spoof interactions with outside equipment, other internet-connected services, or other bridged devices within the home. Underestimating the importance of security for all devices leaves holes in network security and is a path to risk exposure (financial, privacy, safety, litigation, and well-being). It’s not just a light bulb, it’s the network, and that network needs strong security.
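The pivot argument above implies a simple check a home gateway can run from the defender’s side: a constrained device such as a bulb legitimately talks to its controller (hub or owner’s phone app) and its vendor’s cloud, so any connection it initiates toward the camera or the door lock, or a burst of ports against one neighbour, is a lateral-movement indicator. This is an added example, not code from the original post or from CableLabs; every address, device name and flow record in it is constructed.

```python
"""Flag a constrained IoT device that starts reaching beyond its expected peers.

Added example (not from the original post). Policy: a 'constrained' device
may only initiate LAN traffic to its gateway or a controller; anything else
(camera, lock, unknown host) is reported, as is a spread of ports to one peer.
All addresses, names and flows are constructed for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")

# Constructed inventory: address -> (friendly name, role)
INVENTORY = {
    "192.168.1.1":  ("router", "gateway"),
    "192.168.1.10": ("family-hub", "controller"),
    "192.168.1.20": ("owner-phone", "controller"),
    "192.168.1.30": ("living-room-bulb", "constrained"),
    "192.168.1.40": ("front-door-camera", "sensor"),
    "192.168.1.50": ("front-door-lock", "actuator"),
}

ALLOWED_LAN_PEERS = {"gateway", "controller"}  # roles a bulb may initiate to
SCAN_THRESHOLD = 5  # distinct ports to one peer before we call it a scan


def role_of(addr):
    """Return (name, role); anything not in the inventory is 'unknown'."""
    return INVENTORY.get(addr, ("unknown", "unknown"))


def find_pivot_indicators(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port) for connections that
    src_ip initiated. Returns one alert dict per suspicious (src, dst) pair."""
    ports_by_pair = defaultdict(set)
    for src, dst, port in flows:
        if role_of(src)[1] != "constrained":
            continue  # only policing the bulb class in this check
        if ip_address(dst) not in LAN:
            continue  # vendor cloud / update servers: outside this check
        ports_by_pair[(src, dst)].add(port)

    alerts = []
    for (src, dst), ports in sorted(ports_by_pair.items()):
        reasons = []
        if role_of(dst)[1] not in ALLOWED_LAN_PEERS:
            reasons.append("unexpected-lan-peer")
        if len(ports) >= SCAN_THRESHOLD:
            reasons.append("port-scan")
        if reasons:
            alerts.append({"src": role_of(src)[0], "dst": role_of(dst)[0],
                           "ports": sorted(ports), "reasons": reasons})
    return alerts


# Constructed sample flows: (src, dst, dst_port)
SAMPLE_FLOWS = [
    ("192.168.1.30", "192.168.1.10", 5683),  # bulb -> hub (CoAP): expected
    ("192.168.1.30", "203.0.113.7", 443),    # bulb -> vendor cloud: not checked
    ("192.168.1.20", "192.168.1.30", 5683),  # phone -> bulb: phone is a controller
    ("192.168.1.30", "192.168.1.40", 554),   # bulb -> camera (RTSP): suspicious
    ("192.168.1.30", "192.168.1.50", 80),    # bulb -> lock: suspicious
    *[("192.168.1.30", "192.168.1.50", p) for p in (22, 23, 443, 8080, 8443)],
]

if __name__ == "__main__":
    for alert in find_pivot_indicators(SAMPLE_FLOWS):
        print(alert)
```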
At CableLabs, we are partnering with manufacturers and working to protect consumers and their networks; to do this, we are contributing device security expertise to IoT standards bodies like OCF and to open-source initiatives like IoTivity. Please join us in these initiatives, either as part of the creation and engineering process or by leveraging this work in your devices.
Blockchain Enters the Cable Industry
A version of this article appeared in Broadband Library.
Blockchain is one of today’s most discussed and visible technologies. Some technologists consider blockchain to be the most significant technological innovation since the dawn of the Internet. Many researchers have begun to see blockchain applied to Internet of Things (IoT) security, providing better consumer control and transparency of privacy rights and options, private and public sector voting, and more. And yet, to a significant segment of the population, blockchain remains a mystery. What is it? And how can it apply to the cable industry?
What Is Blockchain?
Finding a definition of blockchain that doesn’t involve a distributed database or a reference to Bitcoin can be difficult. Perhaps a simplistic but concise definition is that a blockchain is an immutable, distributed method of record-keeping for transactions—a ledger that is visible to the participating community.
- Immutable means that the information that a blockchain contains cannot be changed.
- Distributed means that the information is replicated among many participants (in Bitcoin terms, nodes).
- Ledger implies that the blockchain records transactions.
- Visible to the participating community means that every transaction recorded in the ledger is visible to every participant (user or implementer) of the blockchain.
In short, blockchain is a big deal. Its benefits are enabled through a synergy of cryptography—the application of math to protect data—and network algorithms that allow distributed systems to manage consensus. Combining these concepts, blockchain provides the ability to create a history of transactions that is significantly more expensive to change than it was to create. We’ve never had that ability before. Revisionist historians should be concerned!
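The four properties above can be seen in miniature with a hash-chained ledger: each block commits to its transactions and to the previous block’s hash, so an edited old transaction invalidates every later block, and a small proof-of-work makes appending cost real effort while rewriting history costs that effort again for the whole tail. This is an added illustration, not CableLabs’ code or any product’s; it models no network or consensus layer, and the transactions are constructed.

```python
"""Hash-chained ledger with a small proof-of-work.
Added illustration (not CableLabs' code): each block commits to its
transactions and to the previous block's hash, so editing an old
transaction invalidates every later block, and PoW makes rewriting cost
as much as re-creating the whole tail. No network or consensus layer is
modeled; all transactions below are constructed."""
import hashlib
import json

DIFFICULTY = 2  # leading hex zeros required; tiny so the demo is instant
GENESIS_PREV = "0" * 64


def block_hash(index, prev_hash, transactions, nonce):
    # Canonical JSON so every participant hashes identical bytes
    payload = json.dumps([index, prev_hash, transactions, nonce],
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def mine(index, prev_hash, transactions):
    """Search nonces until the hash meets DIFFICULTY; return (block, attempts)."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, transactions, nonce)
        if h.startswith("0" * DIFFICULTY):
            block = {"index": index, "prev_hash": prev_hash,
                     "transactions": transactions, "nonce": nonce, "hash": h}
            return block, nonce + 1
        nonce += 1


def append(chain, transactions):
    """Honest append: mine exactly one block on top of the current tip."""
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    block, _ = mine(len(chain), prev, transactions)
    chain.append(block)
    return block


def verify(chain):
    """Return (ok, first_bad_index): checks linkage, content hash and PoW."""
    for i, b in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        h = block_hash(b["index"], b["prev_hash"], b["transactions"], b["nonce"])
        if (b["prev_hash"] != expected_prev or h != b["hash"]
                or not h.startswith("0" * DIFFICULTY)):
            return False, i
    return True, None


def rewrite_cost(chain, index, new_transactions):
    """Hash attempts needed to alter block `index` and re-mine every later block."""
    total, prev = 0, (chain[index - 1]["hash"] if index else GENESIS_PREV)
    for i in range(index, len(chain)):
        txs = new_transactions if i == index else chain[i]["transactions"]
        block, attempts = mine(i, prev, txs)
        total, prev = total + attempts, block["hash"]
    return total


def demo():
    """Build a 3-block chain and a copy whose oldest payment was edited."""
    chain = []
    for txs in (["alice pays bob 5"], ["bob pays carol 2"], ["carol pays dan 1"]):
        append(chain, txs)
    tampered = json.loads(json.dumps(chain))
    tampered[0]["transactions"] = ["alice pays bob 500"]  # constructed edit
    return chain, tampered


if __name__ == "__main__":
    chain, tampered = demo()
    print("original verifies:", verify(chain))
    print("tampered verifies:", verify(tampered))
    print("attempts to rewrite block 0:", rewrite_cost(chain, 0, ["alice pays bob 500"]))
```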
Blockchain and Cable—Hype vs. Reality
To appreciate how blockchains can be applied to cable, we have to get past the hype. According to the hype:
- Blockchains are the best technology to solve every trust and security problem in existence. That’s simply not true.
- Blockchains are the secret to disintermediation, which allows the elimination of middlemen and the need for people to know who they’re dealing with. That’s certainly controversial, and it may be somewhat true. But how many people believe getting rid of the middleman works out well?
The reality is that blockchains allow us to create histories of transactions (which we used to call logs) with unprecedented integrity. Although that may seem somewhat boring, it is transformational. Transactions recorded on a blockchain become statements of fact. There are many use cases where this concept could build new types of relationships between operators and customers, between operators, and between regulators and the regulated. Information flows can now be synchronized with high fidelity. Transparency in business operations can be provided where legal and helpful.
2018—The Year of the Blockchain
Cable operators are developing capabilities now, but it’s too early to share successes and lessons learned. This year, 2018, is the year that cable starts to integrate blockchain solutions, but it will be quiet and subtle.
Should cable operators work together to create their own blockchains? Perhaps. Ensuring control of the software that enables a blockchain to work across multiple partners will be essential to the success of blockchain projects. Governance of the code base and the processes to develop consensus is at the heart of implementing blockchains. Although blockchain use cases are often subtle, they can also be business-critical once they’re mature.
Interested in learning more? Subscribe to our blog to stay current on blockchain and the cable industry.
CableLabs Hosts “Cyber Risks in an IoT World”
Security provides the fundamental trust that enables the growth of broadband, and as the number of connected devices grows rapidly, all actors must make it a priority. The cable industry’s security expertise and investment positions it to play a constructive role in this rapidly evolving, global challenge. Here at CableLabs, we continue to focus on cybersecurity in our innovation and R&D work, and we recognize the interdependence of public policy and technology developments in this area.
In that spirit, we recently hosted an event at our facilities in Colorado entitled Cyber Risks in an IoT World, which was co-presented by the Rocky Mountain Chapter of the Federal Communications Bar Association (FCBA) and Silicon Flatirons. Our primary goal was to shine a spotlight on key elements of federal cybersecurity policy and the evolving risk faced by enterprises in light of the rapid proliferation of Internet of Things (IoT) devices. The event featured Evelyn Remaley, Deputy Associate Administrator at the Office of Policy Analysis and Development of the National Telecommunications and Information Administration, U.S. Department of Commerce, among other notable speakers and attracted over 60 attendees from the local and regional technology policy and legal communities.
CableLabs’ Rob Alderfer kicked off the event by laying out the broader context, including the trends that are driving increased risk to consumers and the basic functionality of the Internet. With the constant barrage of new cyber incidents, often driven by IoT devices vulnerable to exploitation, governments at all levels are taking notice and grappling with the rapidly evolving threat. Cybersecurity is no longer the domain of the IT department, but rather a key area of governance for all enterprises. You can read more about our vision for improving IoT cybersecurity here.
Clete Johnson (Wilkinson Barker Knauer, LLP) provided a primer on federal cybersecurity policy that cast the Internet and enterprise networks as the battlefields, espionage platforms, and crime scenes of the 21st century. The current regulatory landscape can be subdivided into several broad areas: the threat environment, the policy environment, government activities, and the developing policy consensus across government and industry. The threat environment is characterized by an increasing number of increasingly severe attacks. These attacks originate from both non-state actors (organized crime groups, proxies for nation-states, hacktivists, and, potentially, terrorists) and state actors (Tier I intelligence services and their allies and partners). However, the line between non-state and state actors often blurs and these groups often overlap. Johnson also detailed the developing policy consensus that centers around dynamic, flexible risk management; a shared responsibility across all stakeholders; mutually beneficial public-private partnerships; and a move beyond “punish the victim” enforcement. This developing consensus is largely embodied in the Cybersecurity Executive Order and its implementation.
Evelyn Remaley (NTIA) delivered the keynote presentation on the Cybersecurity Executive Order, the developing Botnet Report required by the Order, and, more broadly, the NTIA’s work in cybersecurity through the multi-stakeholder process. Remaley emphasized that NTIA recognizes the complexity of the ecosystem and sees it as a multi-textured and evolving global system that requires an agile, inclusive cyber policy approach. Two truths underlie that perspective:
- To protect innovation, there must be stakeholder-driven policy outcomes that are flexible enough to adapt quickly to changes in technology.
- No single industry sector or the government will be able to solve the challenges facing the Internet ecosystem, because while the Internet is largely managed by the private sector, governments, civil society, and individuals all have key roles. Successfully addressing cyber threats requires collaborative efforts from across the Internet ecosystem. The ongoing effort to produce the Botnet Report is an example of this collaborative approach in action.
Panel Discussion with Evelyn Remaley
The panel discussion following Remaley’s presentation tackled both baseline questions around the incentives at play in the current IoT ecosystem and the upcoming Botnet Report’s role in addressing the risk of distributed threats, as well as practical questions about where the policy development process goes after the final report is released. Mark Walker moderated the panel discussion between Evelyn Remaley (NTIA), Michael Bergman (Consumer Technology Association), and Tracy L. Lechner (Brownstein Hyatt Farber Schreck, LLP). The panelists discussed the incentives misalignment that keeps a significant number of IoT providers from investing in better device security, including the perception that consumers do not place a significant value on security and that increased security comes at a significant cost (time and/or money). They also discussed the availability of effective security controls and the various industry efforts to drive increased adoption of those controls.
Panel Discussion on Risk Landscape for Enterprises
The final session, entitled The Risk Landscape for Enterprises: Attacks, Recovery, Liability, and Compliance, covered the cybersecurity threat landscape from the enterprise perspective. This panel was moderated by Blake Reid (University of Colorado Law School; Silicon Flatirons), who led the discussion with Paul Diamond (CenturyLink), John Diana (LogRhythm, Inc.), Ryan Howe (Webroot, Inc.), and Deborah Shinbein Howitt (Lewis, Bess, Williams & Weese, P.C.). The discussion focused on the challenges enterprises of all sizes face when tackling the rapidly changing cybersecurity risk landscape, including limitations on resources and talent, as well as the task of understanding and complying with the numerous legal obligations coming onto the scene. Much like developing a cybersecurity program, building up the required legal policies begins with identifying the most critical data a business handles (e.g., healthcare information, social security numbers, credit card information) and then creating incident response plans that meet the most stringent obligations in those areas first. The NIST Cybersecurity Framework was highlighted as providing an enterprise with a structured approach to assessing cybersecurity risks and developing a robust cybersecurity program that matches its unique needs.
As CableLabs continues to focus on developing new and innovative security technologies, we must continue to ensure we have a sound understanding of the rapidly evolving cybersecurity policy landscape, both here and abroad. But, just as importantly, policymakers should have a sound understanding of current and developing technologies. Events like this help bridge those gaps in understanding.
Cable’s Role in Cybersecurity
The cable industry does more than just provide internet connectivity for millions of customers: it also plays an active role in driving security in the broader internet ecosystem. Cable operators have a long history of successfully defending against attackers seeking to steal service, customer data and video content. The cable industry has been protecting the delivery of high-value video content for over 30 years through technology that has never been breached in a successful, scalable manner. Moreover, the industry has been setting fundamental broadband security features through cable internet access standards for over 20 years to ensure the confidentiality, integrity and availability of cable broadband services globally. As the details and motivations of attacks continue to evolve, so does the security incorporated by cable operators.
Of particular focus for CableLabs is the urgent need to address the risks associated with insecure internet-connected devices (“Internet of Things” or “IoT”). IoT represents the next major axis of growth for the internet. But, without a significant change in how IoT providers approach security, the explosion of connected devices increases the risk to consumers and to the basic functionality of the internet. The consensus forecast has the number of devices connected to the internet doubling (or more) between 2016 and 2020. To the extent these devices do not contain sufficient security, the number of potential attack vectors will multiply rapidly as IoT proliferates.
A Comprehensive Approach to Addressing Insecure IoT
A combination of mitigation and prevention is necessary to fully address the current and emerging threats posed by insecure IoT. The cable industry recognizes that addressing these security risks (e.g., botnets) is a shared responsibility across the entire internet ecosystem. To this end, cable operators have invested substantially in developing and deploying measures to reduce the risks associated with insecure IoT, including DDoS and other botnet attacks, with a primary focus on protecting networks to ensure the availability of broadband service.
Cable industry efforts to improve measures that seek to mitigate attacks against their networks and their customers include both individual and collaborative measures:
- The development and advancement of compromised-device detection and identification systems
- Customer notification and remediation programs
- Distributed denial of service (DDoS) monitoring and mitigation systems
- IP-address spoofing prevention technologies and cybersecurity information sharing systems
In addition to maintaining and expanding these existing techniques, CableLabs and cable operators are also working on next-generation networking technologies to help reduce these risks.
Although Internet Service Providers (ISPs), including cable operators, have been working on mitigating the effects of compromised and insecure devices for more than 15 years, these efforts ultimately only address the symptoms and not the root cause of the problem. The challenge of this task has already begun to outpace current and anticipated techniques. Unfortunately, IoT providers have not generally incorporated the needed security measures or committed to maintaining the security of their IoT devices. To fully address the risks posed by insecure IoT devices, IoT providers must drive increased security into future connected devices. Preventing compromised devices must be a substantial part of the industry’s shared responsibility in addressing the risks posed by insecure IoT to consumers and the internet.
Increasing IoT Security through an Industry-Led, Standards-Based Approach
Industry-led standards represent the most promising approach to increase IoT security. Given the global and constantly evolving nature of threats, the industry must utilize its expertise with a goal to develop, adopt and enforce fundamental IoT security measures. To achieve the needed level of security, an IoT security standard must address:
- Device identity
- Authentication, authorization, and accountability (onboarding)
- Lifecycle management
- Future (upgradable) security
A robust technical standard is necessary, but not sufficient. To establish value and credibility in the marketplace, an open and balanced development organization must be established to ensure due process and consensus, drive widespread adoption of the standard, address the intellectual property rights of participants and ensure conformity through strong certification testing and enforcement of the standard.
To this end, CableLabs and a number of cable operators are actively engaged in the Open Connectivity Foundation (OCF). The OCF is an industry effort to develop an open specification to enable connected devices to securely communicate with one another regardless of manufacturer, operating system, chipset or physical transport. OCF membership is broad-based with over 300 members, including leading companies at all levels of the IoT space – silicon, software, platform and finished-goods. CableLabs and Comcast hold board seats and CableLabs chairs the Security Work Group of OCF. In addition, CableLabs contributes to IoTivity, a Linux Foundation Collaborative Project sponsored by OCF, which provides an open source reference implementation of the OCF specification that will further enable broad adoption.
Engaging with the Broader Internet Ecosystem
CableLabs and the cable industry have enabled cable-based security technologies to be leveraged in the wider internet ecosystem, including in Wi-Fi hotspots, smart grid devices and medical communications, through CableLabs’ subsidiary, Kyrio. The cable industry also provides broad-based technology thought leadership on security through substantial contributions to the Internet Engineering Task Force (IETF), the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), Wi-Fi Alliance and the Broadband Internet Technical Advisory Group (BITAG), among other leading technical bodies.
Broadband service continues to become more integral to economic activity and social connectivity. The number of connected people and devices continues to grow, as does broadband network capacity and performance. Security provides the fundamental trust that enables these trends, and as the internet ecosystem grows, all actors must make it a priority.