For a while now I’ve been working to define an architecture for securing homes from cyber threats – not just your PC or Mac – we have that covered with our award winning products – I’m worried about your TV, your game console, your digital thermostat – all the other “computers” in your home which could be spying on you, or could be misused by a hacker to do evil things.
The obvious approach seems to be to just filter your home traffic, perhaps at your ISP, but somewhere out of your home in the great “Cloud” of the internet – but there are some big problems with that approach, and even bigger security concerns – Here’s my take on why cloud based security is just not going to fly for the average homeowner…
1. Privacy. Keeping what I do to myself.
Cloud based systems rely on understanding what you’re doing, and what websites you’re trying to access – they can only protect you from things they know about.
The Internet however is moving rapidly towards using encrypted links wherever possible – HTTPS etc. This is a positive move, because it ensures that no one can “snoop” traffic and credentials within intermediate networks. Without encryption, anyone with access to the numerous networks between you and the website (or other internet service you’re accessing) can capture the traffic – this means passwords, browsing information, web forms etc.
In fact this privacy problem is so important that Google and Mozilla are forcing and prioritizing websites which support encryption wherever possible – the industry wants you to be protected, and you also want to be protected.
Cloud Protection systems however are trying to do much the same things as hackers – they’re “snooping” on you, admittedly for good reasons, but it’s still snooping and without the ability to see plainly and clearly what you are doing online, they struggle to protect you.
There are ways around this encryption problem, by adding an intermediary, or “gateway” between you and your ultimate internet destination. We call these “Man-In-The-Middle” (MIM), or SSL Bumps. Simply, instead of the computer in your home talking directly to the web server you’re trying to access, your computer talks to the gateway, and the gateway talks to the end web server. As far as your computer and the web server are concerned, they are having a direct conversation, but sitting in the middle is this gateway pretending to be both parties.
MIM has been used for a decade for both good and bad – lots of web filtering systems use it to filter out inappropriate content, but also hackers use it to intercept content – you can buy tiny plug-in devices which can be used to advertise “fake” free wifi hotspots, which use MIM to capture passwords etc from unsuspecting users.
Encrypted internet gives us privacy and protection from people spying on what we do online, but encryption hides what we do from normal cloud based protection systems.
Now, this may seem harmless, and it is, as long as you trust the gateway service as much as you trust the end website – As an example, imagine your ISP had a cloud protection system in place – If you want to use Google Mail, you open your browser, navigate to gmail.google.com etc, and everything works perfectly – But are you really comfortable that some intermediate system in the internet is now able to see every email you send and receive? Do you trust your Cloud Security provider as much as Google? Are you comfortable that the Cloud system is not archiving off your interactions with Google?
There’s also the possibility that someone might poison the system the internet uses to connect computers together – the “Domain Name Service”. Again, you might think you are connected to Google, you might have the padlock indicating the connection is private, but all along your information might be intercepted by someone else.
Obviously you’d probably not want this, and neither does Google.
2. Cloud Protection is defeated by Certificate Pinning, designed to keep private things private.
To stop Man-In-The-Middle interception of internet traffic (which can be used for good and bad equally), companies such as Google, Facebook etc have implemented something called “Certificate Pinning” to make it really obvious when there’s some intermediary intercepting our content. Simply, when two computers agree to have an encrypted, protected conversation, they exchange a “certificate” which lets the other computer know who they are. There’s a lot of math involved, but certificates are the underlying, foundational mechanism that computers use to communicate. The certificate says “I am google.com and I can prove this because someone we both trust says so”.
Most of the time, as long as the certificate is valid, that’s good enough for the two computers to be satisfied – One computer says “I want to talk to gmail.com”, the other says “Here’s a certificate proving I am gmail.com”
Now, if you remember the concept of “Man In The Middle” – this is where some intermediary gets in the middle of the conversation – yes, the MIM server tells you “Yes, I am gmail.com” – basically it lies.
Generally this lie goes unnoticed, because the MIM server has been given the “right” to lie about its identity. Again, the math is long, but certificates rely on trust of a higher power – Google’s certificate is signed by someone else – and as long as your computer trusts that higher power, it will trust these faked certificates.
MIM servers have the ability to create these “proofs of identity” on the fly – they can pretend to be whoever they want to be – you might agree with me that it makes me a little nervous – you may remember recent negative press around Gogo and Superfish which were using exactly this trick.
To protect you from this kind of behavior, to make sure when you try to use gmail.com, you REALLY go to gmail.com – Google (and others) have taught their web applications the exact information about the certificates they use – If someone gets in the middle, Gmail will tell you “This is not the site you intended to go to”, and will protect you. The “pinned” apps can tell the difference between the real Gmail.com website, and someone pretending to be gmail.com.
Now this is a good thing if it’s a hacker in the middle, someone has broken into your local Starbucks wifi for example, but not so good when it’s a legitimate cloud based filter – simply, there’s no way to intercept encrypted traffic if the application does not want to be intercepted.
You’re protected from being misled as to the website you’re accessing, but cloud based protection is prevented from intercepting and understanding that conversation.
Generally the industry is moving more and more towards pinning – because it’s a superb defense against hackers and rogue networks.
Pinning is going to block all forms of intentional, and unintentional interception of your data.
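The difference between an ordinary certificate check and a pinned one, as an added example (not code from any vendor or app mentioned here). It uses a simplified model of a certificate rather than real X.509; the host name, issuer names and key bytes are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Simplified model of a certificate (not real X.509): only the fields the
# argument above depends on. All values below are constructed.
@dataclass(frozen=True)
class Cert:
    subject: str        # host name the certificate claims to be
    issuer: str         # the "higher power" that vouches for it
    public_key: bytes   # stand-in for the server's public key bytes

def key_pin(cert: Cert) -> str:
    """Pin = SHA-256 of the public key, as a pinned app would store it."""
    return hashlib.sha256(cert.public_key).hexdigest()

def ordinary_check(cert: Cert, host: str, trusted_issuers: set) -> bool:
    """What an unpinned client does: right name, issuer it trusts."""
    return cert.subject == host and cert.issuer in trusted_issuers

def pinned_check(cert: Cert, host: str, trusted_issuers: set, pins: set) -> bool:
    """Pinned client: ordinary check AND the key must be one it already knows."""
    if not ordinary_check(cert, host, trusted_issuers):
        return False
    presented = key_pin(cert)
    return any(hmac.compare_digest(presented, p) for p in pins)

# Constructed scenario: the filtering gateway's CA has been added to the
# device's trust store, so it can mint a certificate for any host name.
HOST = "mail.example"
real = Cert(HOST, "Public CA", b"real-server-key")
bumped = Cert(HOST, "Filter Gateway CA", b"gateway-generated-key")
TRUSTED = {"Public CA", "Filter Gateway CA"}
PINS = {key_pin(real)}  # shipped inside the app

def demo() -> dict:
    return {
        "unpinned_accepts_real": ordinary_check(real, HOST, TRUSTED),
        "unpinned_accepts_bumped": ordinary_check(bumped, HOST, TRUSTED),
        "pinned_accepts_real": pinned_check(real, HOST, TRUSTED, PINS),
        "pinned_accepts_bumped": pinned_check(bumped, HOST, TRUSTED, PINS),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unpinned client accepts both certificates because both chain to an issuer it trusts; only the pinned client rejects the gateway's certificate, which is why a filter cannot inspect that traffic.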
3. Cloud based protection can’t protect you from rogue devices in your home
It may not be obvious, but communications between two devices in your home don’t go via your ISP to the cloud. The way networks work is that traffic stays as local as possible. Perhaps you have a media server with photos, videos or music – when you access that content, the traffic stays in your home, or when you print to your wireless printer, again (unless you’re using a cloud print service), the ISP does not see the traffic as it flows around your home network.
Sending all the traffic in your home to the cloud and back again would be really bandwidth intensive, and would slow down your Internet connection – a LOT!
So, cloud based protection can’t help you if one device in your home goes rogue and starts attacking other devices – The Cloud system simply doesn’t get to see the traffic at all.
Unfortunately, this is EXACTLY the kind of attack we are predicting for the future – as protection on traditional devices (Laptops, desktops, tablets etc.) gets better, hackers are increasingly looking to target things like smart TVs, thermostats, and the other internet connected devices we use.
Once a “beachhead” is established in your home, perhaps through infecting a PC with a new virus, or a game console, there’s nothing a cloud service can do anymore to protect you – the best possible result the cloud protection could offer is to tell you that “something in your home is infected”, and only by detecting some outgoing traffic.
If the malware is clever, once it’s installed on a device it can easily hide itself from any kind of cloud inspection.
4. Cloud based protection is one-policy-fits all.
Another limitation of cloud is that generally, and without special software on your devices, it doesn’t know anything about the numerous devices in your home. If you’ve ever needed to know your “public IP” – the unique address the internet uses to communicate with you, you might be interested to know that every device in your home seems to have the same one.
You can see your public IP by simply searching for “public IP” on google.com – try it from a few different computers in your home, you’ll see it’s always the same.
This “network magic” happens because there’s simply not enough unique addresses to serve all the different devices which are connected to the internet. The magic is called “Network Address Translation” – there’s a good introduction on Wikipedia.
So, if every device in your home seems to be the same device, how can a cloud based service provide different rules for different devices?
You may for example want your 6 yr old’s iPad to have different content restrictions (perhaps no drugs and gambling websites?) than your own PC, or you might want your Smart Thermostat to not talk to anyone other than google.com.
With cloud based protection, this isn’t really possible – Since every device appears to be the same, mostly a “one size fits all” policy has to be in place.
There are ways around this IF you can configure each device separately, or install some software on each of them, but it’s a big IF – how do you install something on a game console or a thermostat? Even installing (and managing) software on every PC, tablet, phone etc is bothersome, and defeats the point of cloud based protection in the first place.
Cloud based protection only really works when one policy works for every device in your home – this was possibly manageable when we only had a few PCs, but now we have so many devices, and even smart home devices connected to the internet, how can you find a single policy which protects a baby camera, a thermostat, a child’s tablet and an adult’s PC equally well?
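What sections 3 and 4 describe, as an added example that is not part of the original article: the same set of flows seen from an in-home gateway and from a filter beyond the router. The device names, addresses (private and documentation ranges) and policy labels are all constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed home network; addresses are from private/documentation ranges.
LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "203.0.113.7"          # the one address the ISP/cloud sees
Flow = namedtuple("Flow", "device src dst")

FLOWS = [
    Flow("kids-tablet", "192.168.1.20", "198.51.100.10"),
    Flow("parent-pc", "192.168.1.21", "198.51.100.10"),
    Flow("thermostat", "192.168.1.30", "198.51.100.99"),
    Flow("game-console", "192.168.1.40", "192.168.1.30"),  # device-to-device
]

def home_gateway_view(flows):
    """Inside the home every flow is visible with its real source address."""
    return [(f.src, f.dst) for f in flows]

def cloud_view(flows):
    """What a filter beyond the router sees: LAN-to-LAN traffic never
    leaves the house, and NAT rewrites every remaining source address."""
    seen = []
    for f in flows:
        if ipaddress.ip_address(f.dst) in LAN:
            continue                      # stays on the local network
        seen.append((PUBLIC_IP, f.dst))   # source replaced by NAT
    return seen

def distinct_sources(view):
    return {src for src, _ in view}

# Hypothetical per-device policy, keyed by the private address that only
# an in-home gateway can observe.
POLICY = {"192.168.1.20": "child", "192.168.1.21": "adult",
          "192.168.1.30": "vendor-only", "192.168.1.40": "default"}

def policies_applicable(view):
    """Policy each observed flow would get; unknown sources share one."""
    return [POLICY.get(src, "one-size-fits-all") for src, _ in view]

if __name__ == "__main__":
    print("home :", sorted(distinct_sources(home_gateway_view(FLOWS))))
    print("cloud:", sorted(distinct_sources(cloud_view(FLOWS))))
    print("cloud policies:", policies_applicable(cloud_view(FLOWS)))
```

The console-to-thermostat flow never appears in the cloud view, and the three flows that do appear all carry the same source address, so only one policy can apply to them.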
5. Cloud protection might slow things down – significantly.
Finally, even if the privacy and security concerns, rogue devices and in-home threats are not enough to persuade you that cloud protection has problems, there’s one final concern – speed.
Next time you open a web page, notice how it “builds” – most websites don’t appear instantaneously – they fill in over a few seconds. This behavior is designed to give you a great experience – the key content is viewable very quickly, and less important stuff appears over time.
If you have a really fast internet connection you may not notice it too much, but given the growing sophistication of websites, this “build” is a key concern of web designers – they want to make your interaction with their sites as smooth as possible.
You can see how things build over time in Google Chrome by opening the “More Tools/Developer Tools” option, and then selecting Network and reloading the page.
Cloud based protection tends to interrupt this process – the cloud service has to get the content before you, analyze it, and then pass it on – so your smooth interaction directly with a website is now broken by the cloud service – it’s getting the content, thinking about it, and then passing it on.
This small delay may not seem much, but when you’re used to a really snappy experience, an extra second can seem like an eternity – and of course if the cloud service is having a “bad day”, you’re going to suffer as well – no amount of improvements that Google, Netflix etc make to their systems will help you if you have a tardy cloud filter in-between.
6. Bonus – what I do like about cloud protection
Despite all of the above, cloud based protection systems are ESSENTIAL in protecting us – even though they have technical challenges, cloud based systems still are the best method to protect the widest range of devices from basic threats. Cloud systems are a vital extension to other more local protection methods, like installed software and home gateway filters.
If you have nothing else, a cloud based system really makes a difference and WILL make your online experience more secure, but it’s a poor substitute for on-device security, or in-home security.
Cloud security raises the bar for everyone – it’s not the best by any means, but better than nothing at all.
My 5 Recommendations to make your smart home safer…
As our homes get smarter – more and more internet connected devices, we need to be conscious about the increased risk – remember, one bad device in your home can contaminate all the others.
So until we get enterprise-class network filtering solutions built into our home network systems (enterprise class in terms of effectiveness of course, but simple enough for us to use without becoming network security experts!), here is what I recommend:
1. Make sure you change the default passwords on any device you connect to your home internet
2. Update them with new firmware as/when the manufacturer allows
3. Install endpoint security software on your PCs, Macs and phones – endpoint security is always going to be the most effective, though perhaps not the simplest to use or manage
4. Remind your family about the risks of phishing and clicking on risky links. Users are invariably the weak link in any security system, so the more aware they are, the safer you’ll be.
5. Be aware of what each device in your house does, and what data it captures, just in case it becomes compromised – a wireless security camera which also has private areas of your house in view – probably not such a great idea.