Cloudflare wants to secure IoT connections to the internet
- 28 April, 2017 04:02
Many people are worried about putting smart internet-connected devices in their homes or offices because of flaws that could allow attackers into their private networks.
Web optimization and security firm Cloudflare is trying to alleviate those fears with a new service that could allow internet-of-things manufacturers to protect devices from attacks and deploy patches much quicker.
Cloudflare's content delivery network is used by millions of people and companies to increase the performance of their websites and to protect them from malicious traffic. The company's servers work as invisible proxies between websites and visitors, providing on-the-fly encryption and firewall protection.
That technology has now been adapted to protect IoT devices as part of a new service called Cloudflare Orbit, launched Thursday. The service is aimed at device manufacturers and promises to provide them with the ability to defend their customers' devices against attacks even if they haven't been patched yet.
Hundreds of thousands of security cameras, digital video recorders, and other internet-connected devices have been compromised and enslaved by hackers over the past year. This has given rise to powerful botnets capable of launching crippling distributed denial-of-service attacks.
A hacked device can also provide attackers with a foothold inside a local area network and can be used to attack other local devices that wouldn't otherwise be accessible from the internet.
The poor state of security in the IoT world is not only caused by bad development practices that lead to firmware vulnerabilities, but also by slow patch deployment and adoption.
One vendor can sell hundreds of products and models, many of which are likely to share considerable portions of code with each other. A vulnerability in the code of one product model can affect dozens more, so it can be months before the vendor develops, tests, and releases firmware updates for all of them.
And even then, unless the products have an automatic update mechanism, which is rare, a large number of devices will never be patched. That's because users simply don't treat their IoT devices like they treat their computers when it comes to security updates.
Cloudflare Orbit seeks to take user behavior out of this equation and provides a way for device makers to defend devices against attacks even if they run outdated firmware or if no firmware patch is available.
Before connecting to the internet, Orbit-enabled devices will first establish a secure connection to Cloudflare's network, in a similar way in which computers access the internet through a virtual private network (VPN) service.
Cloudflare already has detection and blocking mechanisms in place at its network edge for a wide variety of attacks. On top of that, IoT manufacturers who use Orbit will be able to add their custom firewall rules to create so-called "virtual patches" for specific exploits.
This will protect devices immediately and will give vendors more time to work on firmware updates with permanent fixes. Those updates can also be distributed through Orbit when they're ready to be deployed.
Many IoT devices need to connect to their manufacturer's back-end servers in order to be accessed by users via smartphone apps. These servers act as a bridge so that roaming users can access their devices from anywhere.
In order to be protected against man-in-the-middle attacks, the connections between end-user devices and the manufacturer's infrastructure need to be encrypted. The servers also need a way to authenticate and identify each individual device, so that attackers can't spoof them.
The problem is that implementing encryption and authentication correctly is not an easy thing to do, and it's not uncommon for security researchers to find vulnerabilities in these components when testing IoT devices.
This is another aspect where Cloudflare Orbit can help because it offers the ability to deploy TLS Client Authentication, a form of TLS (Transport Layer Security) encryption where both the client and server have identifying certificates and use them to authenticate each other before establishing an encrypted connection. By comparison, when browsers establish a secure HTTPS (HTTP over TLS) connection to a website, it's only the server's certificate that gets checked.
By offloading the encryption and authentication tasks to Cloudflare Orbit, IoT vendors can rely on well-tested implementations and will free their own server resources. In addition, Cloudflare's technology uses compression and performance optimizations that reduce bandwidth usage and can result in lower power consumption and better battery life for the end user device.
Cloudflare Orbit is not a service that IoT users can opt into themselves, but it is encouraging to see efforts that attempt to tackle big IoT security problems like vulnerability response and patch distribution on a larger scale.
If adopted by IoT vendors, services like Orbit have the potential to improve the security of end-user devices, whether they're security cameras inside homes, smart lightbulbs in office buildings, or remotely controlled thermostats in industrial facilities.