Bench Talk for Design Engineers | The Official Blog of Mouser Electronics


Router Security Vulnerabilities Could Compromise the IoT

By Steven Keeping

Back in late May 2018, news agency Reuters reported that the US Federal Bureau of Investigation (FBI) had warned that Russian computer hackers had “compromised hundreds of thousands of home and office Wi-Fi routers and were planning to collect user information or shut down network traffic.”

The agency discovered the plan after it seized a website the hackers planned to use to give instructions to the routers. Though that solved the immediate problem, it still left the routers infected, and the FBI urged owners of many brands of routers to turn them off and on again and then download firmware updates to strengthen the security of their products.

Russian hackers are notorious cybercriminals but are far from unique. Across the globe, millions of nefarious individuals are targeting Wi-Fi routers because they perceive them as the weak link in the communication chain between computers and the Cloud. That is bad news for the Internet of Things (IoT), which is based in part on the technology.

Linking Sensors to the Cloud

The IoT—a network built on short-range RF technology, cellular infrastructure, and the internet—will eventually connect billions of tiny devices scattered around the planet like so much summer pollen to monitor their surroundings and report back. Widespread deployment relies on cheap, compact sensors with limited battery capacity. Such restrictions limit the range of the sensors’ wireless connectivity to tens of meters. Bridging the gap between these short-range sensor networks and the Cloud is taxing engineers the world over, and many have turned to the Wi-Fi router for the answer.

In principle, it’s not a bad idea. According to the World Bank, 97.5 percent of Americans have access to the internet, and while not all of those have broadband access, of the ones that do 70 percent use Wi-Fi. Familiarity with the technology makes it an ideal candidate for connecting smart-home products, for example, to the IoT. Already there are dozens of proprietary “Wi-Fi gateways” on the market that can receive Bluetooth® Low Energy (BLE), Thread, Zigbee®, or other short-range wireless protocols’ packets and forward them to the Cloud via the router’s wired connection to the external telecom’s network. And the next round of Wi-Fi products from the leading manufacturers is likely to include such capability as standard.

Unfortunately, even before the FBI’s sobering warning, Wi-Fi routers were hardly renowned for their security. And that soft underbelly is likely to make the units an even bigger target once the traffic they route includes information from dozens of IoT devices, including smart locks, security cameras, and break-in alarms.

Open to Attack

According to the American Consumer Institute (ACI)—in its report entitled Securing IoT Devices: How Safe Is Your Wi-Fi Router?—hackers find routers easy prey because:

  • The passwords are weak.
  • Additional security, such as two-factor authentication, is rare.
  • The devices are permanently connected.
  • Consumers rarely upload security-patching firmware.
  • The common use of open-source software, which gives the hacker unprecedented access to the router’s underlying code, further compounds the firmware’s vulnerability.

ACI’s analysis of routers showed that of a sample of 186 units, 155 (83 percent) were vulnerable to firmware cyberattack. Overall, the analysis found an incredible 32,003 known vulnerabilities in the router sample. Perhaps it is little surprise that internet security company Symantec’s recent “threat report” noted that as part of a 600 percent increase in IoT attacks in 2017, routers were the most frequently exploited device, making up 33.6 percent of the total.

Router manufacturers are fighting back with developments such as Wi-Fi Protected Access 3 (WPA3), a significant upgrade to the previous generation of router security firmware. WPA3, for example, implements protection against “brute force” attacks whereby hackers target weak passwords by systematically working through options.

According to the Wi-Fi Alliance, chips supporting WPA3 are on the market, but it’ll take a while for them to be integrated into new devices. And even then, WPA3 only stalls the hackers for so long. Eventually, they will find a weakness, and router makers will be forced to craft firmware patches to move one more step ahead, which consumers will then habitually fail to upload.

A More Secure IoT

Cellular—or mobile-IoT—could be the answer for engineers looking for a more secure technology than WPA3-protected Wi-Fi routers to form gateways to the Cloud for Local Area Networks (LANs) powered by short-range wireless technologies such as Bluetooth Low Energy, Thread, or Zigbee.

The technology is one of several new Low-Power Wide Area Network (LPWAN) offerings entering the IoT sector. Its development was encouraged by the 3rd Generation Partnership Project (3GPP)—a telecom standards organization—introducing new modem categories in specifications adopted in 2015. Now Long-Term Evolution for Category M1 (LTE Cat-M1) and Narrowband IoT (NB-IoT) modems from several manufacturers are commercially available. Just as some Wi-Fi routers do today, these new modems will soon start to incorporate chips capable of receiving short-range wireless signals from IoT sensors and then forwarding them to kilometer-distant cellular base stations for relaying to the Cloud.

No technology is completely secure from the most determined hackers, but LTE was designed to include:

  • Strong cryptographic techniques
  • Mutual authentication between LTE network elements
  • Security mechanisms built into its architecture from inception

Those underpinnings should see LTE-M and NB-IoT modems far more resistant to attack than Wi-Fi modems, perhaps encouraging the bad guys to look elsewhere for the weak link. Moreover, because they will be employed solely to do the specialist job of periodically sending relatively small amounts of information from wireless sensors to the Cloud before returning to sleep, cellular modems will spend most of their time disconnected from the network and therefore beyond the reach of the criminals.

Cellular IoT also makes sense in applications where a Wi-Fi router gateway does not. Based on a long-range, low-power wireless technology, battery-powered cellular modems can be positioned virtually anywhere, making it easy, for example, to track the whereabouts and condition of refrigerated foodstuffs or the moisture levels of a remote corn field. And as cellular IoT matures and the price plummets, the technology might simply displace the short-range RF technologies built into today’s sensors, and in doing so simplify and strengthen the IoT communication chain.





Steven Keeping gained a BEng (Hons.) degree at Brighton University, U.K., before working in the electronics divisions of Eurotherm and BOC for seven years. He then joined Electronic Production magazine and subsequently spent 13 years in senior editorial and publishing roles on electronics manufacturing, test, and design titles including What’s New in Electronics and Australian Electronics Engineering for Trinity Mirror, CMP and RBI in the U.K. and Australia. In 2006, Steven became a freelance journalist specializing in electronics. He is based in Sydney.



