Hello everyone, today I want to speak about smart security for smart homes in the 5G era. My name is Armin Wasicek and I'm a research manager with Avast. Smart home security is an area of increasing concern. As we put more and more devices into our homes, we also increase the attack surface of these homes at the same time. At Avast we did some research to find out how many devices people actually have in their home networks and what device types people are using. So we find the results to the right in this pie chart. So we found that at least one-third of the homes that we were looking at have five to ten devices in their home network. Six percent have even more, have even ten or more devices in their home networks. The next question that we looked at was how many of these devices are actually vulnerable. So we found that 40 percent of the smart homes contain at least one device that's vulnerable to cyber attacks. Looking into what is kind of the most common attack vector here, we found that 69 percent are vulnerable to weak access credentials. So the weak access credential is when people don't reset their default passwords or use weak passwords themselves. The top vulnerable devices in the smart homes are printers, network storage and cameras. So all of these device types have in common that they are standalone devices, the user interaction with them is very sparse, and they're always online. So they're always connected to the internet, they're always accessible. A device that has similar characteristics is the home router. So we also found that home routers, 59 percent to be exact, also have weak access credential problems and also some other vulnerabilities. And there's a trend, this doesn't change. So we asked the users how they maintain their routers and 59 percent of them responded that they have never logged into their home router nor have ever updated its firmware.
So these problems are most likely not going to go away and they will stay with us because the users don't want to resolve them. Another side story in this are the media boxes, which is the next most prevalent IoT device category in smart homes. The connection to 5G here is that the European Union was freeing up the 700 megahertz spectrum for the radio access for 5G, and this spectrum was occupied by the antenna TV. So people had to move on to DVB-T2, for which they needed some set-top boxes. And the set-top boxes were manufactured, but unfortunately, because this was such a quick action, they have some vulnerabilities that some of our researchers discovered. So this is an example of a story of how these vulnerabilities get introduced in the home networks. Something happens, devices come up and have to be employed and connected to the home networks, and then they sit there and they have the vulnerabilities. So next we were also looking at what is the geographic distribution of vulnerable smart homes. And for example, the US has 35% of connected homes with at least one or more vulnerable devices. So the reason there is the spread depends on several factors. So we found that the prevalent device types are one reason why some geographies have more vulnerable smart homes than others. So the mix of devices that people have in their homes is quite different. For example, Western countries tend to have more of the smart speakers, whereas countries in the East have more cameras on their home networks. Another reason is the supply chain. So many, some devices are manufactured cheaper than others. So the cheaper the device, typically, the older the software, the older the chips, the older the firmware. So this is also kind of a reason for devices to become more vulnerable. Next, ISP security culture is also an important factor. In some countries, ISPs take great pride in securing the networks for the consumers, but in others, ISPs don't care that much.
And finally, it's also important what the other devices on the home network are. What typically happens is, after one device gets infected, attackers try to do a lateral move and find other vulnerable devices in the same home network. So looking at the type of malware that is common for IoT, it all started out with the Mirai infections, which produced these super large botnets for DDoSing. So this was a very early IoT malware. It just had a single purpose, DDoSing, crypto mining, but it could be easily spotted and stopped. So what then happened was that the authors of Mirai open sourced the source code. So now this code base has been reused and rewritten and evolved over time. This led to more sophisticated malware types like Torii, or at the moment we have the Kaiji malware going around and finding vulnerable hosts. The difference here is that this malware has evolved. It's now more persistent, so it's harder to remove. It tries more obfuscation techniques to hide itself from detection. It has extended the range of the malware that it actually can deliver and it gathers more information from the networks. So there is a trend of getting more sophisticated malware out there from malware authors, and it's actually quite a crowded area for malware authors to find vulnerable IoT devices. So they are competing with each other to infect smart homes. Okay, so let's try to find a solution. So starting with the manufacturers, they should secure the devices that they deliver. Unfortunately, it's not that easy. So securing IoT devices on the device level doesn't seem to be feasible for some very simple reasons. First, the consumer electronics, which is the category of IoT devices, consumer space, has very low profit margins. So since it's very competitive, people are very reluctant to add the chip that's needed for security or the software stack that does the security. So this is all very cost driven. Time to market is of the essence.
So it's kind of very hard to add the security capabilities even though they would be needed. Another factor is that IoT manufacturers might not always have the security expertise that's required to build a secure device. So this is very deep knowledge that you have to have to build all the secure boot and the secure device authentication methods into the firmware. Also, IoT devices lack the hardware resources to run a security workload. So unlike your PC or your mobile phone, where enough resources are there, where you can actually install an endpoint security solution, IoT devices might not even have the management interface so that you can access and add software to the device. So what remains is that the IoT security has to work on the network level. So the network is the unifying element in the smart home. All devices are at some point on the network. Just as a definition of an IoT device, it's connected. It connects to the internet, it connects to the public cloud to deliver its service. So for that reason, it has to become part of some form of the home network, either the home Wi-Fi or maybe it has a modem for 5G or an LTE connection. So being on the network, we can detect accesses to malicious URLs in the web. We can also see what kind of behavior the device is exposing on the network. So we can detect behavior changes and we can also see if a device is installing some hidden channels, if it's using some hidden channels. By that we mean it's using an app using a regular protocol in a malicious way to hide information. We can also react to these threats on the network by restricting network access of IoT devices. Even though they have no management interface where we can just turn them off, we can do so on the network by implementing security policies on the network. And inevitably, some of the devices will become infected at certain points in time.
So what's also important here, then, is what we can do on the network: we can protect the rest of the network from compromised devices. So as we increasingly use IoT devices in our smart homes, and the prediction here is that the number of devices is going to triple to 75 billion, 75 billion connected things, we need more protection. Manufacturers are under time and cost pressure, so they cannot deliver the security that's often needed for the devices. So the bottom line is someone else. Operators need to step up on smart home security. So operators are currently busy with implementing 5G. So 5G will accelerate the IoT trends that we see right now. So one of the big pillars of 5G is the enhanced mobile broadband. This is coming to the consumer home in the form, for example, of fixed wireless access. So this is one of the first services that's going to be launched on 5G, for example, to connect rural areas or densely populated multi-dwelling units, etc. So the promise of the enhanced mobile broadband is significantly faster data speeds and greater capacity. So when you increase the data speed and the bandwidth that's available for each home, at the same time, you also increase the potential for DDoS attacks, for example, and other types of attacks. Also, if there are more devices that can now be onboarded on home networks, there are more vulnerable devices, potentially vulnerable devices, that attackers can use. So this is the trend that's emerging with 5G and IoT. The key that 5G needs for it to realize its value propositions is the network virtualization, and also open networking platforms. These are two of the big pillars that are prerequisites to implement 5G in a sustainable manner. So this network virtualization and this virtual networking enables the mobile edge computing, which can be seen as an extension of the home network in the operator cloud.
And this is a very important point because at the same time that 5G accelerates these trends of having more devices, having a bigger attack surface, it also offers a solution, because through this virtual networking, we can introduce new network functions that help us doing the security. So we can introduce new services faster and more dynamic than before. We can help by developing security functions on the network edge to secure mobile homes. Okay, let's take a step back and look at what's actually going on when smart homes are being attacked. So here is an example of a botnet attack. So we have three types of devices here. So there is this infected device that's under the control of the bot master. This is the guy to the right who's controlling the command and control server. So this bot master will instruct the infected device to attack the victim device, by brute forcing, for example. So if there are weak credentials, then a brute force attack is very likely to be successful. Another way would also be to steal the credentials and use the stolen credentials to get shell access on the victim device. After this level of access has been established, the next thing is that the victim device will receive instructions, for example, via some hidden channel, to download malware. So this is then the actual binary. This is the actual file that contains the bad actions. So the victim device then will go ahead and carry out whatever the bot master tells it, for example, DDoSing, spamming, crypto mining, or any other form of malicious action. What's very interesting is that the bot masters, the attackers, are most often part of a criminal organization. So this has been a change from the hacker at home in his garage. Now the actors that we see are criminal organizations that make a business out of offering botnets for rent.
So you can go online, you can book your botnet, you can determine: do you want to DDoS, do you want to spam, whatever is kind of the thing that people want. You can hire a botnet, 1000 nodes, 10,000 nodes, different geographies, to execute your malicious actions. The business model is very similar to a cloud model. So when you go to a cloud, you book an instance, you start the instance, run the workload, and then you get billed. Same for a botnet. You go online, you book a botnet, you run your malicious workload, and then you get billed by the criminal organization. And as the botnets have to live on, in a third step, the attackers seek to extend and maintain the posture that they have in the network and to go out and look for the next vulnerable device, either on the internet or in the local home network, by scanning for vulnerabilities. So MarketWatch has this prediction about the global botnet detection market, which is very interesting. It's expected to grow tremendously, by 37.6% during the forecast period, which is like three years. So in return, this also means that the threats from botnets will also increase over time in the future. All right, so now we took a look at what an attack would look like. Let's see how we can defend against such an attack. So it's a similar net setup between devices and the botnet command and control. And what you really want, you want to protect the victim device by drawing a security fence around the home network, so on the network level. So what you do is you collect some statistics from the home. So what's also helpful is that the virtualization of the network, the extension of the home network in the edge cloud, increases the visibility of the traffic. So it becomes easier, and with more visibility, the data becomes better than in current setups to collect the statistics that are then in the next step put as a security workload, as a security analytics workload, at the edge.
Here it's crucial that the spatial proximity is as close as possible to where the data is generated, to the smart home. Often there is a race between the attacker and the defender going on. So for example, think about when the attacker tries to download the malware. So there is an HTTP request going out and then there is an HTTP response which starts the download. So the outgoing HTTP request has to be checked and a verdict, if it's a good request or a bad request, has to be delivered before the HTTP response comes back, to guarantee that the user doesn't see or doesn't feel any difference in the processing. So this is why we want to be as close. This is why we want to have short latencies, to basically not have any impact on the user experience, which is very important when doing this kind of service. In a third step, after the decision has been made if the network traffic is good or bad, you can block the flows very close to the edge. And this is done by using the form of a virtual network function. And this is basically what we are suggesting here. So we are suggesting here to put the security workload, the security analytics workload, as a network function on the edge. So looking at this diagram, on the left hand side we have the user domain, where the smart home network is. And inside the smart home network, we have all these IoT devices. They can have 5G, they can have Wi-Fi, they can be wire bound. They all connect to the operator domain. And in the operator domain, we have this mobile edge cloud, for example, running in the central office. And inside this mobile edge cloud, we have a security network function that protects, that gets the statistics, computes the analytics and computes decisions for the smart home. A very important link here is upstream, the threat intelligence cloud. So this is a very important piece because this threat landscape changes all the time.
So this is a very important operation, to keep track of what are the current threats, what are the current scanners, who is scanning the internet for vulnerabilities, what kind of vulnerabilities they scan for, what is the current malware, what is the development of these malware families, what's going to be infected, and maybe even do predictions of what's going to be infected next. These are all services that the threat intelligence cloud would deliver. And the threat intelligence cloud will deliver this information to the smart home security network function so that it can do its processing. So the relation between the VNF and the threat intelligence cloud is similar to what a music player does with the music. So the music player is the mechanism that makes the music audible, whereas the music is the content. This is what you want to hear. This is what you enjoy hearing. Yes, so there are two other boxes. There's the upstream in this diagram. So if the traffic is checked and it's passed, then it can go upstream to the internet. And then there's also a management interface for the life cycle management of the virtual network function. And this is also a very important piece because subscribers should be able to transparently join the service or opt out of the service. So whenever one of these actions, one of these triggers happens, then with the proper automation, the network function is added to the data path or removed from the data path on behalf of the user. Okay, so wrapping this up, let's look at what kind of value this system could create in the emerging edge ecosystem. So the value for the user is quite obvious. So it's protection from threats, and specifically protection from threats specifically aimed at smart homes. It's also very important that this happens through a zero-touch provisioning approach. This is important so that the user can basically do it as a convenience by using a web interface or the smartphone, or not even doing anything at all.
And this is done automatically because it's, for example, bundled with a connectivity package. So it's very convenient for the user and the user doesn't take any responsibility in installing a device or installing some software on a device. The cloud native software piece is also very important because, this being cloud native and being agile, the software function can be updated on demand. So when new threats emerge or when new functionality is required, this can be rolled out very fast. It's a cloud system, so the updates are very convenient for the operators. Finally, the usage is transparent across all devices in the smart home. So because everything happens through the network, when you add devices to the network, they are automatically protected just by being on the network. All the traffic is going to be checked. So all devices are going to be checked and assured that they are not being infected. The value creation for operators is also very interesting. So to the right, I put in a picture from a consulting paper that several operators did, where they analyzed what is kind of the impact of this emerging edge. And this graph speaks to the business opportunities that come out there. So this is a shorter version of the graph that displays the top five business opportunities in addition to traditional telecom products. And one of them is actually the business to consumer security services. So similar services to what I proposed here with the IoT protection for smart homes. So what can operators gain here? Operators can create additional revenue streams through offering security services to their users by bundling connectivity and security at the same time for their users. This is just from a business perspective. From an operational perspective, what's also very interesting: we spoke about the protection, the virtual network function being close to the edge, being in close proximity to the smart home.
So we can basically stop the threats immediately after they arise. So even though a device is infected and would produce some DDoS traffic, we can stop it right at the edge. In that way, no additional cost through the DDoS traffic is caused. So this kind of saves the operator some operational cost in terms of not having to route unnecessary traffic. And finally, also very important is that offering security to the users increases the subscriber trust in the operator brand. With this, I want to close. Thank you very much for your attention. If there are any questions, I'm available on the chat. Thank you.
Hello, we've opened up the phone bridge. So if you have any questions for Armin, you can put them in the Q&A chat and he will be able to answer those for you. Once again, if you have any questions for Armin, you can put them in the Q&A chat and he can answer those for you. Thanks again, everyone, for watching.
Thanks again for joining me for the presentation. Now is a good time to ask questions. So if you don't have any questions at the moment, I think there's also the opportunity in the Slack channel. So if you haven't joined the Slack yet, then yeah, thanks for the webcast. I will be available in the Slack channel as well for future questions. Thank you. There's a question. Sorry, Prakash has a question, but I think you didn't finish typing. Could you repeat the question again?
Armin, the second half of this question actually is in the regular chat. It's: how will you support upstream security for IoT devices that are not managed?
Oh, thank you. So the upstream security is actually what we proposed, this virtual network function. This is actually the upstream security. So you have a device that sits in your home. It's connected through your ISP, your operator, and upstream in the mobile edge cloud there's a security function. So the IoT device itself is unmanaged from the point of view of the operator.
It could be a doorbell: you unpack it, you connect it to your Wi-Fi network, and the traffic passes through the edge, where the traffic is going to be checked. And then it's continuing on the data path to the cloud or to the internet, wherever it needs to go. So this is kind of the value proposition of being on the network. You don't have to manage devices. You look at the network traffic and then take decisions about the security. Oh, and just thinking about it, if you say, well, it is end-to-end security. So the question was like, if the end-to-end security data is not guaranteed yet, it is guaranteed because the connection between the device and its cloud, this is what's the end-to-end. And we check this connection. So yes, there is an end-to-end security component to that. But there is no security stack on the device and there is no security stack on the endpoint. So this end-to-end security guarantee would entail. This would need to be established by the manufacturer. Being a third party, by looking at the traffic, you can check the end-to-end connections, that they are secured, that they are not misbehaving. So this is the end-to-end guarantee that you can do using this security analytics approach.
Okay, it looks like we are at time. I had put it in the broadcast. I'll broadcast it again. But if you want to continue the conversation, you can do so on the Slack channel. The Slack channel name is number two, business IoT edge. Once again, that's number two, business IoT edge. Please feel free to continue any questions or discussions that you might want on that Slack channel. Thank you very much. Thank you.