When the NSA is urging consumers to secure their digital homes, especially networking and IoT devices, we really have to say it out loud: they usually can’t.
It’s not every day that the United States’ National Security Agency (NSA) virtually bangs on the doors of the average Joes and Janes, alerting them that there’s an impending security issue they need to prepare for. That kind of alarming news is usually delivered by the NSA to critical infrastructure service providers, like power and water companies, or government offices, and sometimes public or private companies that might be future victims of state-sponsored cyberattacks.
But that’s exactly what happened last Wednesday, February 22nd, when the agency engaged US households and urged them to secure their home networks.
The agency’s Cybersecurity Information Sheet (CIS), titled “Best Practices For Securing Your Home Network”, warns readers that “Malicious cyber actors may leverage your home network to gain access to personal, private, and confidential information”, and goes on to provide advice on how to avoid, or at least decrease, the probability of these outcomes, by “practicing cybersecurity-aware behaviors, observing some basic configuration guidelines, and implementing… mitigations on your home network”.
You can find the full document here, and to make it even easier for you, we summarized the parts in which the CIS recommends how to secure the network and devices in an easy to carry 1-pager you can send to your loved ones (and refrain from sending to your unloved ones):
For those that want an even shorter version of these recommendations, here are the headlines:
- Secure electronic devices and use the most updated version of the devices’ OS.
- Secure and update routing devices.
- Segment and protect your Wi-Fi.
- Use security software.
- Protect your passwords.
- Limit use of the admin account.
- Limit sensitive conversations near devices with mics.
- Exercise secure user habits.
- Use a secured connection when teleworking.
Before we shed light on what recommendation is pretty much out of the consumers’ control even if they wanted to embrace it – let’s first ask: Hey, NSA, why now?
NSA: WFH is NSFW
Threats to home networks and devices that connect to and through them have been known for many years. The cybersecurity vendors are both raising awareness to these threats and are supplying the remedies. An official government entity, especially a security-minded one like the NSA, might have the gravitas commercial vendors lack, so its warning might be received as a real call to action. Sure, a word from the NSA could create an “ok, this is serious” urge within consumers’ mindsets, and the agency indeed urged them – wayyyy back in 2018.
In fact, if you compare the 2023 version and 2018 version of the NSA’s recommended best practices for securing home networks and practicing safe Internet usage, you will see they are basically the same documents, with very minor changes – so why (again) now?
I think there are two reasons for that, and only one is clearly visible when you read between the lines.
A hint for the first reason lies not in the recommendation document itself, but in the press release the agency sent announcing the availability of the document. In it, Neal Ziring, NSA Cybersecurity Technical Director, proclaims that “In the age of telework, your home network can be used as an access point for nation-state actors and cybercriminals to steal sensitive information…”.
The agency is aware that more people now are teleworking (i.e., “working from home”), and while providing freelancers or small remote-only companies with helpful security advice is also a nice gesture, the real scenario the NSA is probably worried about is the one in which corporate employees, working from home, are sharing the same network with devices that aren’t secured, and potentially opening up the gate for hackers to reach a more lucrative goal: the organizations themselves.
There’s another trigger phrase not-so-hidden within the NSA’s press release, which made me think of another reason for the need to educate the public (again): “… used as an access point for nation-state actors”.
Nation-state actors, or “entities being operated and/or funded by countries that added offensive cybersecurity to their arsenal”, are constantly trying to cripple or disable other countries’ critical services such as power, water, transportation, etc. Discovering and preventing threats to US critical infrastructure and services is very much NSA’s thing, and these nation-state actors are not only trying to cause damage to these national treasures by attacking them directly – they are also trying to take over devices within consumers’ networks, slowly building an army of zombie devices, that in due date will launch a powerful DDOS attack on the service provider, practically making it unable to provide the service.
Another scenario actually combines the two threats described above, as the nation-state actors hack home networks of critical service providers’ employees, and try to use these employees’ corporate devices to get into the organization’s core systems.
Smart home, dumb devices
Now let’s get back to two specific recommendations that are, unfortunately, mostly useless. I’m referring to the ones advising the consumers to “secure and update their routing devices”, and “secure electronic devices and use the most updated version of the devices’ OS.”
To understand why these recommendations are necessary, yet mostly useless, let’s look at the home network “ecosystem” as the host of devices that can be roughly categorized into 3 groups:
Computational devices – Desktops and laptops, smartphones, tablets, smart hubs (like Google Nest and Amazon Echo) and the like.
Networking devices – Routers, Wi-Fi extenders, access points, switches, etc. – these devices are utilized to enable, manage and optimize the data traffic in, through and out of the home network. While they tend to run on a limited number of operating systems best suited for such low-performance devices, there are many variants and customizations of these OSs used by many vendors. This category also includes network-attached storage devices, as they share some characteristics with the other networking devices (and are just as vulnerable, our data shows).
Others (aka IoT devices) – Smart TVs, speakers, IP-based cameras, connected printers, smart alarms, smart toothbrushes, etc. – these are task specific devices, built with low-to-medium performance hardware, with limited interfaces and usually installed, managed and operated via a smartphone.
Although devices from all 3 groups are vulnerable to cybersecurity threats (as is anything in this world that connects to a network…), there are major differences between them when it comes to how vulnerable they are, and especially what makes them vulnerable.
Computational devices are vulnerable, but once the vulnerability is discovered, the remedy is usually developed, delivered and deployed fast via an automatic OS, software or hardware device-specific update.
Networking devices and IoT devices are a different story. They are more vulnerable than computational devices, but not because there are more vulnerabilities discovered every year in this group of devices compared to computational devices (although routers are by far the most vulnerable device group in the last few years, according to our data), but, more importantly, due to the amount of time it takes to patch these vulnerabilities once they are discovered.
The long and winding road that leads to the customer’s device
Owners and users of devices that are part of the home or office network – while reminded constantly to monitor and rectify their security posture by adhering to access permissions, software updates and general usage of common sense – are fully dependent on the device vendors when it comes to patching a discovered vulnerability in one or more of these devices they own.
The problem is that device vendors react much slower than software vendors when it comes to deploying updates to their devices, even if these are critical updates needed to fix a security flaw. They produce multiple models in each product category, so while they might be lucky and only need to develop the patch once, they need to test it with all the different models. Even after the patch has been tested internally, they cannot simply release it in the open without conducting another series of tests with a limited number of users, to make sure the patch achieves the same outcome as it achieved when tested in their labs.
As previously mentioned, the router is the most vulnerable device group within the home network. For hackers, router vulnerabilities present an even bigger opportunity than other networked devices, since the router is the gateway to all the other devices on the home network, and the only path for these devices to connect to the Internet. This means that a router vulnerability has the potential to cause significant harm to all the devices within the home network, expose details about these devices and the traffic within and throughout the home network, disconnect the user from the Internet, and even use the router and the devices on the home network as part of a DDOS attack against the ISP or other destinations.
Hackers rejoice!
Knowing the importance of keeping routers secure, it is disheartening to see that some router vendors neglect these devices when it comes down to responding to discovered vulnerabilities. When Kaspersky Labs analyzed the patching timeframe (i.e., how much time passes between the discovery of a vulnerability until a patch is issued) of router vendors in June 2022, it discovered that of the 87 critical vulnerabilities discovered during 2021, almost 30% were still not fixed by the vendors. This means that hackers were aware of these vulnerabilities (as they are documented and published at NIST and other organizations’ databases) and had between 6 to 18 months to take advantage of them, as the routers’ vendors had not yet issued a remedy.
Even when the patch is ready for deployment, there is still the question of how it will be deployed onto the users’ devices. Some devices can be updated via the corresponding app on the smartphone. Others, however, need to be updated manually – a lengthy and quite complicated process for those who are less tech savvy.
All of this is assuming the device vendor can develop the needed remedy on their own. Sometimes, the vulnerability stems from one of the components within the device, such as the chipset, and the component provider first needs to update the embedded software that it initially shipped on its chipset. This would also require the device vendor to conduct its own tests, making sure whatever update the component vendor sent does not cause issues with other components within the device.
This is why it usually takes between 3 to 6 months for device vendors to issue a software patch after a vulnerability in their device was discovered. In some cases, it even takes more than a year. Some devices cannot be updated at all (due to lack of storage needed to temporarily store the update file, or discontinued support by the vendor), so the only solution left for the owner is to disconnect them from the network and usually discard them.
So why am I telling you all this? First, to illustrate how the NSA’s “advice” to home network owners to “secure their networking IoT devices” is theoretically on point, but practically useless, as even if the consumers execute a daily “check for latest version of the software in all my IoT devices” routine, they are still dependent on the slow discovery-to-patching process managed by the devices’ vendors.
Second, and here is the good news – there is actually a way to keep these and other devices, the home network and the ISP, protected even if patches for their vulnerabilities are still months away from deployment.
Hint: it’s by using us.
Join the club
At SAM Seamless Network, we know protecting devices within home networks by chasing down vulnerabilities within individual devices is a never-ending race, and the good guys always finish last. Instead, we protect the devices by protecting the network that they reside in.
Our software is embedded within the router (or modem-router), which is usually provided to the customer by their ISP, and does three things (and very well):
- It protects the router (and the network) from threats trying to enter from outside (you know, the Internets).
- It protects the devices by constantly monitoring the traffic between them and the router, and when our AI realizes that a device is acting in a way which raises suspicion (like suddenly communicating with another device on the network that it never communicated with, or sending packets of data to a server somewhere on the internet at odd times), we remove that device from the network so it will not infect or harm other devices, investigate the issue using automated processes aided by a constantly updated database of vulnerabilities and remedies from device vendors and other databases, and decide on the best course of action based on multiple factors (availability of patch, level of threat, etc.)
- It protects the ISP and other destinations outside the home network by preventing hacked devices within the network to be used for attacks outside of it.
Here’s an analogy I like to use when I explain the difference between placing protective measures on every device, versus placing them at the network level: You’re the owner of a club and you’ve been notified that somewhere out there there’s a terrorist trying to get into your club. If you go the “Device-based protection” path, you’d attach a personal bodyguard to every person who is in the club. That is obviously not only complex to manage, but rather costly. If you go with the “Network-based protection” path, you’d place a bouncer at the only door to the club, and a few people to constantly patrol inside the club, interact with the people there to pick up any potential signs of suspicious behavior, and when such behavior is spotted that person is then separated from the rest of the crowd and neutralized.
Speaking of clubs – if you want to join a club that already includes some of the world’s leading ISPs, who already secure their customers (and themselves) from threats hiding within their home network – come dance with us.