Perhaps because smart lightbulbs that refuse firmware updates and refrigerators with blue screens of death aren’t enough fun on their own, a new WiFi protocol designed specifically for IoT devices and appliances is on the horizon, bringing with it all of the potential security challenges you’ve come to know and love in WiFi classic.
The new protocol is based on the 802.11ah standard from the IEEE and is being billed as Wi-Fi HaLow by the Wi-Fi Alliance. Wi-Fi HaLow differs from the wireless signal that most current devices uses in a couple of key ways. First, it’s designed as a low-powered protocol and will operate in the range below one gigahertz. Second, the protocol will have a much longer range than traditional Wi-Fi, a feature that will make it attractive for use in applications such as connecting traffic lights and cameras in smart cities.
The new version of Wi-Fi also could be useful for connections among smaller, lower-powered devices such as smart watches, fitness bands, and other pieces of wearable technology. The Wi-Fi Alliance, which certifies Wi-Fi compatible devices and is overseeing usage of the proposed new protocol, is touting it as an extension and improvement of the existing protocol.
“Wi-Fi HaLow is well suited to meet the unique needs of the Smart Home, Smart City, and industrial markets because of its ability to operate using very low power, penetrate through walls, and operate at significantly longer ranges than Wi-Fi today,” said Edgar Figueroa, president and CEO of Wi-Fi Alliance.
But, as with any new protocol or system, Wi-Fi HaLow will carry with it new security considerations to face. And one of the main challenges will be securing all of the various implementations of the protocol. Device manufacturers all implement things in their own way and in their own time, a practice that has led to untold security vulnerabilities and innumerable billable hours for security consultants. Security experts don’t expect Wi-Fi HaLow to be the exception.
“While the standard could be good and secure, implementations by different vendors can have weaknesses and security issues. This is common to all protocols,” said Cesar Cerrudo, CTO of IOActive Labs, who has done extensive research on the security of a wide range of smart devices and smart city environments.
Many of the devices that may use the new protocol–which isn’t due for release for a couple of years–are being manufactured by companies that aren’t necessarily accustomed to thinking about threat modeling, potential attacks, and other issues that computer hardware and software makers have had to face for decades. That could lead to simple implementation problems that attackers can take advantage of.
“While the standard could be good and secure, implementations by different vendors can have weaknesses and security issues.”
Cerrudo said that the longer range of Wi-Fi HaLow could present an opportunity for attackers, as well.
“Having a longer range also means that attackers can launch attacks from longer distances, your neighbor’s devices three or more houses away will be able to talk to (hack) your devices. What’s more scary is that if this new standard goes mainstream and it’s adopted by smart home, smart city, smart phones technologies then hackers will get in a golden age being able to hack everything from miles away,” Cerrudo said.
“For instance, an attacker in China wants to hack smart homes and cities in the US he will just need to hack some smart phones in the US and from there launch attacks that will affect homes and cities technologies.”
Each new iteration in technology brings with it fresh security and privacy considerations, and the proliferation of connected non-computing devices is no different. The concept of a voice-enabled hub that controls your home’s climate, entertainment, and other systems is now a reality, as is the ability to send an email from your refrigerator. That’s all well and good, until these smart devices start doing really dumb things.
“This is nothing new but until now we have different technologies (protocols) used for communications on smart home and smart cities devices, etc. When all these converge and use the same technology then the attack surface grows significantly and opens the door for attacks,” Cerrudo said.
Image from Flickr stream of EFF.