This Device Can Hack-Proof a Smart Home

The data in your smart home probably isn't safe. The growing Internet of Things—the increased connectivity of everything from fridges to thermostats—means that your personal data will be spread across more devices than ever before, providing myriad avenues for hackers to siphon off and profit from your sensitive information.

Two researchers think they may have a solution to this: a device that guards your home network and stops any dangerous code from getting in at the first hurdle. It's similar to the kind usually used by businesses, but cheap enough for the home user.

The "iGuardian," a small box just smaller than a banana, sits on your internet connection's ethernet cable and inspects any traffic coming in before it reaches your router. It also checks any traffic going out of your network, to make sure that your IoT devices aren't trying to connect to servers that are known to be malicious.

When it does this, it is "looking for patterns of known attacks, or symptoms that would indicate that there is a compromise that may have already taken place," Daniel Ayoub, co-founder of Itus Networks, the company behind the iGuardian device, told me. This information is provided by open source databases of known viruses and digital threats. If the iGuardian sees anything it doesn't like, it can cut off the connection, stopping the data from entering or leaving the network.

Ayoub runs a prototype model of the iGuardian at his home, with all of his internet traffic running through it. On that network, which includes gadgets such as a games console and computers, Ayoub also has a storage device—an internet-connected hard drive—which allows him to access his files through public internet anywhere in the world. He wouldn't tell me who the manufacturer of it was, but after a brief scan of it using some other tools he found 15 to 20 different vulnerabilities in the device, which could have given a hacker a plethora of ways to grab the data stored on it.

And that storage device isn't alone. A report released by HP last week analysed 10 of the most popular IoT items, and found that each had an average of 25 vulnerabilities.

The idea behind iGuardian is that it lowers the chance of anyone abusing those vulnerabilities and accessing the user's data by stopping anything malicious before it enters the network.

This sort of protection is the norm in the world of business and enterprise, with professional-grade firewalls and other security devices commonplace. "This isn't a new idea—network intrusion detection systems are a core feature of corporate security," David Emm, Senior Security Researcher at Kaspersky, told me over email.

Similar products aren't so popular in the consumer market, probably because we've all been using anti-virus on our computers happily enough. But with the Internet of Things, perhaps this sort of approach could be useful outside of large businesses.

"Anti-virus and [more secure] routers are out there, but they are really the only two choices that the consumer has," Jock Breitwieser, the other Itus Networks cofounder, said. "The routers are incredibly hackable, and anti-virus only protects a single device."

The iGuardian was launched on Kickstarter this morning and, assuming it reaches its goal of $125,000, individuals can get their own for a minimum pledge of $99. Ayoub said a similar device can cost "tens if not hundreds of thousands of dollars" in the corporate market, as this price list of intrusion detection systems shows. If it reaches retail, the iGuardian will be going for $179.

Theoretically, you could build something like this yourself: The iGuardian uses Snort, a piece of open source software which prevents intrusions and analyses traffic. Snort has been around for years, and although complex for the average user, the documentation on how to use it is out there. But for most it's probably easier to just purchase a readymade box that'll do the work for you.

However, the iGuardian does have its limitations. For one, it won't actually fix any problems with weak IoT items. "What we're doing is a kind of risk mitigation. The vulnerabilities still exist in the products; we're not able to patch them, per se," Ayoub stressed. The iGuardian will drop the packets of a specific attack it picks up going to a device. All the other traffic going to that device will remain uninterrupted and the device will continue to be fully functional.

I asked if the iGuardian could be too strong with its protections, perhaps detecting innocent data as malicious, and annoyingly blocking it in the process. "With any system, there's a balance that needs to be struck between being overzealous and actually providing effective security," Ayoub said, and pointed out that the invention hasn't yet been tested on a wide range of networks, meaning that such problems will have to be ironed out later. "I have not seen a terribly large number of false positives," he said.

Emm, the researcher from Kaspersky, pointed out that this could be a benefit of having the protection at the 'end-point,' like anti-virus, as opposed to over the whole network. "Doing this at the end point means that traffic can be analysed in the context of the application that is performing some action: this reduces the risk of false positives," he said.

But overall, it's becoming more important for consumers to beef up their security. "As more and more everyday objects become computers (e.g. baby monitors), it makes sense to have such protection in place, to reduce the risk of someone trying to attack the home and make changes to devices located around the house," Emm said.

And as the Internet of Things spreads further, we'll likely see more security products pop up. "We're maybe one of the first to develop this for the consumer market, but I'd be really surprised if in five years from now there weren't other people making the same stuff," Ayoub said.