Thales Blog

3 Ways to Protect Smart Devices from Criminal Exploits

July 20, 2023

Melody Wood Melody Wood | Partner Solutions Marketing Manager, Thales More About This Author >

When people think of home or business security, they are usually worried about protecting against a physical breaking in via a window or door and a burglar stealing valuables such as jewelry, cash, electronics, and equipment. However, in today’s IoT era, there are increasingly new ways people can break in to steal from us – by hacking into our Smart Devices. This article explains why these are vulnerable and 3 ways how we can protect them.

Smart Devices Provide Criminals a New Entry Point

Most of us leverage Smart Devices to simplify our lives: smart locks, security cameras, lights, thermostats, smart doorbells, and monitors. However, it often does not occur to us that the same devices that make our modern lives so much easier, also open a Pandora’s Box for a new age of criminal exploits. Unfortunately, Smart Devices are popular ports of entry for cybercriminals to conduct Digital break-ins to then steal our identities, customer data, financial information, bank accounts, credit cards, etc.

Once connected to the internet, Smart Devices become vulnerable to cyber-attacks. Hackers only need one loophole to break into a network. Smart Devices are particularly vulnerable to a “Zero-Day Exploit” attack, whereby hackers take advantage of a security vulnerability at the device level, to access the network it’s connected to. This is how cybercriminals can remotely “break-in” thru a smart device, get onto a network, locate “the goods” (typically valuable data), and then steal from people or organizations.

Additionally, in today’s connected world, the burglar hacking into a Smart Device may or may not be a person. Instead, it’s more likely to be an organized crime ring using a computer in a targeted attack or a bot conducting an automated broad-scale attack.

One famous example of a digital break-in via a Smart Device is the Casino Fish Tank attack. A North American Casino managed one of its fish tanks using an internet-connected Smart Thermostat to control water temperature, saline levels, and feedings. Unfortunately, hackers exploited a vulnerability in the connected thermostat to get a foothold in the Casino’s overall network. Once “in” the network, the thieves accessed the database for client records, and ultimately stole 10 gigabytes of customer data. The house did not win on that day!

Protecting Against Smart Device Break-Ins

This story also demonstrates the sobering reality that we can no longer solely rely on Usernames/Passwords to protect our networks. Instead, in today’s IoT landscape, we need additional authentication layers at the gadget level to ensure any connecting Smart Devices are trusted using certificates and keys – which are infinitely more difficult for a hacker to bypass or imitate – when attempting a break-in.

Following are 3 ways to protect our homes and businesses without having to relinquish our Smart Devices.

1) Manufacturer Protocols “Matter”

First, consumers should seek to purchase Smart Devices that are Matter certified. The Matter protocol is the first effort to provide a standard for secure, reliable interoperability for smart home devices, mobile applications, and cloud services.

Originally known as CHIP (Connected Home Over IP), Matter is a unifying, IP-based protocol built on proven technologies ensuring inter-device connectivity. Smart Device vendors such as Amazon, Apple, , Google, Samsung, and 250+ others support or contribute tothis important standard.

Additionally, while most manufacturers are experts in their device domain, they are not typically familiar with IoT security needs or how to incorporate them into production. However, following the Matter standard helps manufacturers since it clearly outlines security standards and spells out the necessary components to inject into Smart Devices such as certificates and key materials.

2) Leverage PKI and Certificate-Based Signing

Public key infrastructure (PKI) is a long-established standard to provide digital trust. For years, critical industries have used PKI when devices from multiple manufacturers need to seamlessly exchange information and work together in a secure way.

DigiCert, a Thales Technology partner, played a key leadership role in developing the security-related aspects of the Matter protocol around device attestation. As Tom Klein, Senior Director – Digital Trust Specialists at DigiCert, explains: “To ensure the security of smart devices, each Matter device employs its own unique Device Attestation Certificate (DAC). Device attestation accomplishes secure interoperability by verifying that each device comes from a trusted manufacturer, installing a strong identity on the device, and enabling validated, authenticated connections.”

Certificates essentially verify that each device seeking to connect to a network is genuine and has been issued by the manufacturer, versus a rogue stimulation by a would-be thief. Each device certificate is managed as part of a secure cryptographic chain, using Public Key Infrastructure (PKI) to enable secure communication between devices using encryption. Additionally, Smart Devices leveraging these PKI and certificate protocols guarantee any software updates are from digitally verified sources.

3) Safeguard Private Keys and Digital Signatures with a HSM

To further enhance Smart Device security layers, and in accordance with PKI best practices, a Hardware Security Module (HSM) is considered to ensure trusted network authentication. HSMs typically provide centralized storage, protection, and management of cryptographic keys used in PKI and certificate signing.

Thales offers a variety of IoT Security solutions, including tamper-resistant Thales Luna HSMs for high-assurance encryption key protection. Luna HSMs securely store the keys associated with PKI and digital certificate signatures, regardless of complexity or scale. Storing cryptographic keys inside a Luna HSM is analogous to putting them inside a safe and ensures access to sensitive information by authorized persons is tightly controlled, avoiding the risk of identity theft and fraudulent access to Smart Device networks.

Luna HSMs can also generate keys in a randomized fashion, to better protect against any hacker’s attempts at forging a digital signature. Lastly, Luna HSMs can support multiple public key algorithms including Elliptic Curve Crypto (ECC) whose shorter key lengths and less intensive computational power are well suited to constrained Smart Devices.

Thieves are resourceful and will always actively seek ways to steal valuables. Anyone using Smart Devices can quickly bolster their defenses against a potential attack by selecting manufacturers adhering to the Matter standard. This branding guarantees devices were built using security standards including injected PKI certificates and HSM-protected key materials. These combined components minimize illicit device hacks and ensure that only authenticated devices can connect to networks, thus providing stronger protections against any would-be digital thieves seeking an easy entry point. Together, both longstanding partners Thales and DigiCert are proud to offer joint solutions that establish Digital Trust.

To learn more, please consider attending our upcoming webinar featuring DigiCert’s Anthony Ricci, Senior Director of Product Management for Emerging Markets. Or, you can also attend one of our upcoming customer events in Boston or Seattle.