Security Protection for Smart Home Networks

Release Date: 2024-11-14 Xu Baohong, Wang Lili

Smart home networks are transitioning into the FTTH Gigabit era, providing unprecedented bandwidth, reduced latency, and expanded coverage. This transformation offers operators opportunities to introduce emerging services such as home cloud security, cloud offices, cloud VR, and game acceleration. However, these services also introduce a wider range of potential cyber threats to home networks, making the protection of private data essential.

ZTE’s smart home product portfolio utilizes the IPDRR security framework to establish a security system and architecture for smart home networks, with CPE products as its core. This model consists of five functional modules: risk identification (Identify), security protection (Protect), security detection (Detect), security response (Respond), and security recovery (Recovery).

Risk Identification

Risk identification for smart home networks includes determining asset priorities, identifying risks, and conducting impact assessments.

The internal devices in a smart home network include home gateways (HGWs), access points (APs), and various access terminals like PCs, set-top boxes (STBs), smart door locks, smart cameras, and smart phones. These devices, along with the software and data running on them, are assets that require robust protection.

The interior of a home network can be considered as a trusted area, while the exterior is an untrusted area. According to the STRIDE threat model analysis, the risks faced by home networks mainly stem from external attacks and internal data leaks concerning network privacy. The primary attacks include flooding attacks, buffer overflows, command injections, brute force attacks, and reverse engineering.

Security Protection

To ensure the continuity of home network services and mitigate risks and impacts from attacks, the security measures for smart home networks focus on the external protection of the all-optical main gateway at the boundary. This includes system security, network security, data security, and application security.

The system security function includes hardware protection, operating system protection, and security for open-source components. No debugging interfaces (JTAG/serial ports) are left on the hardware, and the serial port pins are removed. The operating system's root file system must be read-only and must use address randomization to increase the difficulty of overflow attacks. The operating system disables support for unnecessary file types. By default, the system kernel does not load unnecessary file system drivers, reducing the attack surface. Open-source components are scanned regularly to eliminate any related vulnerabilities.

The network security function includes firewall, VPN tunnel protection, access control, and DoS attack prevention. The firewall can set access rules based on protocol type, MAC address, IP address, and packet port. VPN tunnel protection employs IPsec for encryption and authentication. Access control is implemented through blacklists and whitelists of URLs or IP addresses, and guest devices are isolated within the Wi-Fi network. To mitigate DoS attacks, packet rates are limited so that the CPU load stays low under flooding, which reduces the impact of such attacks.

The data security function includes algorithm and key management, configuration file encryption, data transmission security, and personal data protection. For adequate strength of the authentication algorithm, DSA keys must be at least 2048 bits long. Each device must have a unique, strong key password, and plaintext passwords are prohibited. Configuration files are encrypted during storage and transmission. Encrypted channels and access authentication are used for data transmission on the WAN side. User passwords and other personal data must not be displayed in plaintext, and sensitive data must be scrambled and encrypted.

The application security function includes authentication and authorization, input and output verification, third-party plug-in resource control, and access management. Authentication and authorization involve verifying identities when external interfaces, such as Web/TR069, access the home network. The home network conducts legitimacy checks on external inputs to prevent injection attacks, cross-site scripting, and format string attacks. The system must control the permissions of third-party plug-ins, prohibiting them from running with root privileges and minimizing their process permissions. Web configuration via the HTTP GET method is forbidden, and the HTTP POST method should be used instead. Additionally, URL parameters must not contain sensitive data.
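As an added illustration (example code, not ZTE's own), the following Python checker applies the application-layer rules above to a hypothetical HGW web-configuration endpoint: configuration changes are accepted only via POST, sensitive fields may not appear in the URL, and every input is validated against an allow-list of expected shapes before it reaches the system. The field names, regular expressions and limits are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed rules for a hypothetical HGW web-configuration endpoint.
# Sensitive fields must never travel in the query string: URLs end up in
# access logs, proxies and browser history.
SENSITIVE_PARAMS = {"password", "passwd", "wifi_key", "pppoe_password"}
SSID_RE = re.compile(r"^[A-Za-z0-9 _\-]{1,32}$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_field(name: str, value: str) -> bool:
    """Allow-list check per field: only the expected shape is accepted,
    which blocks injection, XSS and format-string payloads as a side effect."""
    if name == "ssid":
        return bool(SSID_RE.match(value))
    if name in ("dns1", "dns2"):
        try:
            ipaddress.ip_address(value)  # rejects "8.8.8.8; reboot" etc.
            return True
        except ValueError:
            return False
    if name == "hostname":
        return bool(HOSTNAME_RE.match(value))
    if name == "wifi_key":
        # WPA2 passphrase: 8 to 63 printable ASCII characters
        return 8 <= len(value) <= 63 and all(32 <= ord(c) < 127 for c in value)
    return False  # unknown field names are rejected outright


def check_config_request(method: str, url: str, form: dict) -> tuple:
    """Return (accepted, reason) for a configuration-change request."""
    if method.upper() != "POST":
        return False, "configuration changes require POST"
    leaked = SENSITIVE_PARAMS.intersection(parse_qs(urlsplit(url).query))
    if leaked:
        return False, "sensitive data in URL: " + ", ".join(sorted(leaked))
    for name, value in form.items():
        if not validate_field(name, value):
            return False, "rejected field: " + name
    return True, "ok"
```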

Security Detection

The home network security detection function monitors attacks in real time and tracks the normal operation of services and protection measures. It includes monitoring EMS user operations, overseeing home network system resources, controlling malicious software, and recording user logs.

  • Monitoring EMS user operations: This involves monitoring the use of system accounts, ensuring that access is granted only with valid authorization, and auditing related operational records. It also includes detecting brute-force attacks on user accounts and implementing silent measures to mitigate these threats.
  • Overseeing home network system resources: This involves monitoring the performance indicators of system software and hardware resources, such as CPU, RAM, FLASH, and processes during attacks. It includes recording logs and reporting alarms.
  • Controlling malicious software: This involves using digital signatures and encrypted executable programs to restrict the installation and upgrade of malicious software. Downloading, installing, or executing third-party plug-ins from unknown sources is prohibited through certificate verification.
  • Recording user logs: This involves recording user-related activities, exceptions, faults, and information security events, including but not limited to user ID, system activities, date, time, and details of key events. It also includes implementing privacy protection measures for sensitive data and personal identity information contained in the logs.

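The brute-force detection and silent lockout described under "Monitoring EMS user operations", as an added example that is not part of the original article: a sliding-window failure counter runs over constructed HGW authentication log lines, locks an account after repeated failures, reports an alarm for the EMS, and keeps answering FAIL during the lockout even for a correct password so the response leaks nothing. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of HGW authentication log lines (not real device output).
SAMPLE_LOG = """\
2024-11-14T08:00:01 auth user=admin src=192.0.2.10 result=FAIL
2024-11-14T08:00:03 auth user=admin src=192.0.2.10 result=FAIL
2024-11-14T08:00:04 auth user=admin src=192.0.2.10 result=FAIL
2024-11-14T08:00:06 auth user=admin src=192.0.2.10 result=FAIL
2024-11-14T08:00:07 auth user=admin src=192.0.2.10 result=FAIL
2024-11-14T08:00:09 auth user=admin src=192.0.2.10 result=OK
2024-11-14T08:05:00 auth user=guest src=198.51.100.7 result=FAIL
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\S+)$")

class BruteForceMonitor:
    # Per-account sliding window: after `threshold` failures within `window` the
    # account is locked for `lockout`. During lockout every attempt, even one with
    # the right password, gets the same FAIL answer (the "silent measure").
    def __init__(self, threshold=5, window=timedelta(minutes=1), lockout=timedelta(minutes=10)):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> lockout expiry
        self.alarms = []                    # (timestamp, user, src) to report to the EMS

    def observe(self, ts, user, src, result):
        """Feed one auth event; return the result the device should act on."""
        if ts < self.locked_until.get(user, datetime.min):
            return "FAIL"                   # locked: accept nothing, reveal nothing
        q = self.failures[user]
        while q and ts - q[0] > self.window:
            q.popleft()                     # forget failures older than the window
        if result == "OK":
            q.clear()
            return "OK"
        q.append(ts)
        if len(q) >= self.threshold:
            self.locked_until[user] = ts + self.lockout
            self.alarms.append((ts, user, src))
            q.clear()
        return "FAIL"

def replay(log_text, monitor=None):
    # Parse the log, run it through the monitor, return (decisions, alarms).
    monitor = monitor or BruteForceMonitor()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            decisions.append(monitor.observe(datetime.fromisoformat(m["ts"]),
                                             m["user"], m["src"], m["res"]))
    return decisions, monitor.alarms
```

In the sample, the fifth failure at 08:00:07 locks `admin`, so the correct password at 08:00:09 is still answered with FAIL, while the single `guest` failure raises no alarm.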

Security Response

The home network security response function involves responding to, processing, and managing security events.

Security event response processing includes detecting DoS attacks and other intrusion events, as well as supporting the notification and reporting of security incidents. The system can be restored through rate limiting, traffic interruption, and filtering controls. The system automatically rolls back to the previous version when a malicious version upgrade is detected.

Security event management involves documenting the entire handling process of security events, which includes, but is not limited to, the detection process, response procedures, outcomes, and any related information.

Security Recovery

The home network security recovery function includes restoring the system to its normal state and implementing prevention and recovery measures. Users can manually or automatically execute an appropriate recovery plan based on the generated security events. The HGW facilitates offline configuration for access points, enabling a seamless plug-and-play experience along with automated deployment to ensure environmental recovery. Additionally, the HGW supports patch upgrades and security hardening through upgrade policies to minimize security risks.

By leveraging the industry-leading IPDRR security framework, the ZTE smart home CPE product solution offers a comprehensive and robust security solution for building secure home networks for users.