This Fancy Rock Wants to Protect Your Connected Devices
Yossi Atias is sitting in a conference room in One World Trade Center in New York City, but he’s staring directly into a room in his company’s headquarters, in Israel. On a shelf in the room, visible to Atias on his laptop’s screen, is a buffet of connected gadgets. There’s a smart alarm, a smart lighting system, and a smart camera. From halfway around the world, Atias is about to hack into these devices, and shut them down.
Atias, of course, has no ill-will towards his company, Dojo Labs. The hack is staged so he can show me how the company’s first product, a connected device meant to watch over the security of other connected devices, will work. Moments after Atias uses hacking software on his laptop to remotely kill the alarm system at his company’s offices, he gets a notification on his phone. It’s a text from Dojo, and it says, “Good afternoon Yossi! I’m noticing unusual activity.”
As more consumers adopt products that belong to the so-called Internet of Things, Atias is betting they’ll also want to protect those devices—all of which hook up to the same Wi-Fi connection and accrue a ton of data. “These devices are nice for comfort and quality of life, but when it comes to security it’s a pretty big black hole, because most of those devices are not really secured,” Atias says. Gadi Amit, founder of New Deal Design—and the guy who created the Fitbit’s sleek looks—is making that bet, too; his firm did the industrial design and user interface for Dojo.
Dojo has three main components: a small box that houses the computer; a digital, rock-shaped remote; and an app. The base unit—the white computer—plugs directly into the Wi-Fi router. It serves as a kind of filter for all the traffic flowing in and out of any other device using that router, and is stocked with algorithms that learn about and analyze traffic in real time, to detect anomalies. When it sees one, it sends the user one of two alerts. The first lets her know there was a potential threat, but that no action is required on her part. The second informs her a threat was made and that she needs to act. In the second case, Dojo may go ahead and block the compromised gadget by disconnecting it from the Wi-Fi. In that sense, Dojo acts a bit like a guardian angel for the connected home, watching over it, keeping it safe.
In broad strokes, the Dojo “brain” doesn’t work so differently from anti-virus software. Atias says it uses “a deterministic system,” that looks at all the devices under Dojo’s watch, across all owners, to make decisions. Because it’s connected to the cloud, Dojo’s can actually learn from all the metadata coming from the devices its collective users have in their homes. Put simply: the more people that use Dojo, the more secure it becomes.
From a security standpoint, this is a big claim. The connected home is still in its infancy; the security of the connected home is an even more nascent topic. Experts are still assessing risk and considering how to patch potential security holes. We’ve only recently become aware of the fact that smart TVs are recording and saving our voice commands. And as of now, Dojo doesn’t have a proven track record as a security company, which means its claims about IoT protection will only be validated once the devices spend some time on the market.
Craig Young, a security researcher at Tripwire, says Dojo’s anomaly detection method makes sense. “It seems like it’s a new take on an old concept in security,” he says—but it’s not bulletproof. “I can see without a doubt that these [devices] are not going to be a cure-all for the Internet of Things security problem.” Tripwire has its own IoT Hack Lab, where Young says he’s already created some hack simulations that circumvent Wi-Fi entirely. Young also points out that Dojo’s cloud-based server, the one watching over the entire Dojo network, “create this big nest of metadata that’s attractive for hackers.”
Plus, it’s simply impossible to gauge Dojo’s effectiveness until it’s actually out there, in the wild. Atias’s demo makes it clear how Dojo works—but a presentation delivered by the company doesn’t portray the true nature of a cyber security attack. In reality, the hacker likely wouldn’t simply shut off the hackee’s alarm system just to break in; he would likely be using the hacked device as a vehicle to get to the cloud server and access personal data, like credit card and social security numbers.
Atias’s presentation does, however, highlight some noteworthy interactions that Amit has created between the user and the app, and the user and the Dojo remote. The app’s interface is a straightforward chat system. It communicates updates and alerts in conversational English, as if you’re talking to your house sitter on WhatsApp. Iconography is notably absent. The remote isn’t loaded with much more than a lighting system that flashes green, yellow, or red concentric circles—Amit calls this the “ambient UI”—to convey security status to users. If it’s green, all is safe. If the rock flashes orange or red, Dojo has detected suspicious activity. The point of the rock, in addition to the text-based alerts, is to give users updates in the home, when they may not have their phones in hand. Amit calls it “a digital pet rock, that’s kind of innocuous, and is just going to sit in the corner.” Dojo doesn’t ask much of its users, and won’t pipe up unless there’s a problem.
In Finland, a company called F-Secure is gearing up to launch a very similar product. The F-Secure Sense is a white, diamond-shaped mini-tower with a set of functions nearly identical to Dojo’s: it uses algorithms to analyze all the traffic flowing through a given Wi-Fi connection, and detects abnormalities. Samu Konttinen, EVP of consumer security at F-Secure, says it’s meant to be a hands off, all-in-one device. “We really started thinking of a solution where you wouldn’t have to install security software. We thought, let’s design something that will protect all of those devices, but this one solution could solve all of your security problems.”
As the number of connected gadgets in our homes increases, it stands to reason we’ll see an increase in IoT security devices like these. Konttinen cites increasing sales in Wi-Fi connected devices, and the attendant rise in security concerns, as F-Secure’s motivation for designing the icy, supremely Scandinavian Sense. Atias says looking forward, it’s safe to assume all our devices will plug into the network. “Samsung, Bosch, Siemens—in three or five years, they will not have a single device out of their factory that’s not connected,” he says, based on conversations he’s had with other companies. Products like Dojo and Sense address a real need in this new marketplace, Young says. “When people talk about the Internet of Things, they say, ‘oh you can hack the smart TV, but I don’t care, it’s a low level risk to me.’ But the thing is, that TV gives you away to other parts of the network,” Young says. Not caring, “throws the traditional thinking of risk management on its head. You can’t easily envision what the worst case scenario is from your home.”
It’s tempting to regard products like Sense and Dojo the way you might an upcharge by your local auto mechanic. You mean I have to buy a device to protect my other devices? On the other hand, as the objects in our homes send more and more personal information to the cloud, protective devices like these sure seem prudent. Beautifully designed products like Dojo and the Sense have the potential to make an unsexy topic a little more attractive. Atias and Amit hope that will, in turn, make consumers consider the issue more seriously. “Most people are not aware of the amount of data being collected,” Amit says. “Both the big guys and the hackers don’t want to talk about how much data is sifted from homes. We think now you can control it in a very easy way.”