Researchers show that IoT devices are not designed with security in mind

Lack of encryption and other security issues found in home automation hubs could facilitate burglary, stalking and spying

In the latest blow to Internet of Things (IoT) security, an analysis of smart home devices has found flaws that could give attackers access to sensitive data or allow them to control door locks and sensors.

The research was performed by a team from application security firm Veracode for six up-to-date devices acquired in December and found serious issues in five of them. The tested devices were the Chamberlain MyQ Garage, the Chamberlain MyQ Internet Gateway, the SmartThings Hub, the Ubi from Unified Computer Intelligence Corporation, the Wink Hub and the Wink Relay.

All of these devices enable remote control and monitoring over the Internet of various home automation devices and sensors, including door locks, interior switches and power outlets. Most of them connect to cloud-based services and users can interact with them through Web portals or smartphone applications.

The Veracode team didn't look for vulnerabilities in the firmware of the tested devices, but instead analyzed the implementation and security of the communication protocols they use.

The researchers looked at the front-end connections, those between users and the cloud services, as well as the back-end ones, those between the devices themselves and the cloud services.

For front-end connections, they found that with the exception of SmartThings Hub, none of the devices enforced strong passwords. In addition, the Ubi did not enforce encryption for user connections, exposing them to possible man-in-the-middle (MitM) attacks.

For back-end connections the situation was even worse. The Ubi and MyQ Garage did not employ encryption, did not offer adequate protection against man-in-the-middle attacks and did not protect against replay attacks, in which an attacker who can capture traffic simply sends it again later, potentially triggering unauthorized actions such as opening a door. In addition, the Ubi did not properly secure sensitive data.
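What "no replay protection" means on the wire, and one common way to supply it, as an added example that is not code from the Veracode report or from any of the vendors: a cloud-to-device command is bound to the target device, a timestamp and a fresh nonce under an HMAC, and the device refuses anything forged, stale, addressed elsewhere or already seen. The shared key, the 30-second window and the JSON envelope are assumptions made for the example; the page does not describe how the tested devices actually key or frame their traffic.

```python
import hashlib
import hmac
import json
import os
import time

# Hypothetical per-device key. How (or whether) the tested devices key their
# back-end traffic is not described on the page; this value is illustrative only.
DEVICE_KEY = b"example-shared-key-not-from-any-vendor"
FRESHNESS_WINDOW = 30  # seconds: a signed command older than this is rejected


def _canonical(body):
    # Stable byte encoding so cloud and device compute the MAC over identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key, device_id, command, now=None):
    """Cloud side: wrap a command with its target device, a timestamp, a fresh nonce and an HMAC."""
    body = {
        "device_id": device_id,
        "command": command,
        "ts": int(time.time() if now is None else now),
        "nonce": os.urandom(16).hex(),
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Device:
    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key
        self.seen_nonces = {}   # nonce -> ts, pruned as entries age out of the window
        self.executed = []

    def accept_unprotected(self, msg):
        """'Before': the device executes whatever arrives, so a captured message replays cleanly."""
        self.executed.append(msg["command"])
        return True

    def accept_protected(self, msg, now=None):
        """'After': check MAC, target, freshness and nonce uniqueness before executing."""
        now = time.time() if now is None else now
        mac = msg.get("mac", "")
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False                        # forged or tampered
        if body.get("device_id") != self.device_id:
            return False                        # genuine message, but meant for another device
        if abs(now - body["ts"]) > FRESHNESS_WINDOW:
            return False                        # stale, or clock skew beyond tolerance
        # Nonces older than the window could not pass the freshness check anyway; drop them.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= FRESHNESS_WINDOW}
        if body["nonce"] in self.seen_nonces:
            return False                        # replay inside the window
        self.seen_nonces[body["nonce"]] = body["ts"]
        self.executed.append(body["command"])
        return True


def demo():
    """Replay a captured 'open_door' against a naive device and a hardened one."""
    now = 1_700_000_000
    naive = Device("garage-1", DEVICE_KEY)
    hardened = Device("garage-1", DEVICE_KEY)
    msg = sign_command(DEVICE_KEY, "garage-1", "open_door", now=now)
    captured = dict(msg)                        # the attacker's copy from the wire
    tampered = dict(msg, command="close_door")  # MAC no longer matches
    stale = sign_command(DEVICE_KEY, "garage-1", "open_door", now=now - 600)
    return {
        "naive_first": naive.accept_unprotected(msg),
        "naive_replay": naive.accept_unprotected(captured),
        "naive_executed": list(naive.executed),
        "hardened_first": hardened.accept_protected(msg, now=now + 1),
        "hardened_replay": hardened.accept_protected(captured, now=now + 2),
        "hardened_tampered": hardened.accept_protected(tampered, now=now + 3),
        "hardened_stale": hardened.accept_protected(stale, now=now),
        "hardened_executed": list(hardened.executed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The MAC only proves origin and freshness; it does not hide the command, so transport encryption with certificate validation is still needed for confidentiality. The freshness window also assumes the device keeps a reasonably synchronized clock; a device without one would instead have to challenge the cloud with its own nonce and accept only a signed response to that challenge.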

MitM protection was lacking across all devices with the exception of the SmartThings Hub, either because TLS (Transport Layer Security) encryption was not used at all or because it was implemented without proper certificate validation.
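Why TLS "implemented without proper certificate validation" gives no MitM protection, shown on Python's standard ssl module as an added example (not code from the report or from any vendor): the first context encrypts the session but accepts any certificate, so an interceptor with a self-signed certificate completes the handshake and reads everything; the second verifies the chain and the server name. The audit function reports what a context would let through. The hostname, port and optional vendor CA file in `connect` are placeholders for illustration.

```python
import socket
import ssl


def insecure_client_context():
    """The weak pattern: TLS is on, but the peer certificate is never checked, so any
    interceptor presenting any certificate (self-signed, expired, wrong name) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Verify the chain and match the hostname. Passing the vendor's own CA bundle as
    cafile pins trust to that CA instead of the whole system store."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the reasons a context would not stop a man-in-the-middle; empty means it would."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("certificate not matched against the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 permitted")
    return findings


def connect(host, port=443, ctx=None):
    """Usage: a verified connection fails closed (ssl.SSLCertVerificationError) on a bad
    certificate instead of proceeding; returns the peer certificate on success."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        # server_hostname drives both SNI and the hostname match.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The same two settings exist in every TLS stack (the equivalent of `verify_mode` and `check_hostname` in OpenSSL, Java's `HostnameVerifier`, or a curl `-k`), and a device that disables either one is in the second category the report describes: encrypted, but trivially interceptable on a hostile LAN.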

This suggests that those who designed these IoT devices assumed that the local area networks they would be installed on were secure. That's an error, because research over the past several years has shown that if there's anything worse than the security of IoT devices, it's the security of consumer routers. Security researchers find serious vulnerabilities in routers on a routine basis, many of which enable attackers to perform man-in-the-middle attacks, and those flaws have resulted in millions of routers being compromised in large-scale attacks over the past few years.

The misguided trust of IoT manufacturers in the security of home networks is also reflected by the debugging interfaces and other services their devices expose to such networks.

The Veracode researchers found that the Wink Hub runs an unauthenticated HTTP service on port 80 that is used to configure the wireless network settings, the Wink Relay runs a network-accessible ADB (Android Debug Bridge) service, the Ubi runs both an ADB and a VNC (remote desktop) service with no password, the SmartThings Hub runs a password-protected telnet server and the MyQ Garage runs an HTTPS service that exposes basic connectivity information.

In the case of the Wink Relay and the Ubi, the exposed ADB interface can provide attackers with root access and can allow them to execute arbitrary code and commands on the devices.
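A way to tell, from the LAN, whether an exposed ADB daemon is the unauthenticated kind the report describes or one that at least demands an RSA key, as an added example that is not code from Veracode or from any vendor: the probe sends an adb CNXN message and classifies the reply (a CNXN back means the daemon accepted the connection with no authentication; an AUTH reply means a key is required). Port 5555 is the conventional adb-over-TCP port and is an assumption, since the page does not give one; the loopback daemon in `demo()` is constructed so the probe can be exercised offline.

```python
import socket
import struct
import threading

# adb wire-protocol constants (from the public adb protocol description).
A_CNXN = int.from_bytes(b"CNXN", "little")   # connect
A_AUTH = int.from_bytes(b"AUTH", "little")   # authentication required
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<IIIIII")            # command, arg0, arg1, data_length, data_check, magic
ADB_TCP_PORT = 5555                          # conventional adb-over-TCP port (assumption; page gives none)


def adb_message(command, arg0, arg1, payload=b""):
    """Encode one adb message: 24-byte header (sum-of-bytes check, magic = ~command) plus payload."""
    return HEADER.pack(command, arg0, arg1, len(payload),
                       sum(payload) & 0xFFFFFFFF, command ^ 0xFFFFFFFF) + payload


def parse_header(buf):
    """Return (command, arg0, arg1, data_length), or None if this is not an adb header."""
    if len(buf) < HEADER.size:
        return None
    command, arg0, arg1, length, _check, magic = HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF:
        return None
    return command, arg0, arg1, length


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed")
        data += chunk
    return data


def probe_adb(host, port=ADB_TCP_PORT, timeout=3.0):
    """Send a CNXN and classify the daemon's reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(adb_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00"))
            hdr = _recv_exact(s, HEADER.size)
            parsed = parse_header(hdr)
            if parsed is None:
                return "not adb"
            command, _, _, length = parsed
            payload = _recv_exact(s, length) if length else b""
    except OSError:                      # refused, timed out, or closed mid-handshake
        return "closed or no reply"
    if command == A_CNXN:
        banner = payload.rstrip(b"\x00").decode("ascii", "replace")
        return f"adb: UNAUTHENTICATED access ({banner})"
    if command == A_AUTH:
        return "adb: RSA authentication required"
    return f"adb-like reply: {hdr[:4]!r}"


def _fake_daemon(reply):
    """Constructed loopback stand-in for an adb daemon that answers one connection with `reply`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)              # the probe's CNXN
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe two constructed daemons: one that admits anyone, one that demands a key."""
    open_port = _fake_daemon(adb_message(
        A_CNXN, A_VERSION, MAX_PAYLOAD, b"device::ro.product.name=example\x00"))
    locked_port = _fake_daemon(adb_message(A_AUTH, 1, 0, b"\x00" * 20))  # AUTH TOKEN challenge
    return probe_adb("127.0.0.1", open_port), probe_adb("127.0.0.1", locked_port)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run `probe_adb` against each address on the home network; an "UNAUTHENTICATED" result is the condition under which the page says an attacker gets a root shell and arbitrary code execution, since the daemon will accept `shell:` streams from that connection with no further check. The same connect-and-read approach with the appropriate handshake identifies the password-less VNC service and the unauthenticated HTTP configuration page the report mentions.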

While they didn't directly analyze the security of the vendors' cloud services, the Veracode researchers considered several scenarios, such as what would happen if attackers compromised user accounts, intercepted connections somewhere close to the service -- for example by compromising an upstream provider -- or fully breached the cloud service. They concluded that the impact of such breaches could range from attackers gaining access to sensitive data to taking control of a device and executing commands.

The reliance of these devices on cloud services is not always clearly explained to users and it should be, because not everyone realizes that when they talk to their device through a mobile app, they don't do so directly and the traffic actually passes through a service run by someone else, said Brandon Creighton, a member of the Veracode research team.

This also means that manufacturers should have security processes in place not only for the hardware devices themselves, but also for their Web services, Creighton said. "These services can be as vulnerable as any other application running on the Internet -- Web service or network service -- so it's important to get those tested and reviewed as well."

Based on the results of their analysis, the Veracode team concluded that the designers of the tested devices "weren't focused enough on security and privacy, as a priority, putting consumers at risk for an attack or physical intrusion."

For example, information gathered from an Ubi device could enable criminals to know when a user is home or not based on ambient noise or light, the team said in their report. Furthermore, by exploiting vulnerabilities in the Ubi or Wink Relay devices, attackers could turn on their microphones and listen to conversations. "Using vulnerabilities found in the Chamberlain MyQ system, thieves could be notified when the garage door is opened / closed, indicating a window of opportunity to burgle the house, and then remotely open the door."

Creighton stopped short of saying that the issues they found on some of the tested devices were a universal problem in the IoT world, but he doesn't think they were anomalies either.

"I think these are common problems that would probably be shared across a lot of different embedded devices," he said.

The good news is that unlike routers for example, many of these IoT devices come with automatic update capabilities, so whenever an issue is found, the vendors can more easily distribute a fix. Veracode has already contacted the affected vendors and at least one of them, Wink, has already issued patches.

Update:

Chamberlain has issued a statement that says:

Chamberlain has reviewed the Veracode study and confirms that the MyQ product test is out of date, as the Chamberlain Group continually reviews and makes improvements to its product security. Additionally, we disagree with some of the findings in the report and will work with Veracode to share our concerns.

Chamberlain takes the safety and security of the smart home very seriously. Our continuous security updates and processes include using industry standard encryption, applying the latest security techniques, and periodic security testing with respected outside services. This study is a good reminder to homeowners to keep their networks secure by using strong passwords and security settings.

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place