Many connected-home devices lack robust security features, security firm claims

Veracode warns that many connected-home devices lack basic security features, leaving consumers wide open to sophisticated thieves.

According to a report released this morning by security provider Veracode, many of the Internet of Things devices that consumers are buying for their increasingly connected homes are vulnerable to hacker exploits. While Veracode looked at different devices and vulnerabilities, its overall findings mirror those by Synack, which we reported on last month.

According to the Veracode report, for example, a vulnerability in the Ubi voice-controlled Internet appliance could enable criminals to monitor the ambient noise or light in a room to determine whether someone is home or away. Similarly, a weakness in the Chamberlain MyQ Garage, a connected garage door opener, could alert thieves to a door's opening and closing, again giving a clue to good times to break in.

"The Internet of Things is getting more and more popular," said Veracode security research architect Brandon Creighton, "and it's grown into a phenomenon that doesn't just exist in the realms of technical people who are buying little components and plugging them together. It's now a consumer-level thing, and you can buy most of these devices at a Target or a Home Depot. Even though they're packaged as hardware devices, in reality they're just like any other technological system in that they're primarily comprised of software." And software can be hacked if it isn't properly protected.

In designing the study, Creighton said "we wanted to choose devices that had an impact in the real world, or at least the potential for it." To that end, his team looked at always-on systems that are marketed to end users who don't possess any particular technical expertise. In addition to the Chamberlain MyQ Garage and the Ubi, the firm tested the Chamberlain MyQ Internet Gateway, the SmartThings Hub, the Wink Hub, and the Wink Relay.

Researchers conducted 10 tests, classifying the results into four categories: user-facing cloud services, back-end cloud services, mobile application interfaces, and device-debugging interfaces. They found vulnerabilities across most categories in all but one of the devices.

"The SmartThings hub did pretty well on the tests we applied," Creighton said. "We didn't do an in-depth security review on every aspect of the device--we didn't go into the firmware. We're not saying they're secure, we're saying that for these tests, they did pretty well."

Veracode installed and configured the devices according to their included documentation, and then monitored and captured all the communication between the devices and their surroundings. "When you're thinking about IoT devices as a consumer, it's important to think about the fact that these are not just isolated things sitting in your house," Creighton said, "there are any number of services they may be communicating with.

"And the security of the system as a whole often relies on those services being secure as well. We didn't have permission to scan those services, so the flaws we did find were mostly in the devices themselves, and related to the communication between the devices and the servers."

Test results

Veracode's researchers evaluated four elements of these products' user-facing cloud services: whether the service allowed users to encrypt communications, whether it required encryption, whether it enforced a strong password, and whether any mobile applications that work with the device validated the server's TLS (transport layer security) certificate. All the devices did pretty well in these tests; the SmartThings Hub was the only one that enforced a strong password.

In testing the communications between the devices and their associated cloud services, Veracode examined whether they used a strong means of authenticating themselves to the service, whether communication was encrypted, and whether they offered protection against various common forms of attacks.

"We wanted to illustrate that the security of the system is not just about the security you have on the device," Creighton said, "but it's also determined by the security of all of the services run by the manufacturer. Everything the device talks to is another link in the chain." All the devices passed the first test--authentication--but it was downhill from there, and once again the SmartThings Hub was the only device to pass all the tests.

The third category involved two tests: whether sensitive mobile-to-device traffic was secured, and whether the mobile applications validated the devices' TLS certificates. Results on the first test were mixed, while none of the mobile applications validated the devices' certificates.

"Something that may be crucial for a developer to get their job done might turn into a security vulnerability if left turned on after the device is produced," explains Creighton. "As a developer, you're working in your closed laboratory with a local version of a service. That service is not Internet-accessible and probably doesn't have a valid SSL certificate. So when you're developing it, you turn off certificate validation and it works fine. The problem is, if nobody checks to see if that's still turned off later, the device will work fine but it'll be insecure."
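The failure mode Creighton describes, validation switched off for a lab service and never switched back on, is one a release process can catch mechanically. The following is an added example, not Veracode's tooling and not code from any of the tested products: a small Python pre-release scan that searches a source tree for the idioms that disable certificate or hostname validation in the libraries an IoT stack typically uses, run here over constructed file snippets. The rule list, file names and snippets are assumptions made for the demonstration; the hardened Python client at the end shows the pattern that passes.

```python
"""Pre-release scan for certificate validation that was switched off in development.

Added example; it is not Veracode's tooling or code from any tested product.
The rule list and the sample files are assumptions constructed for the demo.
"""
import re
from dataclasses import dataclass

# (rule name, regex) pairs for idioms that disable TLS validation. Extend per stack.
RULES = [
    ("python-requests", r"verify\s*=\s*False"),
    ("python-ssl", r"CERT_NONE|check_hostname\s*=\s*False|_create_unverified_context"),
    ("curl", r"(?:^|\s)(?:-k|--insecure)(?=\s|$)"),
    ("java-hostname", r"set(?:Default)?HostnameVerifier\s*\(\s*"
                      r"(?:[\w.]*ALLOW_ALL_HOSTNAME_VERIFIER|\([^)]*\)\s*->\s*true)"),
    # An X509TrustManager whose checkServerTrusted has an empty body trusts every cert.
    ("java-trustmanager", r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
    ("android-cleartext", r"(?:cleartextTrafficPermitted|usesCleartextTraffic)\s*=\s*\"true\""),
    ("ios-ats", r"NSAllowsArbitraryLoads"),
    ("nodejs", r"rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0"),
]
COMPILED = [(name, re.compile(pat, re.MULTILINE)) for name, pat in RULES]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def scan_text(text: str, path: str) -> list[Finding]:
    """Return one Finding per rule match in `text`, with 1-based line numbers."""
    found = []
    lines = text.splitlines()
    for rule, regex in COMPILED:
        for m in regex.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            found.append(Finding(path, line_no, rule, lines[line_no - 1].strip()))
    return sorted(found, key=lambda f: (f.path, f.line))


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} mapping, e.g. built with os.walk over a release tree."""
    return [f for path, text in sorted(files.items()) for f in scan_text(text, path)]


# Constructed snippets standing in for a firmware/app source tree (not real product code).
SAMPLE_FILES = {
    "app/client.py": """\
import os
import requests

def fetch_status(base_url):
    # Left over from lab testing: the local mock service has no valid cert.
    return requests.get(base_url + "/status", verify=False)
""",
    "app/PinnedClient.java": """\
TrustManager[] trustAll = new TrustManager[]{ new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}};
HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
""",
    "app/config.js": """\
const agent = new https.Agent({ rejectUnauthorized: false });
""",
    "app/hardened_client.py": """\
import requests

def fetch_status(base_url, ca_bundle):
    # Validation stays on; trust is limited to the CA bundle shipped with the firmware.
    return requests.get(base_url + "/status", verify=ca_bundle, timeout=5)
""",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.snippet}")
    # A CI gate would exit non-zero here so a build cannot ship with validation off.
```

Run as a build step, the scan turns "did anyone turn it back on?" into a failing check rather than a question nobody asks. It is text matching, so it will miss validation disabled through configuration loaded at runtime and will flag a commented-out line; treat a hit as something to look at, and back it with a runtime test against a server presenting an untrusted certificate.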

The final category, debugging interfaces, involved services or interfaces that aren't meant to be accessed by the end user but are nevertheless available over the local network or the wider Internet. The testers looked at whether such interfaces were restricted to those with physical access to the device, whether an attacker could bypass whatever authentication process might be in place, and whether the device prevented running arbitrary code. In this case, the MyQ Gateway was the only device to restrict the interfaces to those with physical access, while results on the other two tests were mixed.

"Essentially you could call those debugging interfaces 'unintentional back doors' because of the level of access that they give," Creighton said. "If you have access to the local network that these devices are running on, then you can use standard debugging tools to connect to that service and run commands on it and completely bypass any password or authentication. I'm sure that's important for the manufacturers to do development and testing, but it should not be on in the real world."
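The distinction the researchers tested for, a debug interface reachable only with physical access versus one listening on the LAN, shows up directly in the device's socket table. The following is an added example, not Veracode's method and not any vendor's code: a Python script that parses `netstat` output captured from a shell on the device (for instance over a UART console) and flags debug services bound to a network-reachable address rather than to loopback. The port table and the netstat capture are constructed for the demonstration.

```python
"""Inventory a device's listening sockets and flag debug services reachable from the LAN.

Added example; not Veracode's method or any vendor's code. The port table and the
netstat capture below are constructed for the demo.
"""
from dataclasses import dataclass

# Ports commonly left open by development and debug services on embedded Linux
# (assumption: illustrative, not any vendor's documented list).
DEBUG_PORTS = {23: "telnet", 1234: "gdbserver", 3333: "openocd-gdb",
               4444: "openocd-telnet", 5555: "adb", 5005: "jdwp", 8000: "jdwp"}
# Services this product is expected to expose on the LAN (assumption for the sample).
EXPECTED_PORTS = {1900: "ssdp"}

LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    service: str
    exposure: str  # "network" (reachable from the LAN) or "loopback" (local processes only)
    severity: str  # "high" / "medium" / "info"


def parse_netstat(text: str):
    """Yield (proto, addr, port) for listening sockets in `netstat -tuan` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue  # banner and header rows
        proto = parts[0]
        if proto.startswith("tcp") and (len(parts) < 6 or parts[5] != "LISTEN"):
            continue  # established or closing TCP sockets are not servers
        # netstat prints IPv6 wildcards as ':::23', so split on the LAST colon.
        addr, _, port = parts[3].rpartition(":")
        yield proto, addr, int(port)


def classify(proto: str, addr: str, port: int) -> Listener:
    # Anything not bound to loopback is reachable from whatever network the
    # interface sits on; a wildcard bind (0.0.0.0 / ::) covers every interface.
    exposure = "loopback" if addr in LOOPBACK_ADDRS else "network"
    service = DEBUG_PORTS.get(port) or EXPECTED_PORTS.get(port) or "unknown"
    if exposure == "network" and port in DEBUG_PORTS:
        severity = "high"    # a debug service one hop away from any LAN host
    elif exposure == "network" and port not in EXPECTED_PORTS:
        severity = "medium"  # undocumented listener: find out what it is
    else:
        severity = "info"
    return Listener(proto, addr, port, service, exposure, severity)


def audit_listeners(text: str) -> list[Listener]:
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted((classify(*row) for row in parse_netstat(text)),
                  key=lambda l: (order[l.severity], l.port))


# Constructed capture, as if taken from a shell on the device (not from a real product).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5555          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:39500           0.0.0.0:*               LISTEN
tcp        0      0 :::1234                 :::*                    LISTEN
tcp        0      0 192.168.1.20:41234      203.0.113.10:443        ESTABLISHED
udp        0      0 0.0.0.0:1900            0.0.0.0:*
"""

if __name__ == "__main__":
    for l in audit_listeners(SAMPLE_NETSTAT):
        print(f"{l.severity:6} {l.proto} {l.addr}:{l.port} {l.service} ({l.exposure})")
```

In the sample, telnet on 0.0.0.0:23 and gdbserver on :::1234 are the "unintentional back doors" Creighton describes; adb on 127.0.0.1:5555 is only reachable by code already running on the device, which is the posture the MyQ Gateway was credited with. The socket table cannot tell you whether a service authenticates, so an exposed listener still needs a manual check with the matching client, and a clean table says nothing about services on other interfaces such as Bluetooth or a second radio.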

No need to panic

Despite the findings, Creighton cautions that these vulnerabilities aren't catastrophic. "All of these are the same type of flaws we find in analyzing applications every day," he said. "There's nothing in here that's Heartbleed-esque, that's going to blow up everybody's devices tomorrow. If we'd found something that was exploitable on a mass scale, we'd have made sure it had gotten fixed before mentioning it at all. But that doesn't mean there aren't risks here."

And the companies involved have proven relatively receptive to learning about their products' vulnerabilities. "We've reached out to these companies and let them know the details of these flaws we found, and we're working with them to get them fixed if they're interested," Creighton said. "The fact is, flaws happen to everybody, and the companies that tend to do the best in modern times are the ones that can rapidly respond."

Stories by Jake Widman