In the latest blow to Internet of Things (IoT) security, an analysis of smart home devices has found flaws that could give attackers access to sensitive data or allow them to control door locks and sensors.
The research was performed by a team from application security firm Veracode for six up-to-date devices acquired in December and found serious issues in five of them. The tested devices were the Chamberlain MyQ Garage, the Chamberlain MyQ Internet Gateway, the SmartThings Hub, the Ubi from Unified Computer Intelligence Corporation, the Wink Hub and the Wink Relay.
All of these devices enable remote control and monitoring over the Internet of various home automation devices and sensors, including door locks, interior switches and power outlets. Most of them connect to cloud-based services and users can interact with them through Web portals or smartphone applications.
The Veracode team didn't look for vulnerabilities in the firmware of the tested devices, but instead analyzed the implementation and security of the communication protocols they use.
The researchers looked at the front-end connections, those between users and the cloud services, as well the back-end ones -- those between the devices themselves and the cloud services.
For front-end connections, they found that with the exception of SmartThings Hub, none of the devices enforced strong passwords. In addition, the Ubi did not enforce encryption for user connections, exposing them to possible man-in-the-middle (MitM) attacks.
For back-end connections the situation was even worse. The Ubi and MyQ Garage did not employ encryption, did not offer adequate protection against man-in-the-middle attacks and did not protect against replay attacks, which enable man-in-the-middle (MitM) attackers to capture traffic and then play it back, potentially triggering unauthorized actions. In addition, the Ubi did not properly secure sensitive data.
MitM protection was lacking across all devices with the exception of the SmartThings Hub, either because TLS (Transport Layer Security) encryption was not used at all or because it was implemented without proper certificate validation.
This suggests that those who designed these IoT devices assumed that the local area networks they'll be installed on were secure. That's an error, because research over the past several years have showed that if there's anything worse than the security of IoT devices, it's the security of consumer routers. Security researchers find serious vulnerabilities in routers on a routine basis, most of which enable hackers to perform man-in-the-middle attacks, and those flaws have resulted in millions of routers being compromised in large-scale attacks over the past few years.
The misguided trust of IoT manufacturers in the security of home networks is also reflected by the debugging interfaces and other services their devices expose to such networks.
Sign up for CIO Asia eNewsletters.