The Veracode researchers found that the Wink Hub runs an unauthenticated HTTP service on port 80 that is used to configure the wireless network settings; the Wink Relay runs a network-accessible ADB (Android Debug Bridge) service; the Ubi runs both an ADB service and a VNC (remote desktop) service with no password; the SmartThings Hub runs a password-protected telnet server; and the MyQ Garage runs an HTTPS service that exposes basic connectivity information.
In the case of the Wink Relay and the Ubi, the exposed ADB interface can provide attackers with root access and can allow them to execute arbitrary code and commands on the devices.
While they didn't directly analyze the security of the vendors' cloud services, the Veracode researchers considered several scenarios, such as what would happen if attackers compromised user accounts, intercepted connections somewhere close to the service -- for example by compromising an upstream provider -- or fully breached the cloud service. They concluded that the impact of such breaches could range from attackers gaining access to sensitive data to taking control of a device and executing commands.
The reliance of these devices on cloud services is not always clearly explained to users, and it should be, because not everyone realizes that when they talk to their device through a mobile app, they don't do so directly: the traffic actually passes through a service run by someone else, said Brandon Creighton, a member of the Veracode research team.
This also means that manufacturers should have security processes in place not only for the hardware devices themselves, but also for their Web services, Creighton said. "These services can be as vulnerable as any other application running on the Internet -- Web service or network service -- so it's important to get those tested and reviewed as well."
Based on the results of their analysis, the Veracode team concluded that the designers of the tested devices "weren't focused enough on security and privacy, as a priority, putting consumers at risk for an attack or physical intrusion."
For example, information gathered from an Ubi device could enable criminals to know when a user is home or not based on ambient noise or light, the team said in their report. Furthermore, by exploiting vulnerabilities in the Ubi or Wink Relay devices, attackers could turn on their microphones and listen to conversations. "Using vulnerabilities found in the Chamberlain MyQ system, thieves could be notified when the garage door is opened / closed, indicating a window of opportunity to burgle the house, and then remotely open the door."
Creighton stopped short of saying that the issues they found on some of the tested devices were a universal problem in the IoT world, but he doesn't think they were anomalies either.