According to a report released this morning by security provider Veracode, many of the Internet of Things devices that consumers are buying for their increasingly connected homes are vulnerable to hacker exploits. While Veracode looked at different devices and vulnerabilities, its overall findings mirror those by Synack, which we reported on last month.
According to the Veracode report, for example, a vulnerability in the Ubi voice-controlled Internet appliance could enable criminals to monitor the ambient noise or light in a room to determine whether someone is home or away. Similarly, a weakness in the Chamberlain MyQ Garage garage door opener could alert thieves to a door's opening and closing, again giving a clue to good times to break in.
"The Internet of Things is getting more and more popular," said Veracode security research architect Brandon Creighton, "and it's grown into a phenomenon that doesn't just exist in the realms of technical people who are buying little components and plugging them together. It's now a consumer-level thing, and you can buy most of these devices at a Target or a Home Depot. Even though they're packaged as hardware devices, in reality they're just like any other technological system in that they're primarily comprised of software." And software can be hacked if it's not properly protected.
In designing the study, Creighton said, "we wanted to choose devices that had an impact in the real world, or at least the potential for it." To that end, his team looked at always-on systems that are marketed to end users who don't possess any particular technical expertise. In addition to the Chamberlain MyQ Garage and the Ubi, the firm tested the Chamberlain MyQ Internet Gateway, the SmartThings Hub, the Wink Hub, and the Wink Relay.
Researchers conducted 10 tests, classifying the results into four categories: user-facing cloud services, back-end cloud services, mobile application interfaces, and device-debugging interfaces. They found vulnerabilities across most categories in all but one of the devices.
"The SmartThings hub did pretty well on the tests we applied," Creighton said. "We didn't do an in-depth security review on every aspect of the device — we didn't go into the firmware. We're not saying they're secure, we're saying that for these tests, they did pretty well."
Veracode installed and configured the devices according to their included documentation, and then monitored and captured all the communication between the devices and their surroundings. "When you're thinking about IoT devices as a consumer, it's important to think about the fact that these are not just isolated things sitting in your house," Creighton said, "there are any number of services they may be communicating with."