As more households take advantage of the benefits that non-traditional Internet-connected devices can provide in convenience, cost savings, and entertainment, the additional risks should also be considered when plugging into the Internet of Things (IoT). A new study out today by researchers with Veracode offers insight into such risks by taking a look at six popular IoT consumer devices and showing how vulnerabilities in these devices could potentially leave users open to burglary, eavesdropping, and stalking.
“It’s hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn’t mean cybersecurity should be sacrificed in the process,” said Brandon Creighton, Veracode security research architect. “We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception. Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm.”
All the devices picked by Veracode for examination share three characteristics: they are marketed to end users who need no special technical expertise to use them; they are always on and permanently connected to the Internet; and they interact significantly with the physical environment, either through built-in sensors or by communicating with important household devices. Each device was subjected to a uniform battery of tests covering authentication, encryption, and protocol security. Among the issues found were open debugging interfaces that could allow remote arbitrary code execution, protocol weaknesses that would let attackers access sensitive data from the device, and a lack of strong-password enforcement. In particular, the following three devices open the door to some scary attack scenarios.
This Internet-based remote control for garage doors (the MyQ) does not enforce strong passwords, has an unprotected debugging environment, doesn't secure sensitive data sent between the device and its mobile applications, and is potentially open to man-in-the-middle (MiTM) attacks. According to the researchers, attackers might steal data about when the door is opened and closed -- in order to plan the best time for a break-in -- or even gain the capability to remotely open the door once the owner is gone.
Ubi -- an always-on device designed to answer questions, connect to home automation devices, and perform tasks like sending texts or playing music on other devices -- doesn't protect against MiTM, has weaknesses in encryption at rest and in transit, and is vulnerable to replay attacks. Veracode says that a compromise of an Ubi account would let attackers steal the user's contact list or spy on their Google calendar for stalking or corporate espionage. As with the MyQ, a compromise would give an attacker historical information about the home's temperature, humidity, air pressure, ambient light, and sound levels that could be used to build a profile for future break-ins.
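The replay weakness noted above is worth making concrete from the defender's side: a command channel between a mobile app and a home device is replayable whenever a captured message stays valid forever. The following is an added illustration, not code from Veracode, Ubi, or any vendor on this page. It assumes a hypothetical shared key between app and device and a simple JSON command message; the device side accepts each authenticated command at most once and only within a short freshness window.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Tuple


def _mac(key: bytes, command: str, ts: float, nonce: str) -> str:
    # Canonical JSON so app and device MAC exactly the same bytes.
    payload = json.dumps(
        {"command": command, "ts": ts, "nonce": nonce}, sort_keys=True
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_command(key: bytes, command: str, now: Optional[float] = None) -> dict:
    """App side (hypothetical protocol): sign a command with a fresh nonce and timestamp."""
    ts = time.time() if now is None else now
    nonce = os.urandom(16).hex()  # 128-bit random nonce, never reused by an honest client
    return {"command": command, "ts": ts, "nonce": nonce,
            "mac": _mac(key, command, ts, nonce)}


class ReplayGuard:
    """Device side: accept each signed command at most once, within a time window."""

    def __init__(self, key: bytes, window_seconds: float = 30.0):
        self.key = key
        self.window = window_seconds
        self.seen: Dict[str, float] = {}  # nonce -> timestamp it was accepted with

    def accept(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            command = msg["command"]
            ts = float(msg["ts"])
            nonce = msg["nonce"]
            mac = msg["mac"]
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        # 1. Integrity first: an unauthenticated message is discarded before anything else.
        if not hmac.compare_digest(_mac(self.key, command, ts, nonce), mac):
            return False, "bad mac"
        # 2. Freshness: outside the window the nonce may already have been pruned,
        #    so a stale message is rejected regardless of its nonce.
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        # 3. Uniqueness: the same nonce is never honoured twice.
        self._prune(now)
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, "ok"

    def _prune(self, now: float) -> None:
        # Only nonces inside the freshness window need to be remembered.
        cutoff = now - self.window
        for old in [n for n, t in self.seen.items() if t < cutoff]:
            del self.seen[old]


if __name__ == "__main__":
    key = b"constructed-demo-shared-key"  # constructed sample value
    device = ReplayGuard(key)
    msg = build_command(key, "play_music")
    print(device.accept(msg))   # (True, 'ok')
    print(device.accept(msg))   # (False, 'replayed nonce')
```

The order of checks matters: verifying the MAC before consulting the nonce table keeps an unauthenticated sender from filling that table or probing which nonces the device has seen, and the bounded time window keeps the table small enough to live in device memory. Without the nonce and timestamp, a message captured on an unprotected channel could be resent indefinitely.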
A combination hub and control device for home automation sensors and products, Wink Relay has a number of flaws, the most critical of which is the ability for remote arbitrary code execution. This means that an attacker could not only collect information about the user's activity but also control the device remotely. For example, an attacker could turn on the device's microphone to listen in on and record private conversations, gaining material for blackmail or corporate espionage.