Researchers show that IoT devices are not designed with security in mind

07.04.2015
In the latest blow to Internet of Things (IoT) security, an analysis of smart home devices has found flaws that could give attackers access to sensitive data or allow them to control door locks and sensors.

The research was performed by a team from application security firm Veracode on six up-to-date devices acquired in December, and it found serious issues in five of them. The tested devices were the Chamberlain MyQ Garage, the Chamberlain MyQ Internet Gateway, the SmartThings Hub, the Ubi from Unified Computer Intelligence Corporation, the Wink Hub and the Wink Relay.

All of these devices enable remote control and monitoring over the Internet of various home automation devices and sensors, including door locks, interior switches and power outlets. Most of them connect to cloud-based services and users can interact with them through Web portals or smartphone applications.

The Veracode team didn't look for vulnerabilities in the firmware of the tested devices, but instead analyzed the implementation and security of the communication protocols they use.

The researchers looked at the front-end connections, those between users and the cloud services, as well as the back-end ones -- those between the devices themselves and the cloud services.

For front-end connections, they found that with the exception of SmartThings Hub, none of the devices enforced strong passwords. In addition, the Ubi did not enforce encryption for user connections, exposing them to possible man-in-the-middle (MitM) attacks.

For back-end connections the situation was even worse. The Ubi and MyQ Garage did not employ encryption, did not offer adequate protection against man-in-the-middle attacks and did not protect against replay attacks, which enable man-in-the-middle (MitM) attackers to capture traffic and then play it back, potentially triggering unauthorized actions. In addition, the Ubi did not properly secure sensitive data.
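
The missing replay protection described above, shown from the defender's side as an added example (not code from the Veracode report or from any of the tested vendors): a device-side verifier that accepts a command only if it carries a valid HMAC tag, a recent timestamp and a nonce it has not seen before. The message format, the shared key and the 30-second freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW_SECONDS = 30  # assumed freshness window, not taken from the report


def _mac(key, body):
    # Canonical JSON so signer and verifier authenticate identical bytes.
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_command(key, action, now=None):
    """Cloud side: build a command with a fresh nonce, a timestamp and a tag."""
    ts = int(time.time() if now is None else now)
    body = {"action": action, "nonce": os.urandom(16).hex(), "ts": ts}
    return dict(body, tag=_mac(key, body))


class CommandVerifier:
    """Device side: accept a command only if authentic, fresh and unseen."""

    def __init__(self, key):
        self._key = key
        self._seen = {}  # nonce -> timestamp of commands already accepted

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        try:
            body = {k: msg[k] for k in ("action", "nonce", "ts")}
            tag, ts = str(msg["tag"]), int(body["ts"])
        except (KeyError, TypeError, ValueError):
            return "malformed"
        if not isinstance(body["nonce"], str):
            return "malformed"
        expected = _mac(self._key, body)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-tag"  # forged or modified in transit
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return "stale"  # captured earlier and played back late
        # Forget nonces that are already outside the window: they fail as stale.
        self._seen = {n: t for n, t in self._seen.items()
                      if now - t <= MAX_SKEW_SECONDS}
        if body["nonce"] in self._seen:
            return "replay"  # identical message played back inside the window
        self._seen[body["nonce"]] = ts
        return "ok"
```

Authenticating and de-duplicating messages this way keeps a captured command from being accepted twice, but it does not hide the traffic; confidentiality still requires encryption such as TLS with certificate validation.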

MitM protection was lacking across all devices with the exception of the SmartThings Hub, either because TLS (Transport Layer Security) encryption was not used at all or because it was implemented without proper certificate validation.

This suggests that those who designed these IoT devices assumed that the local area networks they'll be installed on were secure. That's an error, because research over the past several years has shown that if there's anything worse than the security of IoT devices, it's the security of consumer routers. Security researchers find serious vulnerabilities in routers on a routine basis, most of which enable hackers to perform man-in-the-middle attacks, and those flaws have resulted in millions of routers being compromised in large-scale attacks over the past few years.

The misguided trust of IoT manufacturers in the security of home networks is also reflected by the debugging interfaces and other services their devices expose to such networks.

The Veracode researchers found that the Wink Hub runs an unauthenticated HTTP service on port 80 that is used to configure the wireless network settings, the Wink Relay runs a network-accessible ADB (Android Debug Bridge) service, the Ubi runs both an ADB and a VNC (remote desktop) service with no password, the SmartThings Hub runs a password-protected telnet server and the MyQ Garage runs an HTTPS service that exposes basic connectivity information.

In the case of the Wink Relay and the Ubi, the exposed ADB interface can provide attackers with root access and can allow them to execute arbitrary code and commands on the devices.

While they didn't directly analyze the security of the vendors' cloud services, the Veracode researchers considered several scenarios, like what would happen if attackers compromised user accounts, intercepted connections somewhere close to the service -- for example by compromising an upstream provider -- or fully breached the cloud service. They concluded that the impact of such breaches could range from attackers gaining access to sensitive data to taking control of a device and executing commands.

The reliance of these devices on cloud services is not always clearly explained to users and it should be, because not everyone realizes that when they talk to their device through a mobile app, they don't do so directly and the traffic actually passes through a service run by someone else, said Brandon Creighton, a member of the Veracode research team.

This also means that manufacturers should have security processes in place not only for the hardware devices themselves, but also for their Web services, Creighton said. "These services can be vulnerable as any other application running on the Internet -- Web service or network service -- so it's important to get those tested and reviewed as well."

Based on the results of their analysis, the Veracode team concluded that the designers of the tested devices "weren't focused enough on security and privacy, as a priority, putting consumers at risk for an attack or physical intrusion."

For example, information gathered from an Ubi device could enable criminals to know when a user is home or not based on ambient noise or light, the team said in their report. Furthermore, by exploiting vulnerabilities in the Ubi or Wink Relay devices, attackers could turn on their microphones and listen to conversations. "Using vulnerabilities found in the Chamberlain MyQ system, thieves could be notified when the garage door is opened / closed, indicating a window of opportunity to burgle the house, and then remotely open the door."

Creighton stopped short of saying that the issues they found on some of the tested devices were a universal problem in the IoT world, but he doesn't think they were anomalies either.

"I think these are common problems that would probably be shared across a lot of different embedded devices," he said.

The good news is that unlike routers for example, many of these IoT devices come with automatic update capabilities, so whenever an issue is found, the vendors can more easily distribute a fix. Veracode has already contacted the affected vendors and at least one of them, Wink, has already issued patches.

Lucian Constantin