In a new report released by enterprise security firm Veracode,
researchers discovered during testing of common, household IoT devices
that security is not up to scratch -- paving the way for exploits, data
theft, robbery and potentially even stalking.
IoT devices have exploded in popularity in recent years, with major tech firms and startups alike pouring funds into developing devices ranging from smart home security systems to sensor-laden fridges and mood lighting. It is estimated that by 2020, 25 billion connected devices -- including IoT products -- will be in use worldwide. While such products appeal to the market and can make daily living more convenient, security remains a hot topic. A quick search online turns up default passwords for many IoT devices -- often left unchanged, or impossible for owners to change -- and very limited protections are often put in place.
According to Veracode, the problem still stands. In a security case study, the firm's team analyzed and monitored always-on IoT devices in order to understand the real-world impact of IoT product security. Six common household IoT devices, detailed below, were examined:
- Chamberlain MyQ Internet Gateway: Internet-based remote control of garage doors.
- Chamberlain MyQ Garage: Internet-based remote control of garage doors, interior switches, and electrical outlets.
- SmartThings Hub: A central control device for home automation sensors, switches and door locks.
- Ubi (Unified Computer Intelligence Corporation): An always-on, voice-controlled device for answering questions, controlling home automation and performing tasks such as sending emails and SMS messages.
- Wink Hub: A central control device for home automation products.
- Wink Relay: A combination hub and control device for home automation sensors and products.
All of these products were scrutinized by the company and the team found that the impact of security vulnerabilities found in these products could be "significant" for users.

Purchased new in late December last year with up-to-date firmware, the devices were tested across four different domains: user-facing cloud services, back-end cloud services, mobile application interfaces, and device debugging interfaces.
To begin with, when testing the devices and their security in the user-facing cloud service arena, the team covered authentication and communication with cloud services that are directly accessible by users, whether through a web browser, custom embedded device or mobile application. Veracode wanted to know whether the service allowed communication to be protected through strong cryptography, whether encryption was a requirement at all, whether strong passwords were enforced and whether server TLS certificates were properly validated. If a product failed in these tests, this could lead to data theft, product hijacking, cracked passwords or man-in-the-middle (MITM) attacks.
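Two of the user-facing checks above, certificate validation and password strength, can be expressed as simple client-side audits. The following is an added illustration, not code from the Veracode report or from any of the tested products: `audit_tls_context` reports the ways a Python `ssl.SSLContext` would fail to validate the server it connects to (the pattern behind the report's MITM findings), and `password_findings` checks a candidate password against a minimum length and a constructed deny-list of common and default passwords standing in for a real breached-password list. The deny-list contents and the 12-character minimum are assumptions for the example.

```python
import ssl
from typing import List

# Constructed deny-list standing in for vendor-default / most-common passwords.
# A real deployment would load a full breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "admin", "admin123", "qwerty",
                    "letmein", "welcome", "12345678", "iloveyou"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that validates the server certificate chain and
    hostname and refuses protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern the report's MITM findings describe: a context that
    still speaks TLS but accepts any certificate for any name."""
    ctx = hardened_client_context()
    ctx.check_hostname = False              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return each way the context would fail to validate a server.
    An empty list means the context passes this check."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions older than 1.2 allowed (minimum_version)")
    return findings


def password_findings(pw: str, min_length: int = 12) -> List[str]:
    """Return policy violations for a candidate password (empty == accepted).
    Length and a deny-list catch the weak defaults the article describes."""
    findings = []
    if len(pw) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("on common/default password list")
    if len(set(pw)) <= 2:
        findings.append("too few distinct characters")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("insecure", insecure_client_context())):
        print(name, "->", audit_tls_context(ctx) or "OK")
    for pw in ("admin", "aaaaaaaaaaaa", "correct-horse-battery-staple"):
        print(repr(pw), "->", password_findings(pw) or "OK")
```

The TLS audit inspects the configuration rather than opening a connection, so it runs offline and can be applied to whatever context a mobile or embedded client builds before that client ever talks to the cloud service.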
The results are below:
The second test performed looked at back-end cloud services. The security team asked whether the devices used strong authentication mechanisms to identify themselves to cloud services, whether encryption was employed, whether safeguards were in place to prevent MITM attacks and whether sensitive data was protected. If a device failed in these tests, this could lead to impersonation by attackers, MITM attacks, and passive network monitoring to observe devices and steal data such as user credentials.
The third test, concerning mobile applications and the IoT devices that communicate directly with them, explored whether sensitive data was protected and encrypted, and whether certificate validation was employed. Without the correct protection, data can be stolen and MITM attacks performed.
In the final test, Veracode explored device debugging interfaces and
services which run on the IoT device but are not intended to be used by
end users -- varying from debugging ports to service code. The team
chose to report only on interfaces that are accessible over a network,
whether this be LAN-based or through the Web. The security team explored
whether "hidden" service access was restricted to users with physical
access to the device, if open interfaces are protected against
unauthorized access, and whether open interfaces are designed to prevent
an attacker who gains access from running arbitrary code on the device.
If a device performed badly in these tests, that could lead to
unauthorized access, hijacking, sensitive information leaks and remote
code execution.
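The debugging-interface test boils down to an inventory question: which services on the device accept connections from the network, and which of those are documented for end users? The following added example (not code from the report or from any tested product) parses a constructed listing in the shape of `ss -tlnp` / `netstat -tlnp` output from a hypothetical device and flags every listener that is reachable from other hosts and is not on the vendor's documented-service list. The sample listeners, process names and the documented-port set are all assumptions made for the example.

```python
import ipaddress
from typing import List, NamedTuple


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


# Constructed sample listing for a hypothetical device; the columns are
# protocol, bind address:port, and owning process.
SAMPLE_LISTENERS = """\
tcp   0.0.0.0:23      telnetd
tcp   127.0.0.1:8888  dbg_shell
tcp   0.0.0.0:443     https_mgmt
tcp   :::5555         debug_agent
udp   0.0.0.0:1900    ssdp
"""

# Ports the (hypothetical) vendor documents as intended for end users.
DOCUMENTED_PORTS = {443}


def parse_listeners(text: str) -> List[Listener]:
    """Parse the three-column listing into Listener records, skipping
    malformed lines. rpartition handles IPv6 binds such as ':::5555'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        proto, endpoint, process = parts
        addr, _, port = endpoint.rpartition(":")
        rows.append(Listener(proto, addr, int(port), process))
    return rows


def is_network_reachable(addr: str) -> bool:
    """True when the bind address accepts connections from other hosts:
    anything other than loopback, including the unspecified 0.0.0.0 / ::."""
    return not ipaddress.ip_address(addr).is_loopback


def undocumented_network_services(text: str) -> List[Listener]:
    """Listeners reachable over the network that are not documented for users:
    exactly the 'hidden' interfaces the debugging-interface test looks for."""
    return [l for l in parse_listeners(text)
            if is_network_reachable(l.addr) and l.port not in DOCUMENTED_PORTS]


if __name__ == "__main__":
    for l in undocumented_network_services(SAMPLE_LISTENERS):
        print(f"{l.proto} {l.addr}:{l.port} ({l.process}) reachable from network, undocumented")
```

On the constructed sample the loopback-only debug shell is not reported, since it requires local access, while the telnet daemon, the IPv6 debug agent and the SSDP responder are flagged because they are bound to all interfaces. Deciding whether each flagged service is authenticated and free of command-injection paths is the follow-up review the report describes; this check only produces the list to review.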
The range of security issues discovered in these devices is
concerning, especially as IoT devices become more widely adopted in
today's homes. As the security team puts it:
"Leveraging information from Ubi could enable cybercriminals to know exactly when to expect a user to be home based on when there is an increase in ambient noise or light in the room, which could facilitate a robbery, or even stalking in the case of a celebrity or an angry ex.

Taking advantage of security vulnerabilities within a Wink Relay or Ubi device, cybercriminals could turn the microphones on and listen to any conversations within earshot of the device, supporting blackmail efforts or capturing business intelligence from a user's employer in the case of a home office. Applying vulnerabilities found in the Chamberlain MyQ system, thieves could be notified when a garage door is opened or closed, indicating a window of opportunity to rob the house."
Brandon Creighton, Veracode Security Research Architect, commented:

"It's hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn't mean cybersecurity should be sacrificed in the process. We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception. Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm."

Written by Charlie Osborne
Source: zdnet.com