Apr 16, 2015

IoT security - Veracode study demonstrates the lack of security posture

By Pierluigi Paganini

Internet of Things devices are everywhere and their spread continues to accelerate, but we must carefully consider the security aspects of the IoT.

The Internet of Things is the paradigm that, more than any other, is changing our approach to technology and enlarging our attack surface. Recent research conducted by the security firm Veracode revealed that household IoT devices expose users to a wide range of threats, including data theft and sabotage.

According to the findings of the Veracode study, titled "The Internet of Things: Security Research Study", the principal security problem is the lack of a proper security posture.

The researchers tested a number of always-on consumer IoT devices to evaluate the level of security they implement and the risks they pose to users in terms of privacy and security.

The experts focused their analysis on the security offered by devices that have a significant capability to interact with the physical environment around them (e.g., hardware sensors) or peer devices.

The results are worrying: the design of the devices puts consumers at risk of a cyber attack or a physical intrusion. All but one device were affected by serious vulnerabilities across the categories analyzed.

The researchers analyzed six household IoT devices running up-to-date firmware and performed a uniform set of tests on each. The tests focused on four domains: user-facing cloud services, back-end cloud services, the mobile application interface, and device debugging interfaces.

The six household IoT devices analyzed by the Veracode experts are:

  • Chamberlain MyQ Internet Gateway: Internet-based remote control of garage doors.
  • Chamberlain MyQ Garage: Internet-based remote control of garage doors, interior switches, and electrical outlets.
  • SmartThings Hub: A central control device for home automation sensors, switches and door locks.
  • Ubi (Unified Computer Intelligence Corporation): An always-on, voice-controlled device for answering questions, controlling home automation and performing tasks such as sending emails and SMS messages.
  • Wink Hub: A central control device for home automation products.
  • Wink Relay: A combination hub and control device for home automation sensors and products.

The researchers evaluated the ways users and other devices can interact with IoT components. The study focused on several aspects, including the authentication mechanisms used to access the devices, the use of encryption to protect communications, and the default settings shipped by the vendors.

Failures in the design of fundamental IoT security principles could expose IoT users to sabotage, data theft, product hijacking and hacking attacks (e.g. man-in-the-middle (MITM) attacks and network takeover).

The researchers discovered many IoT security issues, including open debugging interfaces that could allow remote attackers to run arbitrary code on the unit, and protocol weaknesses that could be exploited to access sensitive data or gain control of the devices.

Unfortunately, none of the vendors of the devices analyzed followed IoT security best practices, failing, for example, to protect users' accounts against weak passwords and common password-guessing techniques.

"If the device fails to encrypt communications with its control services, an attacker with the ability to passively monitor the traffic would gain access to all sensitive data sent by the device as well as any authentication credentials or session tokens," states the report.

"Without adequate protection against man-in-the-middle attacks, an attacker with the ability to intercept and forward traffic between the device and its service could receive and modify traffic sent in both directions."

By exploiting the vulnerabilities the experts found in the Chamberlain MyQ systems, thieves could control the garage door to gain access to the home, or more simply learn whether people are present in the house. This information exposes users to the risk of robbery.

Leveraging the data managed by Ubi could enable attackers to collect a huge quantity of information on the user's habits, which could aid a robbery or even stalking.

The exploitation of vulnerabilities affecting the Ubi device or the Wink Relay could result in a serious violation of user privacy: cyber criminals could turn the microphones on and record conversations in the surrounding environment.

The Wink Relay device runs on the Android mobile OS; the experts took advantage of the Android Debug Bridge (ADB), a tool developers use for software debugging, to control the microphone built into the unit.

The least insecure device was the SmartThings Hub: although the researchers found a Telnet server running on it, they were not able to compromise the unit.

"We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception. Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm," explained Brandon Creighton, Veracode Security Research Architect.

Veracode reported the flaws to the vendors, which promptly provided fixes for the IoT security issues.

With nearly 4.9 billion connected devices in use today and an estimated 25 billion by 2020, it is time to consider IoT security by design seriously.

Enjoy the Veracode "The Internet of Things: Security Research Study".

Pierluigi Paganini is Chief Information Security Officer at Bit4Id, Editor-in-Chief at "Cyber Defense Magazine," a member of the DarkReading Editorial team, and a regular contributor for major publications in the cyber security field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, and The Hacker News Magazine.