IoT devices leave consumers potentially exposed

Security is not a word that frequently gets associated with IoT devices, leaving consumers potentially exposed. Symantec found in its research that many IoT devices and services had several basic security issues.

Recently American technology company Symantec analysed 50 smart home devices and found that many of them included several basic security issues, such as weak authentication and common web vulnerabilities.

According to Symantec, the Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance imaginable. Research firm Gartner also predicted that there would be 2.9 billion connected IoT devices in consumer smart home environments in 2015, which bring not only huge opportunities but also many challenges, including the security of the connected devices.

The security giant is of the view that despite the public’s increased acceptance of the smart home, recent studies seem to agree that “security” is not a word that frequently gets associated with IoT devices, leaving consumers potentially exposed.

Symantec analysed 50 smart home devices and took a look at how they measure up when it comes to security. The company analysed IoT devices such as smart thermostats, smart locks, smart light bulbs, smart smoke detectors, smart energy management devices and smart hubs.

The company also said that the findings could apply to other IoT devices and smart home products, such as security alarms, surveillance IP cameras, entertainment systems (smart TV, TV set-top boxes, etc.), broadband routers and network attached storage (NAS) devices.

Smart home devices may use a back-end cloud service to monitor usage or allow users to remotely control these systems. Users can access this data or control their device through a mobile application or web portal.

The research found that many of these devices and services had several basic security issues.

Weak authentication
None of the devices used mutual authentication or enforced strong passwords. Even worse, some hindered the user from setting up a strong password on the cloud interface by restricting the authentication to a simple four-number PIN code. Combined with no support for two-factor authentication (2FA) and no mitigation against password brute-force attacks, this leaves the devices an easy target for attackers.
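To show what the missing brute-force mitigation is worth for a four-number PIN, the following added example (not from the Symantec report or any vendor's code) models a per-account lockout with exponential backoff and compares how long it takes to cover the whole PIN space with and without it. The policy values (5 free attempts, 60-second first lock, 24-hour cap, one second per attempt) and all names are assumptions chosen for illustration.

```python
PIN_SPACE = 10 ** 4  # every possible four-digit PIN, as in the article

class PinThrottle:
    """Per-account lockout with exponential backoff (hypothetical policy values)."""

    def __init__(self, free_attempts=5, base_lock=60, max_lock=86400):
        self.free_attempts = free_attempts  # failures allowed before any lock
        self.base_lock = base_lock          # first lock, in seconds
        self.max_lock = max_lock            # cap on a single lock, in seconds
        self.failures = {}                  # account -> consecutive failures
        self.locked_until = {}              # account -> time the lock expires

    def check(self, account, pin_ok, now):
        """Handle one login attempt at time `now`; return 'ok', 'denied' or 'locked'."""
        if now < self.locked_until.get(account, 0):
            return "locked"                 # rejected without evaluating the PIN
        if pin_ok:
            self.failures.pop(account, None)
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.free_attempts:
            # the lock doubles with each further failure, up to max_lock
            doublings = min(n - self.free_attempts, 32)
            lock = min(self.base_lock * 2 ** doublings, self.max_lock)
            self.locked_until[account] = now + lock
        return "denied"

def seconds_to_cover_pin_space(throttle, account="acct", per_attempt=1):
    """Time for PIN_SPACE failed attempts when each is made as soon as the lock allows."""
    now = 0
    for _ in range(PIN_SPACE):
        now = max(now, throttle.locked_until.get(account, 0))
        throttle.check(account, False, now)
        now += per_attempt                  # assumed cost of one attempt
    return now

def compare():
    """Return (seconds without mitigation, seconds with the lockout policy)."""
    no_mitigation = PinThrottle(free_attempts=PIN_SPACE + 1)  # never locks
    return (seconds_to_cover_pin_space(no_mitigation),
            seconds_to_cover_pin_space(PinThrottle()))

if __name__ == "__main__":
    plain, throttled = compare()
    print(f"no mitigation: {plain / 3600:.1f} hours; "
          f"with lockout: {throttled / 31536000:.1f} years")
```

A lockout keyed only on the account also lets anyone who knows the account name keep its owner locked out, which is one reason to pair it with the two-factor authentication the report found missing.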

Web vulnerabilities
In addition to weak authentication, many smart home web interfaces suffer from well-known web application vulnerabilities. A quick test with 15 IoT cloud interfaces revealed some severe vulnerabilities, and this check only scratched the surface. Symantec found and reported ten vulnerabilities related to path traversal, unrestricted file uploading (remote code execution), remote file inclusion (RFI), and SQL injection. And it is not only about smart light bulbs; one of the affected devices was a smart door lock, which was opened remotely over the internet without even knowing the password.

Local attacks
Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. Symantec looked at devices that locally transmit passwords in clear text or don’t use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices. This security faux pas allows an attacker to sniff the home network for IoT device passwords. These stolen credentials can then be used to execute other commands and even take over the device completely by updating it with a malicious firmware update.

Potential for attacks
As yet, the company says, it hasn’t seen any widespread malware attacks targeting smart home devices, apart from computer-related devices such as routers and network-attached storage appliances. Currently, most proposed IoT attacks are proof-of-concepts and have yet to generate any profit for attackers. This doesn’t mean that attackers won’t target IoT devices in the future when the technology becomes more mainstream, the research points out.

From the past, it is known that attackers are nothing if not creative and will always conjure up new attack methods. Even if it’s just to misuse the technology, blackmail the user, or have a persistent anchor in a home network, cyber-criminals are always ready and eager to attack any target they can.

The company suggests that before getting carried away with new smart home automation projects, one should take a moment to think about how these conveniences may be exposing oneself and one’s home to cyber attacks. Consumers should demand better security from the manufacturers of smart home and IoT devices; only then will things start to improve.

Mitigation
According to the report, it’s difficult for a user to secure their IoT devices themselves, as most devices don’t provide a secure mode of operation. Nonetheless, users should adhere to the following advice to ensure that they reduce the risk of a potential attack:

• Use strong and unique passwords for device accounts and Wi-Fi networks
• Change default passwords
• Use a stronger encryption method when setting up Wi-Fi networks, such as WPA2
• Disable or protect remote access to IoT devices when not needed
• Use wired connections instead of wireless where possible
• Use devices on a separate home network when possible
• Be careful when buying used IoT devices, as they may have been tampered with
• Research the vendor’s device security measures
• Modify the privacy and security settings of the device to your needs
• Disable features that aren’t needed
• Install updates when they become available
• Ensure that an outage, for example due to jamming or a network failure, does not result in an unsecure state of the installation
• Verify if the smart features are really required or if a normal device would be sufficient

Vendors should consider the following five fundamental tenets when developing new devices:

• Strong trust model for IoT, e.g. device authentication through SSL
• Protecting the code that drives IoT, e.g. digital code signing
• Effective host-based protection for IoT, e.g. endpoint protection and system hardening
• Safe and effective management for IoT, e.g. configuration and over-the-air updates
• Security analytics to address new and advanced threats, e.g. anomaly detection
