After testing the security of six Internet of Things (IoT) devices commonly used in homes, Veracode security researchers found that product manufacturers don't put enough focus on security and privacy as a design priority; this puts users "at risk for an attack or physical intrusion." They found vulnerabilities in the devices that could potentially act as a "pathway for robbery, theft of sensitive data or even stalking."
Veracode tested the Chamberlain MyQ Internet Gateway, the Chamberlain MyQ Garage, the SmartThings Hub, the Ubi, the Wink Hub and the Wink Relay. The devices were all purchased in December 2014 with firmware that was up to date as of January 2015. The company sorted the flaws into four categories: user-facing cloud services, back-end cloud services, mobile application interface, and device debugging interfaces. The researchers said, "all but one device exhibited vulnerabilities across most categories."
Veracode released a study explaining security vulnerabilities in the devices as well as hypothetical breach scenarios involving user account compromise, network breach, and full service breach.
They found, for example, "Taking advantage of security vulnerabilities within a Wink Relay or Ubi device, cybercriminals could turn the microphones on and listen to any conversations within earshot of the device, supporting blackmail efforts or capturing business intelligence from a user's employer in the case of a home office."
Among the issues found were: open debugging interfaces that could allow remote attackers to run arbitrary code, such as spyware, on the device itself; serious protocol weaknesses that allow passive observers to access sensitive data or take control of the device; and a lack of adherence to best practices for protecting users' accounts against weak passwords and common password-guessing techniques. The results showed that all but one device exhibited cybersecurity vulnerabilities across a majority of the categories tested.
The IoT device Ubi is always-on and voice-controlled via the wake-up phrase "Ok Ubi;" it can send emails, text messages, answer questions, perform tasks and control home automation devices. Veracode added, "In addition to a microphone, the Ubi also has onboard sensors to determine the ambient air pressure, temperature, light level and humidity. This data, along with the current ambient sound level, is sent to the Ubi service periodically."
Regarding a potential network breach, all traffic between the Ubi and its back-end services is "entirely unencrypted HTTP." The study also found that "the Ubi runs an ADB (Android Debug Bridge) service and a VNC service (providing access to the Android UI) with no password. Accessing shell via ADB provides root access to the device."
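The two classes of finding above, plaintext traffic to the cloud back-end and passwordless debug services reachable on the LAN, are exactly what a home-network owner can check for. The following is an added example of such an audit, not code from the article or from Veracode: it classifies a small set of constructed connection records (the device names, hostnames and addresses are invented; ADB on 5555 and VNC on 5900 are the standard default ports) and reports, per device, which records match either weakness class.

```python
"""Audit constructed IoT connection records for the two weakness classes the
Veracode study describes: plaintext traffic from a device to its cloud back-end,
and debug services (ADB, VNC) exposed by the device on the local network.

Added example. The records in SAMPLE are constructed for illustration and were
not captured from any of the tested devices."""
from dataclasses import dataclass

# Standard default ports. Port numbers alone are only a heuristic; the `tls`
# flag on each record is what decides whether outbound traffic is plaintext.
PLAINTEXT_PORTS = {80: "http", 23: "telnet", 21: "ftp"}
DEBUG_PORTS = {5555: "adb", 5900: "vnc"}


@dataclass(frozen=True)
class Conn:
    device: str     # local IoT device name (hypothetical)
    direction: str  # "out": device -> internet; "in": LAN host -> device
    peer: str       # remote host for "out", LAN client for "in"
    port: int       # TCP port on the remote side ("out") or the device ("in")
    tls: bool       # whether the connection negotiated TLS


# Constructed records: one device behaving like the Ubi findings (plaintext
# HTTP to the cloud, ADB and VNC reachable from a LAN host) and one hub that
# only talks HTTPS.
SAMPLE = [
    Conn("ubi-lab", "out", "api.example.invalid", 80, False),
    Conn("ubi-lab", "in", "192.0.2.10", 5555, False),
    Conn("ubi-lab", "in", "192.0.2.10", 5900, False),
    Conn("hub-lab", "out", "cloud.example.invalid", 443, True),
]


def classify(conn):
    """Return a finding label for one record, or None if nothing is noteworthy."""
    if conn.direction == "out" and not conn.tls:
        proto = PLAINTEXT_PORTS.get(conn.port, f"tcp/{conn.port}")
        return f"plaintext {proto} to back-end {conn.peer}"
    if conn.direction == "in" and conn.port in DEBUG_PORTS:
        return f"debug service {DEBUG_PORTS[conn.port]} reachable from LAN"
    return None


def audit(records):
    """Group findings per device; a device with no findings maps to []."""
    findings = {}
    for conn in records:
        findings.setdefault(conn.device, [])
        label = classify(conn)
        if label:
            findings[conn.device].append(label)
    return findings


if __name__ == "__main__":
    for device, issues in audit(SAMPLE).items():
        print(device, "->", issues or ["no findings"])
```

In practice the records would come from a router's connection log or a packet-capture summary; the point of the `tls` flag is that a device talking to port 443 is not automatically safe, and a device on port 80 is plaintext by definition, so the decision should rest on whether TLS was actually negotiated rather than on the port alone.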
The research into Ubi flaws concluded, "Leveraging information from Ubi could enable cybercriminals to know exactly when to expect a user to be home based on when there is an increase in ambient noise or light in the room, which could facilitate a robbery, or even stalking in the case of a celebrity or an angry ex." Hypothetically, an attacker who compromised the Ubi could achieve a user account compromise, a network breach, and a full service breach.
Chamberlain MyQ Garage and MyQ Internet Gateway
The Chamberlain MyQ Garage wirelessly pairs with garage door openers to allow remote control of a garage door via a smartphone app; the other half of the IoT system is the Chamberlain MyQ Internet Gateway, which allows remote control of interior switches, electrical outlets, and garage doors. Veracode found security vulnerabilities that could allow thieves to be notified when a garage door opens or closes, indicating when to rob a house.
User account compromise, network breach, and full service breach were all hypothetical scenarios that were possible if attackers exploited the flaws in the Chamberlain MyQ Garage and the Chamberlain MyQ Internet Gateway.
Wink Hub and Wink Relay
The Wink Hub connects to supporting cloud services and acts as a central control device for home automation products. The hub has no UI of its own; the Wink mobile app is its control interface. The Wink Relay can be used with the Wink Hub, but the relay itself has a built-in touchscreen running the Wink app, plus programmable switches. Both the Wink Hub and the Wink Relay had vulnerabilities that could be exploited to compromise a user's account, or to result in a network breach and a full service breach.
Additionally, according to the Veracode study, "Taking advantage of security vulnerabilities within the Wink Relay (a smart home wall controller), cybercriminals could listen to sensitive conversations – in order to capture corporate intelligence from a home office."
Let's end on a happy note, at least if you have SmartThings, as it did the best of the IoT devices tested by Veracode. The SmartThings Hub acts as a central control device for other home automation sensors, such as those using Z-Wave and ZigBee, and for other tools like door locks and switches. It has no UI of its own but is controlled via a mobile app or through the web portal.
Although the SmartThings Hub did the best in Veracode's testing, the researchers said that, in a hypothetical scenario, an attacker could still potentially access a user's account. An account compromise could allow an attacker to view and manipulate products like light switches and door sensors, as well as services paired with the SmartThings Hub. Its traffic is strongly encrypted, however, so that "a passive observer would gain no detailed information about the state of any paired devices." Sadly, a full service breach of SmartThings' services could allow an attacker "to view and manipulate the state of all products and services paired with every SmartThings Hub user."
The Veracode IoT device security study highlights the fact that security needs to be baked into IoT devices starting in the design stage, so the devices won't be so easily hacked and won't pose so many risks to users' privacy.
*Updated testing tables graphics with new ones provided by Veracode.