Home IoT devices are wide open, security provider discovers

Vulnerable protocols, insufficient authentication and lack of encryption are among the holes found in widely used domestic IoT products

light bulb innovation electricity light inspiration000002176665

Reverse-engineering a password in a Wi-Fi-driven WeMo light switch by using the decryption code from the device is among the security debacles uncovered by IoT security hardware solution firm Bitdefender.

To add insult to injury, Bitdefender told the device maker about the discovered vulnerability last fall, when it discovered the problem, and as of February, it still hadn’t been fixed, Bitdefender says in its study Risks in the Connected Home.

And the WeMo wasn’t the only IoT device Bitdefender found lacking.

The security firm tested three other devices: a smart LED bulb called Lifx Bulb, a starter light bulb hub kit known as LinkHub and a Wi-Fi audio receiver named MUZO Cobblestone.

Amazingly, despite the companies' being notified of the vulnerabilities, three out of the four devices haven’t been fixed yet, Bitdefender says. One, MUZO Cobblestone, has been “partially fixed” the firm says.

Home IoT may be reinforcing a popular belief that it isn’t secure, says Softpedia in an article about the study. The “hacking of another four IoT devices reinforces belief that IoT is insecure,” article says.

“Current authentication mechanisms of Internet-connected devices can easily be bypassed to expose smart households and their inhabitants to privacy theft,” Bitdefender says in its report.

All of the problem devices used a smartphone to remotely control the IoT devices.

In the case of the WeMo switch, which uses an existing Wi-Fi network to control lights and wall sockets, Bitdefender discovered that the switch communicates with the smartphone without authentication. The only thing encrypted is the password using the weak 128-bit AES algorithm, Bitdefender found.

Decryption is possible, too, because the password is made up of elements of the MAC address and device ID—something already transmitted. Capture that and you can reverse-engineer the password, Bitdefender explains.

The Lifx Bulb was another Wi-Fi device tested. Its hotspot function suffered from insufficient authorization and authentication, Bitdefender says.

When setting up the mood-effect bulb, a hotspot is created to manage initial configuration with the phone. By creating an identical fake hotspot, under certain circumstances, a hacker could capture the username and password of the existing Wi-Fi network. As with the WeMo, that vulnerability has not been fixed, Bitdefender says.

LinkHub, the third device, also ran into hotspot issues. The GE Link lightbulb hub, for remote control of lighting, lacked transport encryption when configuring it through the hotspot.

The data is transmitted in clear text. That’s a “rookie mistake,” the study says.

The fourth, the MUZO Cobblestone audio receiver, has fared slightly better than the others in that some of its vulnerabilities have been repaired since the tests.

However, the initial issue was pretty scary. The device created a hotspot that never disbanded. Although users could create a password, they were not told that.

That issue is now fixed, although a second—a telnet service with the User ID of "admin" and password of "admin"—still exists. That allows access to the home’s original Wi-Fi network along with respective credentials.

“The IoT opens a completely new dimension to security,” Bitdefender concludes. “If projections of a hyperconnected world become reality and manufacturers don’t bake security into their products, consequences can become life-threatening.”

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2016 IDG Communications, Inc.