Update 10am GMT: Statement from Chamberlain.
New research into the emerging household Internet of Things (IoT) market has emphasized that technological advances and smarter systems do not necessarily equate to better security.
In a new report released by enterprise security firm Veracode, researchers discovered during testing of common, household IoT devices that security is not up to scratch -- paving the way for exploits, data theft, robbery and potentially even stalking.
IoT devices have exploded in popularity in recent years, with major tech firms and startups alike pouring funds into developing devices ranging from smart home security systems to sensor-laden fridges and mood lighting. It is estimated that by 2020, 25 billion connected devices -- including IoT products -- will be in use worldwide. While such products appeal to the market and can make daily living more convenient, security remains a hot topic. A quick search online and you can find default passwords for many IoT devices -- often left unchanged or unable to be changed by owners -- and very limited protections are often put in place.
According to Veracode, the problem still stands. In a security case study, the firm's team analyzed and monitored always-on IoT devices in order to understand the real-world impact of IoT product security. Six common household IoT devices, detailed below, were examined:
- Chamberlain MyQ Internet Gateway: Internet-based remote control of garage doors.
- Chamberlain MyQ Garage: Internet-based remote control of garage doors, interior switches, and electrical outlets.
- SmartThings Hub: A central control device for home automaton sensors, switches and door locks.
- Ubi: The Unified Computer Intelligence Corporation is an always-on, voice-controlled device for answering questions, controlling home automaton and performing tasks such as sending emails and SMS messages.
- Wink Hub: A central control device for home automation products.
- Wink Relay: A combination hub and control device for home automation sensors and products.
All of these products were scrutinized by the company and the team found that the impact of security vulnerabilities found in these products could be "significant" for users.
Purchased new in late December last year with up-to-date firmware, the devices were tested across four different domains: user-facing cloud services, back-end cloud services, mobile application interfaces, and device debugging interfaces.
To begin with, when testing the devices and their security in the user-facing cloud service arena, the team covered authentication and communication with cloud services that are directly accessible by users, whether they be through a web browser, custom embedded device or mobile application. Veracode wanted to know whether the service allowed communication to be protected through strong cryptography, whether encryption was a requirement at all, if strong passwords were enforced and whether server TLS certificates were properly validated.
If a product failed in these tests, this could lead to data theft, product hijacking, cracked passwords or man-in-the-middle (MITM) attacks.
The results are below:
The second test performed looked at back-end cloud services. The security team asked whether the devices used strong authentication mechanism to identify themselves to cloud services, whether encryption was employed, whether safeguards were in place to prevent MITM attacks and if sensitive data was protected. If a device failed in these tests, this could lead to impersonation by attackers, MITM attacks, the passive monitoring of networks in order to monitor devices and steal data such as user credentials.
The third test, concerning mobile applications and IoT devices that directly communicate with them, explored whether sensitive data was protected and encrypted, as well as the employment of certificate validation protocols. Without the correct protection, data can be stolen and MITM attacks performed.
In the final test, Veracode explored device debugging interfaces and services which run on the IoT device but are not intended to be used by end users -- varying from debugging ports to service code. The team chose to report only on interfaces that are accessible over a network, whether this be LAN-based or through the Web. The security team explored whether "hidden" service access was restricted to users with physical access to the device, if open interfaces are protected against unauthorized access, and whether open interfaces are designed to prevent an attacker who gains access from running arbitrary code on the device. If a device performed badly in these tests, that could lead to unauthorized access, hijacking, sensitive information leaks and remote code execution.
The range of security issues discovered in these devices is concerning, especially as IoT devices become more widely adopted in today's homes. As the security team puts it:
"Leveraging information from Ubi could enable cybercriminals to know exactly when to expect a user to be home based on when there is an increase in ambient noise or light in the room, which could facilitate a robbery, or even stalking in the case of a celebrity or an angry ex.
Taking advantage of security vulnerabilities within a Wink Relay or Ubi device, cybercriminals could turn the microphones on and listen to any conversations within earshot of the device, supporting blackmail efforts or capturing business intelligence from a user's employer in the case of a home office. Applying vulnerabilities found in the Chamberlain MyQ system, thieves could be notified when a garage door is opened or closed, indicating a window of opportunity to rob the house."
Brandon Creighton, Veracode Security Research Architect commented:
"It's hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn't mean cybersecurity should be sacrificed in the process. We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception. Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm."
In response to the research, a Chamberlain spokesperson told ZDNet:
"Chamberlain has reviewed the Veracode study and confirms that the MyQ product test is out of date, as the Chamberlain Group continually reviews and makes improvements to its product security. Additionally, we disagree with some of the findings in the report and will work with Veracode to share our concerns. Chamberlain takes the safety and security of the smart home very seriously.
Our continuous security updates and processes include using industry standard encryption, applying the latest security techniques, and periodic security testing with respected outside services. This study is a good reminder to homeowners to keep their networks secure by using strong passwords and security settings."
Read on: In the world of security
- Yahoo launches password-free logins
- Feds hot on the trail of JPMorgan hackers
- EquationDrug: Sophisticated, stealthy data theft for over a decade
- Symantec research highlights security failures in the connected home
- New CryptoLocker ransomware targets gamers
Read on: In the world of innovation
- NASA, ODG explore smart glasses for space
- Samsung hopes to secure top spot in Internet of Things revolution
- FAA to impose restrictions on commercial drone use
- Pentagon to sharpen tech edge with robotics, 3D printing, weaponry
- Waze unveils government data exchange program
- Google readies Android for the connected car