Research into IoT devices has revealed poor security practices which could easily bring down your connected home.
Internet of Things (IoT) and smart home devices are based on the idea of the connected home. From smart fridges which alert you when temperature systems break down or food is going off, to smart thermostats and smartphone-controlled lighting -- the possibilities of IoT are endless. While designed to make daily life more convenient, the industry seems to be running before it can walk -- and basic device protection is being left in the dust.
Companies are churning out devices rapidly, from Google's Nest smart thermostat to Apple and Microsoft's experiments with connected cars. However, we are seeing the same problems with smart devices as we are experiencing with online services -- a lack of basic protection which places users at risk.
On Thursday, security firm Symantec released a white paper (.PDF) which explores how secure our common, connected home devices really are. In a blog post, Symantec security researcher Candid Wueest details the research, in which 50 smart home devices were scrutinised. The researchers found that many of them included basic security problems, including weak authentication and little protection against common web vulnerabilities.
The researchers analyzed smart thermostats, locks, light bulbs, smoke detectors, energy management devices and hubs, but the report's findings could also apply to other IoT devices including security alarms, surveillance cameras, broadband routers and network-attached storage (NAS) devices.
Symantec found that none of the 50 devices analyzed used mutual authentication or enforced strong passwords. In addition, some devices even prevented the user from setting up strong passwords on the cloud interface by restricting authentication to only a simple four-number PIN code -- and none supported two-factor authentication. Coupled with no password brute-force attack mitigation, most devices could be accessed easily by hackers.
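The gap described above, a four-digit PIN with no brute-force mitigation, comes down to arithmetic on a 10,000-value keyspace. The following is an added example, not code from Symantec's paper or from any vendor: a sketch of a per-account backoff throttle, where the class name, the thresholds and the sample PIN are assumptions chosen for illustration.

```python
import hmac


class PinThrottle:
    """Per-account failed-login throttle with exponential backoff (hypothetical policy)."""

    def __init__(self, free_attempts=3, base_delay=30, max_delay=3600):
        self.free_attempts = free_attempts  # failures that trigger the first lockout
        self.base_delay = base_delay        # seconds; doubles with each further failure
        self.max_delay = max_delay          # upper bound on a single lockout
        self._state = {}                    # account -> (failures, locked_until)

    def delay_after(self, failures):
        """Lockout in seconds imposed after this many consecutive failures."""
        if failures < self.free_attempts:
            return 0
        return min(self.base_delay * 2 ** (failures - self.free_attempts), self.max_delay)

    def check(self, account, supplied, expected, now):
        """Return 'ok', 'denied' or 'locked' for one attempt made at time `now` (seconds)."""
        failures, locked_until = self._state.get(account, (0, 0))
        if now < locked_until:
            return "locked"                 # rejected without evaluating the PIN
        if hmac.compare_digest(supplied, expected):
            self._state.pop(account, None)  # a successful login resets the counter
            return "ok"
        failures += 1
        self._state[account] = (failures, now + self.delay_after(failures))
        return "denied"

    def seconds_to_exhaust(self, keyspace):
        """Enforced waiting time needed to try every value in the keyspace once."""
        # A wait follows every failed guess except the final one.
        return sum(self.delay_after(n) for n in range(1, keyspace))
```

With these assumed defaults, working through all 10,000 PINs costs 35,967,810 seconds (about 416 days) of enforced waiting per account, against zero when no throttle exists. A throttle like this complements, and does not replace, longer credentials and a second factor.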
In addition to a lack of strong authentication, many smart home web interfaces "suffer from well-known web application vulnerabilities," according to the researchers. While testing 15 IoT cloud interfaces, the team found these devices contained severe vulnerabilities. Symantec discovered and reported 10 vulnerabilities related to issues such as remote code execution, remote file inclusion (RFI), and SQL injection. One device which caused concern in particular was a smart door lock which the team was able to open remotely across the web without knowing the password.
"Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don't use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices. This security faux pas allows an attacker, with the ability to sniff the home network for IoT device passwords. These stolen credentials can then be used to execute other commands and even take over the device completely by updating it with a malicious firmware update."
As yet, Symantec has not seen any widespread malware attacks targeting IoT devices -- but just as mobile malware is on the rise, it is likely to happen in the future, especially when the technology is adopted into the mainstream.
While it can be difficult for users to secure their own devices, Symantec recommends that users use strong passwords, disable IoT devices when not needed, use devices on a separate home network when possible and research the vendor's security measures in order to protect their connected homes.
Gartner predicts there will be a quarter of a billion connected devices in use by 2020.