Saturday, April 18, 2015

Security concerns with consumer IoT devices

With the increasing popularity of Internet-of-Things connected products, security of these devices and their networks is a growing concern.

Let's consider potential security vulnerabilities that can exist in Internet-of-Things appliances, and how these security threats may be mitigated. Security is a particular concern in the context of home automation devices and Internet-of-Things connected appliances in the home because hardware and/or software vulnerabilities in these devices have the potential to affect the security of homes, buildings and people.

Security vulnerabilities in these connected devices, such as home automation hubs, could potentially allow attackers to gain control of door locks or other actuators, access video cameras or otherwise compromise physical security.

Recent research from security firm Veracode has found that many of today's popular "smart home" devices have security vulnerabilities, which are open to exploitation. The researchers examined a selection of typical always-on IoT home automation appliances on the market in order to understand the real-world potential impact of security vulnerabilities in these kinds of products.

The products that were studied by the researchers included the MyQ Internet Gateway and the MyQ Garage, which provide Internet-based control of devices such as garage doors, power outlets and lighting, the SmartThings Hub, a central control device for home automation sensors, switches and devices such as door locks, the Wink Hub and Wink Relay networked home automation products, and the Ubi home automation gateway.

These devices are just a representative sample of today's popular "Internet-of-Things" appliances in the consumer market.

The Veracode researchers didn't look for vulnerabilities in the firmware of the devices they looked at, but instead analysed the implementation and security of the communication protocols they use.

The researchers looked at the front-end connections, between the users and the cloud services, as well as the back-end connections between the cloud services and the devices themselves. They wanted to know whether these services allowed communication to be protected through strong cryptography, whether encryption was a requirement at all, if strong passwords were enforced and whether server TLS certificates were properly validated.

Researchers found that of the six products examined, only one enforced the strength of user passwords at the front end, and one of the products did not enforce encryption for user connections.

This research also looked at the back-end cloud service connectivity in these products, whether the devices used strong authentication mechanisms to identify themselves to cloud services, whether encryption was employed and whether safeguards were in place to prevent man-in-the-middle attacks and if sensitive data was protected - for example by hashing clear text passwords and transmitting only the crucial data needed across the Internet service.

What they found was a general trend towards even weaker security, with two of the products tested not employing encryption for communications between the cloud service and the device.

It was also found that one of the devices did not properly secure sensitive data, and man-in-the-middle attack protection was lacking across all the devices tested, with the exception of the SmartThings Hub, either because TLS (Transport Layer Security) encryption was not used at all or because proper certificate validation was not used.

This research suggests that connected products, marketed as appliances for the household consumer, have been designed with the assumption that the local area networks that they'll be installed on are secure.

However, that seems to be a mistake since we know that if there's anything worse than the security and user configuration we see with these new connected products, it's the security of WiFi routers.

Researchers find serious vulnerabilities in consumer routers and their firmware routinely, and many of these have the potential to enable attackers to perform man-in-the-middle attacks on data going out to the Internet or to other devices on the LAN.

A quick search online and you can find default passwords for many IoT devices - often left unchanged or unable to be changed by users - and the security features in place are often very limited. User instruction and education can play a large part in minimising potential problems here - for example, choosing strong passwords, both for the Wi-Fi router as well as for devices connected to it, and regularly checking for and installing firmware or software updates provided by vendors.

This study is a good reminder to users to keep their networks secure by using strong passwords and security settings, across their PCs, phones or other devices, wireless access points and routers, as well as smart IoT devices. Furthermore, the research team also explored device debugging interfaces and services that run on these IoT devices which aren't intended to be accessed by end users.

The team only investigated interfaces that are accessible over a network, whether over the local area network or through the Web. For example, attacking a device through a hardware interface, plugging a JTAG probe into a smart light bulb, is not considered to be a significant security threat compared to network-connected services. 

This research explored whether access to these hidden services was restricted to users with physical access to the device, if open interfaces are protected against unauthorised access, and whether open interfaces are designed to prevent an attacker who gains access to these interfaces from running arbitrary code on the device.

The Veracode research found that the Wink Hub runs an unauthenticated HTTP service on port 80 that is used to configure the wireless network settings, the Wink Relay runs a network-accessible ADB (Android Debug Bridge) service, the Ubi runs both an ADB service and a VNC remote desktop service with no password, the SmartThings Hub runs a password-protected telnet server and the MyQ Garage runs an HTTPS service that exposes basic connectivity information.

It is simply assumed that all these things are secure because the wireless LAN they're on is secure, but this is commonly not true and these networks are secured poorly or not at all. For devices with exposed ADB interfaces, this can provide attackers with root access and can allow them to execute arbitrary code on the device.

At this point the casual observer may consider all these new consumer IoT-based devices to be a security risk, however if developed by the right team nothing could be further from the truth. With a great design team and user education security can become a non-issue for the end user.

The easiest part is to find the right designers for your IoT-based product - and here at the LX Group we have the team, experience and technology to bring your ideas to life.

Getting started is easy - join us for an obligation-free and confidential discussion about your ideas and how we can help bring them to life – click here to contact us, or telephone 1800 810 124.

LX is an award-winning electronics design company based in Sydney, Australia. LX services include full turnkey design, electronics, hardware, software and firmware design. LX specialises in embedded systems and wireless technologies design.

Published by LX Pty Ltd for itself and the LX Group of companies, including LX Design House, LX Solutions and LX Consulting, LX Innovations.



No comments:

Post a Comment