In an evaluation of 50 smart home based devices, this Symantec research report reveals a number of gaps in security that must be improved upon in future.
The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance available. However, despite its increasing acceptance by consumers, recent studies of IoT devices seem to agree that “security” is not a word that gets associated with this category of devices, leaving consumers potentially exposed.
To find out for ourselves how IoT devices fare when it comes to security, we analyzed 50 smart home devices that are available today. We found that none of the devices enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Almost two out of ten of the mobile apps used to control the tested IoT devices did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities.
All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices. IoT vendors need to do a better job on security before their devices become ubiquitous in every home, leaving millions of people at risk of cyberattacks.
HIGH-LEVEL SUMMARY OF KEY FINDINGS
1. Weak authentication – None of the devices used mutual authentication or enforced strong passwords
2. Web vulnerabilities – We found and reported ten vulnerabilities related to path traversal, unrestricted file uploading (remote code execution), remote file inclusion (RFI), and SQL injection.
3. Local attack vulnerabilities – Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don’t use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices.
4. Potential for future attacks — Currently, most proposed IoT attacks are proof-of-concepts and have yet to generate any profit for attackers. This doesn’t mean that attackers won’t target IoT devices in the future when the technology becomes more mainstream.