The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance imaginable. Gartner predicts that there will be 2.9 billion connected IoT devices in consumer smart home environments in 2015.*
However, despite the public’s increased acceptance of the smart home, recent studies seem to agree that “security” is not a word that frequently gets associated with IoT devices, leaving consumers potentially exposed. We recently analyzed 50 smart home devices that are available today and took a look at how they measure up when it comes to security.
The connected home landscape
For our research, we analyzed IoT devices from the following categories:
- Smart thermostats
- Smart locks
- Smart light bulbs
- Smart smoke detectors
- Smart energy management devices
- Smart hubs
Our findings could also apply to other IoT devices and smart home products, such as:
- Security alarms
- Surveillance IP cameras
- Entertainment systems (smart TV, TV set-top boxes, etc.)
- Broadband routers
- Network attached storage (NAS) devices
Smart home devices may use a back-end cloud service to monitor usage or allow users to remotely control these systems. Users can access this data or control their device through a mobile application or web portal.
Our research found that many of these devices and services had several basic security issues.
None of the devices used mutual authentication or enforced strong passwords. Even worse, some hindered the user from setting up a strong password on the cloud interface by restricting the authentication to a simple four-number PIN code. Combine this with no support for two-factor authentication (2FA) and no password brute-force attack mitigation, and you have an easy target for attackers.
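To make the three gaps in that paragraph concrete, here is an added example (not code from the original post or from any vendor it analysed) of how a cloud login endpoint can enforce a password policy instead of a four-digit PIN, require a TOTP second factor, and lock an account after repeated failures. Everything in it is an assumption chosen for illustration: the policy thresholds, the five-failure/15-minute lockout, the RFC 6238 test-vector secret reused as a constructed TOTP seed, and salted SHA-256 standing in for a slow password hash.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

var ErrWeakPassword = errors.New("password does not meet policy")
var ErrLocked = errors.New("account temporarily locked")
var ErrBadCredentials = errors.New("invalid credentials") // deliberately does not say which factor failed

// PasswordAcceptable enforces a minimal policy (assumed values): at least 12 characters
// drawn from at least three of four classes. A four-digit PIN such as "1234" fails both tests.
func PasswordAcceptable(pw string) bool {
	classes := 0
	for _, class := range []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit, func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }} {
		if strings.IndexFunc(pw, class) >= 0 {
			classes++
		}
	}
	return len(pw) >= 12 && classes >= 3
}

// TOTP computes the RFC 6238 six-digit code (HMAC-SHA1, 30-second step) for
// secret at time t; this is the second factor the cloud account asks for.
func TOTP(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset, RFC 4226 section 5.3
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// hashPassword is salted SHA-256 to keep the example dependency-free; a real service uses a slow KDF (bcrypt, scrypt, Argon2).
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

// Account is the server-side record for one user of the cloud interface.
type Account struct {
	salt, passwordHash, totpSecret []byte
	failures                       int
	lockedUntil                    time.Time
}

// NewAccount refuses to create an account whose password violates the policy.
func NewAccount(password string, totpSecret []byte) (*Account, error) {
	if !PasswordAcceptable(password) {
		return nil, ErrWeakPassword
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Account{salt: salt, passwordHash: hashPassword(salt, password), totpSecret: totpSecret}, nil
}

// Login checks the lockout first, then both factors, and counts failures so an
// online guessing attack is throttled. now is passed in so tests can control time.
func (a *Account) Login(password, otp string, now time.Time) error {
	if now.Before(a.lockedUntil) {
		return ErrLocked
	}
	pwOK := subtle.ConstantTimeCompare(hashPassword(a.salt, password), a.passwordHash) == 1
	otpOK := subtle.ConstantTimeCompare([]byte(TOTP(a.totpSecret, now)), []byte(otp)) == 1
	if !pwOK || !otpOK {
		a.failures++
		if a.failures >= 5 { // assumed policy: five failures in a row lock the account for 15 minutes
			a.lockedUntil = now.Add(15 * time.Minute)
			a.failures = 0
		}
		return ErrBadCredentials
	}
	a.failures = 0
	return nil
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret, used here as a constructed value
	acct, _ := NewAccount("Correct-Horse-7", secret)
	now := time.Now()
	fmt.Println("PIN passes policy:", PasswordAcceptable("1234"), "| login:", acct.Login("Correct-Horse-7", TOTP(secret, now), now))
}
```

The lockout is per account and counts both factors together, so the endpoint never tells a caller whether the password or the code was the wrong half; combined with the minimum length, the 10,000-combination search space that a PIN offers simply does not exist here.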
In addition to weak authentication, many smart home web interfaces suffer from well-known web application vulnerabilities. A quick test with 15 IoT cloud interfaces revealed some severe vulnerabilities, and this check only scratched the surface. We found and reported ten vulnerabilities related to path traversal, unrestricted file uploading (remote code execution), remote file inclusion (RFI), and SQL injection. And we’re not just talking about smart light bulbs here; one of the affected devices was a smart door lock, which we could open remotely over the internet without even knowing the password.
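The path traversal and unrestricted upload findings above are both mitigated by the same pattern: canonicalise the client-controlled name, then allow-list it. The Go functions below are an added example (not from the post, and not code from any analysed device) showing both checks; the document root /srv/www and the file names are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

var ErrOutsideRoot = errors.New("requested path escapes the document root")

// SafeJoin resolves a client-supplied relative path against root and refuses
// any result that leaves root. Cleaning first and then checking the prefix is
// what defeats "../" sequences, including ones hidden behind a valid directory
// ("img/../../etc/passwd") or written with backslashes.
func SafeJoin(root, requested string) (string, error) {
	root = filepath.Clean(root)
	requested = strings.ReplaceAll(requested, "\\", "/")
	joined := filepath.Clean(filepath.Join(root, filepath.FromSlash(requested)))
	// The trailing separator matters: without it "/srv/www2" would pass as inside "/srv/www".
	if joined != root && !strings.HasPrefix(joined, root+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	// If root may contain symlinks, resolve both sides with filepath.EvalSymlinks
	// before comparing; omitted here so the example runs without a real filesystem.
	return joined, nil
}

// uploadName is an allow-list, not a deny-list: a plain base name and one of a
// few image extensions. "shell.php", "photo.php.png" and "../index.html" cannot
// be expressed in this grammar, so an upload can neither become server-executable
// code nor land outside the upload directory.
var uploadName = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$`)

// AcceptUploadName reports whether a client-chosen file name may be stored.
func AcceptUploadName(name string) bool {
	return uploadName.MatchString(name)
}

func main() {
	for _, p := range []string{"css/style.css", "../../etc/passwd", "img/../../etc/passwd"} {
		resolved, err := SafeJoin("/srv/www", p)
		fmt.Printf("%-24s -> %q %v\n", p, resolved, err)
	}
	for _, n := range []string{"photo.png", "shell.php", "photo.php.png"} {
		fmt.Printf("%-16s upload allowed: %v\n", n, AcceptUploadName(n))
	}
}
```

Both functions return a decision rather than acting on it, so the same checks can sit in front of whatever handler actually reads or writes the file; storing uploads under a server-generated name rather than the client's is a further hardening step that removes the naming question entirely.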
Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don’t use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices. This security faux pas gives an attacker the ability to sniff the home network for IoT device passwords. These stolen credentials can then be used to execute other commands and even take over the device completely by updating it with a malicious firmware update.
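As an added example, not taken from the post or its whitepaper, the following Go code shows the signed-update scheme whose absence the paragraph describes: the vendor signs a manifest (version plus image hash) with an Ed25519 key, and the device verifies the signature, an anti-rollback rule and the image digest before anything is flashed. The key pair, the manifest layout and the firmware bytes are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image: a monotonically increasing version
// number and the SHA-256 digest of the image bytes. Its fixed-width encoding
// is the message the vendor signs, so the image itself can be hashed in chunks.
type Manifest struct {
	Version uint32
	Digest  [sha256.Size]byte
}

// Encode serialises the manifest as 4-byte big-endian version || 32-byte digest (assumed layout).
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf, m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Update is the bundle the device downloads: manifest, its signature and the image.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid: not signed by the vendor key")
	ErrRollback       = errors.New("update is not newer than the installed firmware")
	ErrDigestMismatch = errors.New("image digest does not match the signed manifest")
)

// NewVendorKeys generates the vendor's Ed25519 signing key pair. The public
// half is provisioned into the device at manufacture; the private half stays
// on the vendor's build infrastructure.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignUpdate is the vendor-side step: hash the image, build the manifest, sign it.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.Encode()), Image: image}
}

// VerifyUpdate is the device-side check that must pass before any byte of the
// update is written to flash. installed is the version currently running.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	// 1. Authenticity: only the vendor key may have produced this manifest.
	if !ed25519.Verify(pub, u.Manifest.Encode(), u.Signature) {
		return ErrBadSignature
	}
	// 2. Anti-rollback: a validly signed but older image may carry known bugs.
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	// 3. Integrity: the image actually delivered is the one the manifest covers.
	if sha256.Sum256(u.Image) != u.Manifest.Digest {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := NewVendorKeys()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed stand-in for a firmware image, version 2")
	u := SignUpdate(priv, 2, image)
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, u))
	u.Image[0] ^= 0xff // simulate an image altered in transit
	fmt.Println("altered image:", VerifyUpdate(pub, 1, u))
}
```

Because only the manifest is signed, the device can stream and hash a large image without buffering it, and the version field inside the signed data is what stops a genuine but older image from being replayed onto the device.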
Potential for attacks
As yet, we haven’t seen any widespread malware attacks targeting smart home devices, apart from computer-related devices such as routers and network-attached storage appliances. Currently, most proposed IoT attacks are proof-of-concepts and have yet to generate any profit for attackers. This doesn’t mean that attackers won’t target IoT devices in the future when the technology becomes more mainstream.
From the past, we know that attackers are nothing if not creative and will always conjure up new attack methods. Even if it’s just to misuse the technology, blackmail the user, or have a persistent anchor in a home network, cybercriminals are always ready and eager to attack any target they can.
So before you get carried away with your new smart home automation projects, take a moment to think about how these conveniences may be exposing you and your home to cyberattacks. Demand better security from the manufacturers of your smart home and IoT devices; only then will things start to improve.
If you want to read more of our analysis on smart home devices, you can read our whitepaper.
Unfortunately, it’s difficult for a user to secure their IoT devices themselves, as most devices don’t provide a secure mode of operation. Nonetheless, users should follow the advice below to reduce the risk of a potential attack:
- Use strong and unique passwords for device accounts and Wi-Fi networks
- Change default passwords
- Use a stronger encryption method when setting up Wi-Fi networks, such as WPA2
- Disable or protect remote access to IoT devices when not needed
- Use wired connections instead of wireless where possible
- Use devices on a separate home network when possible
- Be careful when buying used IoT devices, as they may have been tampered with
- Research the vendor’s device security measures
- Modify the privacy and security settings of the device to your needs
- Disable features that aren’t needed
- Install updates when they become available
- Ensure that an outage, for example due to jamming or a network failure, does not leave the installation in an insecure state
- Verify if the smart features are really required or if a normal device would be sufficient
As a security industry leader, Symantec helps various IoT device manufacturers with building secure IoT devices. Vendors should consider the following five fundamental tenets when developing new devices:
- Strong trust model for IoT–e.g. device authentication through SSL
- Protecting the code that drives IoT–e.g. digital code signing
- Effective host-based protection for IoT–e.g. endpoint protection and system hardening
- Safe and effective management for IoT–e.g. configuration and over-the-air updates
- Security analytics to address new and advanced threats–e.g. anomaly detection
*Gartner Press Release, Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015, published November 11, 2014, http://www.gartner.com/newsroom/id/2905717