The foundation of the Internet of Things (IoT) – the devices themselves plus their associated mobile applications and cloud services – are often not designed with data security or privacy in mind, putting consumers at risk for cyberattack or physical intrusion of their homes.
Veracode’s security team probed and monitored a set of always-on, consumer IoT devices to understand the real-world impact of each product’s security. The results show security vulnerabilities within these devices to be a potential pathway for robbery, theft of sensitive data or even stalking.
With around 4.9 billion connected devices in use today and an estimated 25 billion by 2020, cybersecurity is becoming a major concern. The Federal Trade Commission has warned that cyberattackers could potentially hijack and misuse sensitive information recorded by the technology or that the technology could even create physical safety risks for consumers.
Attacks on connected devices have already been reported and are likely to continue to happen if manufacturers do not bolster their cybersecurity efforts. In this light, Veracode studied six common at-home devices, including the Chamberlain MyQ Internet Gateway, the Chamberlain MyQ Garage, the SmartThings Hub, the Ubi, the Wink Hub, and the Wink Relay.
The study found that the impact of security vulnerabilities in these devices could be significant for users. Leveraging information from Ubi could enable cybercriminals to know exactly when to expect a user to be home based on when there is an increase in ambient noise or light in the room, which could facilitate a robbery, or even stalking in the case of a celebrity or an angry ex.
Taking advantage of security vulnerabilities within a Wink Relay or Ubi device, cybercriminals could turn the microphones on and listen to any conversations within earshot of the device, supporting blackmail efforts or capturing business intelligence from a user’s employer in the case of a home office. Applying vulnerabilities found in the Chamberlain MyQ system, thieves could be notified when a garage door is opened or closed, indicating a window of opportunity to rob the house.
“It’s hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn’t mean cybersecurity should be sacrificed in the process,” said Brandon Creighton, Veracode Security Research Architect. “We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception. Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm.”
Among the issues found were: open debugging interfaces that could allow remote attackers to run arbitrary code on the device itself such as spyware; serious protocol weakness that allow passive observers to access sensitive data or control of the device; and lack of adherence to best practices to protect users’ accounts against weak passwords and common password-guessing techniques. The results showed that all but one device exhibited cybersecurity vulnerabilities across a majority of the categories tested.
The devices were purchased new in late December 2014. All test findings were against versions of the firmware that were up-to-date in mid-to-late January 2015.