Identifying vulnerable IoT devices by the companion app they use

For better or worse, connected “smart” devices are springing up like mushrooms. There is no doubt that they can be very helpful but, unfortunately, most have a slew of security vulnerabilities that could turn them into a nightmare.

Until legislation catches up and manufacturers start caring about implementing security from the start, security researchers are our only hope when it comes to improving IoT security. Consequently, every approach that makes the process of identifying as many vulnerable devices as quickly as possible is more than welcome.

A group of researchers from Indiana University Bloomington and Symantec Research Labs have recently unveiled the promising result of one such approach: they’ve analyzed 2,081 IoT companion apps and confirmed that at least 164 IoT devices from 38 different vendors were definitely vulnerable.

The results of the research

Acquiring IoT devices for security testing purposes is a very costly endeavour and getting one’s hands on the accompanying firmware without buying them is time-consuming. IoT companion apps are, on the other hand, generally free and easy to get.

The researchers downloaded 2,081 such apps from Google Play and fed them into a platfom that was able to:

• Find the characteristics of a device by analyzing its companion app
• Identify clusters of devices that have similarity in some of the characteristics found in app analysis by analyzing multiple apps.

“Smart home IoT device vendors, especially small and medium-sized ones, often rely on same components (e.g., software built from open source projects, hardware components from common suppliers) to build their devices. Consequently, the same vulnerabilities or bad security practices often transfer from one IoT device to another,” the researchers noted.

The platform’s clustering capability helps identify apps that have a similar set of vulnerabilities based on shared components. The clustering was performed based on different aspects: similar software or hardware components, back-end services, and network protocols.

“Similar device interfaces, especially application interfaces, are indicative of strong connections between software components of different devices. Similarities in hardware components are sometimes re- flected in device companion apps due to the need for the app to configure or interact with the hardware component,” the researchers explained.

“We found that 39 different devices from 11 vendors are very likely to speak the SSDP protocol, which was known to be vulnerable as a reflector for DDoS attacks. As another example, we found that 32 devices from 10 vendors relied on the same cloud service to manage their devices, and the cloud service has a reported security weakness that allows attackers to take full control of the IoT devices by device ID and password enumeration.”

In total, the platform has identified 324 potentially vulnerable devices from 73 different vendors.

“During the process of validation, we could reach a decision (confirm or disapprove) about 179 devices from 43 vendors, among which 164 (91.6%) are confirmed to be vulnerable,” they pointed out.