According to a report released this morning by security provider Veracode, many of the Internet of Things devices that consumers are buying for their increasingly connected homes are vulnerable to hacker exploits. While Veracode looked at different devices and vulnerabilities, its overall findings mirror those by Synack, which we reported on last month.

According to the Veracode report, for example, a vulnerability in the Ubi voice-controlled Internet appliance could enable criminals to monitor the ambient noise or light in a room to determine whether someone is home or away. Similarly, a weakness in the Chamberlain MyQ Garage garage door opener could alert thieves to a door's opening and closing, again giving a clue to good times to break in.

"The Internet of Things is getting more and more popular," said Veracode security research architect Brandon Creighton, "and it's grown into a phenomenon that doesn't just exist in the realms of technical people who are buying little components and plugging them together. It's now a consumer-level thing, and you can buy most of these devices at a Target or a Home Depot. Even though they're packaged as hardware devices, in reality they're just like any other technological system in that they're primarily comprised of software. And software can be hacked if it's properly protected."

Compromising the Chamberlain MyQ Garage could give thieves information about whether the door is open or closed, or even let them open it themselves.

In designing the study, Creighton said, "we wanted to choose devices that had an impact in the real world, or at least the potential for it." To that end, his team looked at always-on systems that are marketed to end users who don't possess any particular technical expertise. In addition to the Chamberlain MyQ Garage and the Ubi, the firm tested the Chamberlain MyQ Internet Gateway, the SmartThings Hub, the Wink Hub, and the Wink Relay.

Researchers conducted 10 tests, classifying the results into four categories: user-facing cloud services, back-end cloud services, mobile application interfaces, and device-debugging interfaces. They found vulnerabilities across most categories in all but one of the devices.

"The SmartThings hub did pretty well on the tests we applied," Creighton said. "We didn't do an in-depth security review on every aspect of the device; we didn't go into the firmware. We're not saying they're secure, we're saying that for these tests, they did pretty well."

The Veracode report looks at the hypothetical effects of drastic security breaches of the systems tested. An Ubi attacker, for example, could learn a lot about the target's personal life and habits.

Veracode installed and configured the devices according to their included documentation, and then monitored and captured all the communication between the devices and their surroundings. "When you're thinking about IoT devices as a consumer, it's important to think about the fact that these are not just isolated things sitting in your house," Creighton said, "there are any number of services they may be communicating with.

"And the security of the system as a whole often relies on those services being secure as well. We didn't have permission to scan those services, so the flaws we did find were mostly in the devices themselves, and related to the communication between the devices and the servers."

Follow this link:
Many connected-home devices lack robust security features, security firm claims

April 8, 2015 at 6:10 am by Mr HomeBuilder