Symantec has issued a damning indictment of the security of smart home devices. It analysed 50 currently available products and says: “We found that none of the devices enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks.”
Symantec has published its findings in a free report Insecurity in the Internet of Things. It found that almost two out of ten of the mobile apps used to control the tested IoT devices did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities.
“All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices,” Symantec said. “IoT vendors need to do a better job on security before their devices become ubiquitous in every home, leaving millions of people at risk of cyber attacks.”
And Australian users are likely to be prime targets for IoT hackers, according to Nick Savvides, senior principal systems engineer with Symantec’s Cyber Security group. He told IoT Australia: “With the prevalence of high speed Internet, general ubiquity of connectivity and a high penetration of gadgets, Australia is definitely a market that will be targeted by malicious actors. It has all the ingredients to make their attacks successful.”
He said that, at present, IoT devices were used mainly to gain network access to enable conventional attacks against IT systems, but added: “We are going to start seeing attacks directly against the things themselves. What about compromising someone’s security cameras or baby monitors and using those to make ransom demands? It’s very creepy when you think about it.”
Device manufacturers lack security expertise
He blamed the problem to a large extent on the lack of security expertise among smart home device manufacturers. “The people making these devices are not security people. Security is often an afterthought, and they don’t think like modern attackers think.”
In summary, Symantec found that:
- none of the analysed devices provided mutual authentication between the client and the server;
- some devices offered no enforcement and often no possibility of strong passwords;
- some IoT cloud interfaces did not support two-factor authentication;
- many IoT services did not have lockout or delaying measures to protect users’ accounts against brute-force attacks;
- some devices did not implement protections against account harvesting;
- many of the IoT cloud platforms included common web application vulnerabilities;
- most of the IoT services did not provide signed or encrypted firmware updates, if updates were provided at all;
- fifteen of the web portals used to control IoT devices showed weaknesses even without any deep testing being performed; six of these were serious issues allowing unauthorised access to the backend systems.
Symantec detailed two of its successful hacks. However, both required that the hacker had already gained access to the WiFi network to which the devices were connected. Symantec was able to load rogue firmware onto a LightwaveRF smart hub because it checks for firmware updates every 15 minutes via a connection that is neither encrypted nor authenticated.
“We chose to use Address Resolution Protocol (ARP) poisoning to redirect the smart hub’s request to our own server,” Symantec said. “Since the firmware update is an unsigned blob in a raw format, it is easy to unpack and modify it. Once the modified firmware update is served to the device and installed, the attacker gets full control over the smart hub device and could start attacking other connected devices from there.”
No excuse for lax security
Savvides said there was really no excuse for devices being so vulnerable. “To validate a digital signature on a firmware payload costs them nothing. It’s not hard to implement, it’s not complicated. It is simply an oversight because they have never thought that way.”
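The check Savvides describes, as an added example that is not Symantec's or LightwaveRF's code: a hub verifies an Ed25519 signature over a firmware image under a pinned vendor public key, and refuses version rollback, before anything is flashed. The image layout, function names and constructed payload are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not any real vendor's format):
//   magic "FWUP" (4) | version uint32 BE (4) | payload length uint32 BE (4) |
//   Ed25519 signature over magic|version|length|payload (64) | payload
const hdrLen = 4 + 4 + 4
const sigLen = ed25519.SignatureSize

// SignFirmware runs in the vendor's build pipeline with the offline signing key.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, "FWUP")
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	sig := ed25519.Sign(priv, append(append([]byte{}, hdr...), payload...))
	return append(append(hdr, sig...), payload...)
}

// VerifyFirmware runs on the hub before installing: it checks the structure,
// the signature under the pinned public key, and that the version does not
// roll back. The payload is returned only when every check passes.
func VerifyFirmware(pub ed25519.PublicKey, installed uint32, image []byte) ([]byte, error) {
	if len(image) < hdrLen+sigLen || string(image[:4]) != "FWUP" {
		return nil, errors.New("malformed image header")
	}
	version := binary.BigEndian.Uint32(image[4:8])
	payload := image[hdrLen+sigLen:]
	if int(binary.BigEndian.Uint32(image[8:12])) != len(payload) {
		return nil, errors.New("payload length mismatch")
	}
	signed := append(append([]byte{}, image[:hdrLen]...), payload...)
	if !ed25519.Verify(pub, signed, image[hdrLen:hdrLen+sigLen]) {
		return nil, errors.New("bad signature: refusing unsigned or modified firmware")
	}
	if version < installed {
		return nil, fmt.Errorf("version %d older than installed %d: rollback refused", version, installed)
	}
	return payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := SignFirmware(priv, 2, []byte("constructed firmware payload"))
	img[len(img)-1] ^= 0xff // simulate a blob modified in transit
	_, err := VerifyFirmware(pub, 1, img)
	fmt.Println("tampered image accepted:", err == nil) // prints false
}
```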
He expects things to change rapidly. “It’s like the early days of computing right now. People are creating new devices with no consideration for security. That will quickly change as the vendors that take security seriously and build it into their products start promoting that to their advantage.”
In the meantime, he said people should recognise that the prime targets are their traditional computer systems and take all the usual steps to protect them.
For the devices themselves, he said: “If you are using an app to control things, make sure that is up to date. Keep a register of everything you have. And change the default password. That is a big one. When an attacker is looking to compromise your IoT devices there are so many to pick from that you only need to make it a bit harder than the next guy’s.”