Pierluigi Paganini March 17, 2015

A research conducted by experts at Symantec highlights disturbing security failures in the IoT devices present in today connected home.

The purpose of IoT is connect all type of devices that we have at home, let’s say I am at my work and I want to arrive at home and have my air conditioner at exactly 22 degrees, and having my favorite music playing, my TV on Eurosport, so my devices communicate between each other based on the same protocol to have all that I ordered prepared at my arrival.

You would say that IoT it’s the future, but I disagree, because IoT it’s already the present, but it will get better in the future. For IoT to get better, companies need to take serious security.

The last Thursday Symantec release a white paper addressing security issues related IoT devices, and honestly, it’s not a surprise for me since disregarding security it’s something that comes from the past.

For the tests, Symantec used 50 smart home devices, including thermostats, locks, light bulbs, smoke detectors, energy management devices, etc.

“For our test, we used the precondition that the attacker has successfully cracked the Wi-Fi password and has access to the local network. ” was the precondition for the tests.

What they found out was shocking, from the 50 devices:

• None of the analyzed devices provided mutual authentication between the client and the server.
• Around 19 percent of all tested mobile apps that are used to control IoT devices did not use SSL connections to the cloud.
• Some devices offered no enforcement and often no possibility of strong passwords.
• Some IoT cloud interfaces did not support two-factor authentication (2FA).
• Many IoT services did not have lock-out or delaying measures to protect users’ accounts against brute-force attacks.
• Some devices did not implement protections against account harvesting.
• Many of the IoT cloud platforms included common web application vulnerabilities.
• It was found ten security issues in fifteen web portals used to control IoT devices without performing any deep tests.
• Most of the IoT services did not provide signed or encrypted firmware updates, if updates were provided at all

The findings of the study published by Symantec have serious repercussions on the security of smart objects that crowd our homes:

“Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don’t use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices.”

By exploiting one of the above security flaws, an attacker could sniff the home network for IoT device passwords. These stolen credentials can then be used to execute other commands and even take over the device completely by updating it with a malicious firmware update.”

The good news is that until now Symantec didn’t find any widespread malware attacks targeting IoT devices, but it is a question of time according the experts.

For end users there are some tips provided by Symantec that can be helpful:

• Use strong passwords for device accounts and Wi-Fi networks
• Change default passwords
• Use a stronger encryption method when setting up Wi-Fi networks such as WPA2
• Disable or protect remote access to IoT devices when not needed
• Use wired connections instead of wireless where possible
• Be careful when buying used IoT devices, as they could have been tampered with
• Research the vendor’s device security measures
• Modify the privacy and security settings of the device to your needs
• Disable features that are not being used
• Install updates when they become available
• Use devices on separate home network when possible
• Ensure that an outage, for example due to jamming or a network failure, does not result in a unsecure state of the installation
• Verify if the smart features are really required or if a normal device would be sufficient

The IoT devices aim to make our life easier, but this is possible if manufacturers and vendors will start to think security by design, because as explained by the researchers at Symantec:

“Any code that is run on a smart device, be it the firmware or application, should be verified through a chain of trust.”

About the Author Elsio Pinto

and Pierluigi Paganini

(Security Affairs –  cyber attacks, cyber security)