Pierluigi Paganini
March 17, 2015
The purpose of IoT is connect all type of devices that we have at home, let’s say I am at my work and I want to arrive at home and have my air conditioner at exactly 22 degrees, and having my favorite music playing, my TV on Eurosport, so my devices communicate between each other based on the same protocol to have all that I ordered prepared at my arrival.
You would say that IoT it’s the future, but I disagree, because IoT it’s already the present, but it will get better in the future. For IoT to get better, companies need to take serious security.
The last Thursday Symantec release a white paper addressing security issues related IoT devices, and honestly, it’s not a surprise for me since disregarding security it’s something that comes from the past.
For the tests, Symantec used 50 smart home devices, including thermostats, locks, light bulbs, smoke detectors, energy management devices, etc.
“For our test, we used the precondition that the attacker has successfully cracked the Wi-Fi password and has access to the local network. ” was the precondition for the tests.
What they found out was shocking, from the 50 devices:
The findings of the study published by Symantec have serious repercussions on the security of smart objects that crowd our homes:
“Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don’t use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices.”
By exploiting one of the above security flaws, an attacker could sniff the home network for IoT device passwords. These stolen credentials can then be used to execute other commands and even take over the device completely by updating it with a malicious firmware update.”
The good news is that until now Symantec didn’t find any widespread malware attacks targeting IoT devices, but it is a question of time according the experts.
For end users there are some tips provided by Symantec that can be helpful:
The IoT devices aim to make our life easier, but this is possible if manufacturers and vendors will start to think security by design, because as explained by the researchers at Symantec:
“Any code that is run on a smart device, be it the firmware or application, should be verified through a chain of trust.”
About the Author Elsio Pinto
(Security Affairs – cyber attacks, cyber security)
