IoT security is still a pipe dream

Research conducted by experts at Symantec highlights disturbing security failures in the IoT devices present in today’s connected home.

The purpose of the IoT is to connect all types of devices that we have at home. Let’s say I am at work and I want to arrive home to find my air conditioner at exactly 22 degrees, my favorite music playing and my TV on Eurosport: my devices communicate with each other over the same protocol so that everything I ordered is ready when I arrive.

You might say that the IoT is the future, but I disagree: the IoT is already the present, and it will get better in the future. For the IoT to get better, companies need to take security seriously.

Last Thursday Symantec released a white paper addressing security issues related to IoT devices and, honestly, it is no surprise to me, since disregarding security is something that comes from the past.

For the tests, Symantec used 50 smart home devices, including thermostats, locks, light bulbs, smoke detectors, energy management devices, etc.

The researchers stated the precondition for the tests: “For our test, we used the precondition that the attacker has successfully cracked the Wi-Fi password and has access to the local network.”

What they found was shocking. Of the 50 devices:

  • None of the analyzed devices provided mutual authentication between the client and the server.
  • Around 19 percent of all tested mobile apps that are used to control IoT devices did not use SSL connections to the cloud.
  • Some devices offered no enforcement and often no possibility of strong passwords.
  • Some IoT cloud interfaces did not support two-factor authentication (2FA).
  • Many IoT services did not have lock-out or delaying measures to protect users’ accounts against brute-force attacks.
  • Some devices did not implement protections against account harvesting.
  • Many of the IoT cloud platforms included common web application vulnerabilities.
  • Ten security issues were found in fifteen web portals used to control IoT devices, without performing any deep tests.
  • Most of the IoT services did not provide signed or encrypted firmware updates, if updates were provided at all.
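The missing lock-out/delay measures and account-harvesting protections listed above, implemented as server-side login logic. This is an added example, not code from Symantec's paper or from any tested product; `LoginThrottle`, the thresholds and the user store are hypothetical.

```python
import hashlib
import hmac

MAX_FREE_ATTEMPTS = 3   # failures allowed before delays start (assumed policy)
BASE_DELAY = 2.0        # seconds; doubles with every further failure
MAX_DELAY = 900.0       # delay is capped at 15 minutes
GENERIC_ERROR = "invalid username or password"


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginThrottle:
    """Per-username failure counter with exponential delay (hypothetical helper)."""

    def __init__(self, users, clock):
        self.users = users      # username -> (salt, password hash)
        self.clock = clock      # injectable time source, e.g. time.monotonic
        self.failures = {}      # username -> (failure count, time of last failure)

    def retry_after(self, username):
        """Seconds the caller must still wait before the next attempt."""
        count, last = self.failures.get(username, (0, 0.0))
        delay = 0.0
        if count >= MAX_FREE_ATTEMPTS:
            exponent = min(count - MAX_FREE_ATTEMPTS, 20)
            delay = min(BASE_DELAY * 2 ** exponent, MAX_DELAY)
        return max(0.0, last + delay - self.clock())

    def login(self, username, password):
        wait = self.retry_after(username)
        if wait > 0:
            return False, f"too many attempts, retry in {wait:.0f}s"
        # Unknown usernames take the same path (hash, compare, count, throttle)
        # as known ones, so responses do not reveal which accounts exist.
        salt, stored = self.users.get(username, (b"no-such-user", b""))
        candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored) and username in self.users:
            self.failures.pop(username, None)
            return True, "ok"
        # Record the failure; the next attempt may now be delayed.
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, self.clock())
        return False, GENERIC_ERROR
```

Throttling per username alone lets anyone delay a legitimate user's login and lets the failure table grow without bound, so a production service would pair it with per-source limits and expiry of old entries.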

The findings of the study published by Symantec have serious repercussions on the security of smart objects that crowd our homes:

“Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don’t use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices.”

“By exploiting one of the above security flaws, an attacker could sniff the home network for IoT device passwords. These stolen credentials can then be used to execute other commands and even take over the device completely by updating it with a malicious firmware update.”

The good news is that so far Symantec has not found any widespread malware attacks targeting IoT devices, but according to the experts it is only a question of time.

For end users there are some tips provided by Symantec that can be helpful:

  • Use strong passwords for device accounts and Wi-Fi networks
  • Change default passwords
  • Use a stronger encryption method when setting up Wi-Fi networks such as WPA2
  • Disable or protect remote access to IoT devices when not needed
  • Use wired connections instead of wireless where possible
  • Be careful when buying used IoT devices, as they could have been tampered with
  • Research the vendor’s device security measures
  • Modify the privacy and security settings of the device to your needs
  • Disable features that are not being used
  • Install updates when they become available
  • Use devices on a separate home network when possible
  • Ensure that an outage, for example due to jamming or a network failure, does not result in an unsecure state of the installation
  • Verify if the smart features are really required or if a normal device would be sufficient

IoT devices aim to make our lives easier, but this is possible only if manufacturers and vendors start to think about security by design because, as explained by the researchers at Symantec:

“Any code that is run on a smart device, be it the firmware or application, should be verified through a chain of trust.”

About the Author Elsio Pinto

Elsio Pinto is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also runs his own blog: http://high54security.blogspot.com/

and Pierluigi Paganini

(Security Affairs –  cyber attacks, cyber security)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
