Commercial IoT Devices Vulnerable to Privacy Theft
With concerns over the security of the Internet of Things (IoT) continuing to make the headlines, Bitdefender has investigated a set of randomly selected but commonly used consumer IoT devices to gauge their security standard in the home, identifying four which are all vulnerable to privacy theft.
Once seen as a 'fad' by many in the industry, IoT is now very much a real thing that is not only significantly impacting our lives today, but expected to play an ever-growing role in the home over the coming years. With Gartner predicting that there will be as many as four billion internet-connected devices in use in households this year, the need to ensure they are secure is imperative.
After all, whilst IoT in the home can offer unprecedented levels of comfort and convenience, inadequate security means it also has the potential to expose not only sensitive data like bank details, passwords and usernames, but also to raise human rights issues.
Things like a person’s eating habits, sleeping patterns, location and lifestyle are prime examples of the type of information many household IoT devices monitor and record. Although such fragmented data would not generally be considered high-risk on its own, it takes on a whole new light when you consider the possibility of cyber-criminals accessing and amassing these details to build an invasive digital portrait of an individual.
In the paper ‘The Internet of Things: Risks in the Connected Home’, Bitdefender researchers examined the way selected devices connect to the internet and to the cloud, as well as the communication between each device and its corresponding mobile application. The findings show that the current authentication mechanisms of many IoT devices can easily be bypassed, exposing smart households and their inhabitants to privacy theft, and outline specific concerns over the following four appliances:
LIFX Bulb: a smart LED bulb that allows users to control house lighting with the use of a smartphone app. Bitdefender found a hacker can target the device, reset it by switching it on and off five times and then use it to create a new hotspot which captures the username and password of the user’s Wi-Fi network.
MUZO Cobblestone audio receiver: this Wi-Fi audio receiver can be used to stream music from various sources via a home router and is embedded with a Telnet service so it can be accessed remotely. With the use of basic password brute-forcing, researchers discovered the initial credentials of the device were set to admin/admin. However, Bitdefender has pointed out that this issue has been partially fixed.
LinkHub: another smart lighting appliance using an adapter and two bulbs that can be managed remotely. A lack of authentication mechanisms means data is sent in plain text, allowing attackers to obtain the username and password of a Wi-Fi network.
WeMo switch: this can remotely turn plugged-in electronics on or off and includes automation capabilities, but it is vulnerable to weak access point authentication which can leave users’ Wi-Fi credentials at risk.
Clearly then, current consumer IoT services are failing in terms of security, and according to Matthew Aldridge, Solutions Architect at Webroot, there is much work to be done to put this right.
“It is not surprising this research has found that current authentication mechanisms can be easily bypassed,” he told Infosecurity. “It is the latest in a long line of such discoveries and we anticipate that huge numbers of devices have similar security and privacy issues.”
“We are still in the early days of household IoT devices and capability is foremost in the goals of the producers and purchasers of such equipment – security and privacy have a long way to go in order to catch up.”
For Aldridge, the best approach right now is to make users aware of the risks so they can take precautions. Meanwhile, “industry organizations and regulatory bodies are beginning to step up and continue with the formulation of standards to address many of these issues, but these initiatives will take time to come to fruition,” he added.
Source: Information Security Magazine