A study conducted by cybersecurity company Symantec has found that inadequate security of smart home devices leaves consumers “wide open to cyber-attack”.
The analysis of 50 Internet of Things (IoT) devices suggests that many smart home devices fail on basic security issues.
Symantec states that many consumers have been quick to adopt smart devices such as smart thermostats, locks and energy management devices in a bid to create a more energy- and time-efficient home. However, homeowners fail to sufficiently secure these devices.
Symantec conducted a series of tests to identify the weak spots in devices that could provide a pathway for interception by malicious hackers.
IoT security testing
Generally, smart home devices use back-end cloud services to monitor usage or allow users to remotely control these systems. Users commonly access this data or control their device through a mobile application or web portal.
Some smart devices in the Symantec analysis prevented the user from setting up a strong enough password on the cloud interface by restricting authentication to a simple four-digit PIN code.
In addition, the smart devices did not make use of mutual authentication (a security feature in which a client process must prove its identity to a server, and the server must prove its identity to the client, before any application traffic is sent over the client-to-server connection).
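The mutual authentication defined above, as an added example that is not taken from the Symantec study or from any device vendor: each side must verify the other's proof before any command is accepted. It assumes a per-device pre-shared key and uses an HMAC challenge-response as a stand-in for certificate-based TLS; `Party`, `handshake` and `send_command` are hypothetical names.

```python
import hashlib
import hmac
import secrets


def _proof(key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    # The role label and both fresh nonces bind a proof to one direction of one
    # session, so it cannot be replayed later or reflected back at its sender.
    return hmac.new(key, role + own_nonce + peer_nonce, hashlib.sha256).digest()


class Party:
    """One end of the connection (hypothetical class, not a real device API)."""

    def __init__(self, role: bytes, key: bytes):
        self.role, self.key = role, key  # key: assumed provisioned at pairing
        self.nonce = secrets.token_bytes(16)  # fresh challenge per session
        self.peer_verified = False

    def prove(self, peer_nonce: bytes) -> bytes:
        return _proof(self.key, self.role, self.nonce, peer_nonce)

    def verify(self, expected_role: bytes, peer_nonce: bytes, proof: bytes) -> bool:
        # The verifier fixes the role it expects; it never trusts a claimed one.
        expected = _proof(self.key, expected_role, peer_nonce, self.nonce)
        self.peer_verified = hmac.compare_digest(expected, proof)
        return self.peer_verified


def handshake(client: Party, server: Party) -> bool:
    # After exchanging nonces, the client checks the server and vice versa.
    client.verify(b"server", server.nonce, server.prove(client.nonce))
    server.verify(b"client", client.nonce, client.prove(server.nonce))
    return client.peer_verified and server.peer_verified


def send_command(client: Party, server: Party, command: str) -> str:
    # Application traffic is refused until BOTH directions have been verified.
    if not (client.peer_verified and server.peer_verified):
        raise PermissionError("mutual authentication not completed")
    return f"accepted: {command}"
```

With one-way authentication only the server's check would run, so a client would send its credentials and commands to any endpoint that answered.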
The Symantec study also revealed that users were susceptible to attack through vulnerabilities in smart home device web applications. A test performed on 15 IoT interfaces found more than 10 vulnerabilities which could give hackers access to the home through, for example, a smart door lock “which could be opened remotely over the internet without even knowing the password.”
Common communications technologies used to connect smart devices to a home user’s network include WiFi, Ethernet, Bluetooth, Zigbee and Z-wave. Smart hubs, which act as a management system for devices in the home, are typically supported by Zigbee or Z-wave technology.
Symantec states: “Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don’t use any authentication at all.”
The company adds: “The use of unsigned firmware updates is also a common trait among IoT devices. This security faux pas allows an attacker, with the ability to sniff the home network for IoT device passwords. Stolen credentials can then be used to execute other commands and even take over the device completely by updating it with a malicious firmware update.”
Symantec mitigation recommendations
The cybersecurity company stated that while there have been no widespread malware attacks targeting smart home devices, it does not mean that attackers won’t target IoT devices as they become mainstream home technology.
Symantec provides mitigation recommendations for users of IoT devices in its white paper “Insecurity in the Internet of Things”.
Researchers at Symantec told eWEEK: “While vulnerabilities do exist, we haven’t seen any actively exploited threats in the wild,” they said. “That doesn’t mean smart home hacking won’t occur in the near future. Once hackers find motivation, it’s inevitable these devices will be hacked unless security measures are implemented by manufacturers.”
Picture credit: Symantec “Insecurity in the Internet of Things” report.