Sunday 15 March 2015

<p> <i> 20.10 pm </i> Is IoT in the Smart Home giving away the keys to your kingdom?
The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance imaginable. Gartner predicts that there will be 2.9 billion connected IoT devices in consumer smart home environments in 2015.
However, despite the public’s increased acceptance of the smart home, recent studies seem to agree that “security” is not a word that frequently gets associated with IoT devices, leaving consumers potentially exposed. Symantec recently analyzed 50 smart home devices that are available today and took a look at how they measure up when it comes to security.
For their research, Symantec analyzed IoT devices from the following categories:
- Smart thermostats
- Smart locks
- Smart light bulbs
- Smart smoke detectors
- Smart energy management devices
- Smart hubs
The findings could also apply to other IoT devices and smart home products, such as:
- Security alarms
- Surveillance IP cameras
- Entertainment systems (smart TV, TV set-top boxes, etc.)
- Broadband routers
- Network attached storage (NAS) devices
Smart home devices may use a back-end cloud service to monitor usage or allow users to remotely control these systems. Users can access this data or control their device through a mobile application or web portal.
Research found that many of these devices and services had several basic security issues.
Weak authentication
None of the devices used mutual authentication or enforced strong passwords. Even worse, some hindered the user from setting up a strong password on the cloud interface by restricting the authentication to a simple four-number PIN code. Combine this with no support for two-factor authentication (2FA) and no password brute-force attack mitigation, and you have an easy target for attackers.
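An added example (not from Symantec's research or the original post) of the brute-force mitigation the paragraph above says was missing: a per-account lockout with exponential backoff, plus a simulated clock showing how long it takes to submit every four-digit PIN with and without it. The class name, the thresholds and the one-request-per-second rate are assumptions chosen for illustration.

```python
PIN_SPACE = 10 ** 4    # four-digit PIN, as in the finding above
ACCOUNT = "demo-user"  # constructed account name


class LoginThrottle:
    """Per-account lockout with exponential backoff (thresholds are assumptions)."""

    def __init__(self, free_attempts=5, base_lock=60, max_lock=3600):
        self.free_attempts = free_attempts  # failures tolerated before locking
        self.base_lock = base_lock          # first lockout, in seconds
        self.max_lock = max_lock            # cap, so lockout cannot become permanent
        self.failures = {}                  # account -> consecutive failures
        self.locked_until = {}              # account -> timestamp (seconds)

    def allowed(self, account, now):
        return now >= self.locked_until.get(account, 0)

    def record(self, account, success, now):
        if success:
            # A correct login clears the failure history for that account.
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.free_attempts:
            lock = min(self.base_lock * 2 ** (n - self.free_attempts), self.max_lock)
            self.locked_until[account] = now + lock


def worst_case_seconds(throttle, attempts=PIN_SPACE, seconds_per_try=1):
    """Simulated clock: when the last of `attempts` failed logins can be submitted."""
    now = 0
    for _ in range(attempts):
        # Wait out any active lockout, then spend one request.
        now = max(now, throttle.locked_until.get(ACCOUNT, 0)) + seconds_per_try
        throttle.record(ACCOUNT, success=False, now=now)
    return now


if __name__ == "__main__":
    unthrottled = LoginThrottle(free_attempts=PIN_SPACE + 1)  # never locks
    print("no mitigation :", worst_case_seconds(unthrottled) / 3600, "hours")
    print("with lockout  :", worst_case_seconds(LoginThrottle()) / 86400, "days")
```

A per-account lockout can itself be used to lock the owner out, which is why the lockout is capped; the small keyspace is only really addressed by allowing longer passwords and 2FA, which the paragraph notes were also absent.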
Web vulnerabilities
In addition to weak authentication, many smart home web interfaces suffer from well-known web application vulnerabilities. A quick test with 15 IoT cloud interfaces revealed some severe vulnerabilities, and this check only scratched the surface. Symantec found and reported ten vulnerabilities related to path traversal, unrestricted file uploading (remote code execution), remote file inclusion (RFI), and SQL injection. And we’re not just talking about smart light bulbs here; one of the affected devices was a smart door lock, which could be opened remotely over the internet without even knowing the password.
Local attacks
Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. Symantec looked at devices that locally transmit passwords in clear text or don’t use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices. This security faux pas allows an attacker with the ability to sniff the home network to capture IoT device passwords. These stolen credentials can then be used to execute other commands and even take over the device completely by updating it with a malicious firmware update.
Potential for attacks
As yet, Symantec hasn’t seen any widespread malware attacks targeting smart home devices, apart from computer-related devices such as routers and network-attached storage appliances. Currently, most proposed IoT attacks are proof-of-concepts and have yet to generate any profit for attackers. This doesn’t mean that attackers won’t target IoT devices in the future when the technology becomes more mainstream.
From past experience, Symantec knows that attackers are nothing if not creative and will always conjure up new attack methods. Even if it’s just to misuse the technology, blackmail the user, or have a persistent anchor in a home network, cybercriminals are always ready and eager to attack any target they can.
So before you get carried away with your new smart home automation projects, take a moment to think about how these conveniences may be exposing you and your home to cyber attacks. Demand better security from the manufacturers of your smart home and IoT devices; only then will things start to improve.
Mitigation
Unfortunately, it’s difficult for a user to secure their IoT devices themselves, as most devices don’t provide a secure mode of operation. Nonetheless, users should adhere to the following advice to ensure that they reduce the risk of a potential attack:
- Use strong and unique passwords for device accounts and Wi-Fi networks
- Change default passwords
- Use a stronger encryption method when setting up Wi-Fi networks, such as WPA2
- Disable or protect remote access to IoT devices when not needed
- Use wired connections instead of wireless where possible
- Use devices on a separate home network when possible
- Be careful when buying used IoT devices, as they may have been tampered with
- Research the vendor’s device security measures
- Modify the privacy and security settings of the device to your needs
- Disable features that aren’t needed
- Install updates when they become available
- Ensure that an outage, for example due to jamming or a network failure, does not result in an insecure state of the installation
- Verify if the smart features are really required or if a normal device would be sufficient
Vendors should consider the following five fundamental tenets when developing new devices:
- Strong trust model for IoT, e.g. device authentication through SSL
- Protecting the code that drives IoT, e.g. digital code signing
- Effective host-based protection for IoT, e.g. endpoint protection and system hardening
- Safe and effective management for IoT, e.g. configuration and over-the-air updates
- Security analytics to address new and advanced threats, e.g. anomaly detection.</p>
