Half of IoT devices let down by vulnerable apps

Testing Internet of Things (IoT) devices for security weaknesses can often resemble a large fist punching a wet paper bag. Researchers report a litany of firmware vulnerabilities, insecure wireless communications, and consumer complacency about the risks of connecting smart devices to a home network.

With so much bad press, might things be improving?

Not as fast as they should be, according to a test by researchers from Brazil’s Federal University of Pernambuco and the University of Michigan, who took a closer look at 32 smartphone apps used to configure and control the 96 top-selling Wi-Fi and Bluetooth-enabled devices sold on Amazon.

There’s a lot for IoT makers to secure, including the apps themselves, their connection to cloud proxies (typically used during initial setup), and the subsequent wireless connection and authentication to and from the IoT device.

It’s also a lot of equipment to test, which is why the researchers in this study started by inferring potential weaknesses using heuristic analysis of the apps themselves.

Disappointingly, 31% of the apps (corresponding to 37 devices out of 96) had no encryption at all while another 19% had hard-coded encryption keys an attacker might be able to reverse engineer even if they’d been obfuscated.

The researchers backed up their findings by developing proof-of-concept attacks against five devices controlled by four apps: TP-Link’s Kasa app used with multiple devices, LIFX app used with that company’s Wi-Fi enabled light bulbs, Belkin’s WeMo for IoT, and Broadlink’s e-Control app.

Three used no encryption, and three communicated riskily via broadcast messages that would give an attacker a way of monitoring the nature of app-device communication with a view to compromise.

Based on our in-depth analysis of 4 of the apps, we found that leveraging these weaknesses to create actual exploits is not challenging. A remote attacker simply has to find a way of getting the exploit either on the user’s smartphone in the form of an unprivileged app or a script on the local network.

One of the vulnerable devices assessed with the Kasa app was TP-Link’s Smart Plug, which the reviewers point out has been reviewed 12,000 times on Amazon, achieving a star rating of 4.4 out of 5:

TP-Link shares the same hard-coded encryption key for all the devices of a given product line and that the initial configuration of the device is established through the app without proper authentication.

IoT utopia

Interestingly, the researchers pull out one smart device – Google’s Nest thermostat app – as an example of how IoT security might be done (if the user, of course, applies their own basic security), for example by conducting all configuration secured with SSL/TLS to the cloud or via Wi-Fi with WPA (the Nest has the advantage of a display to help configure this which many other types IoT devices might not).

Summing up the test, half of the apps are insecure in a variety of ways. Clearly, some vendors are better than others, an impression reinforced by the lack of response the researchers received from affected vendors in the detailed test of five devices.

Write the authors:

None of them have sent any response to our disclosures and to the best of our knowledge, have not released patches relative to these vulnerabilities.

Given the wider reputation IoT devices have for iffy security, this sounds dangerously like heads stuck in the sand.