How Connected Consumer Devices Fail The Security Test

The Internet of Things leverages the same basic infrastructure as the original Internet, making use of protocols like TCP/IP, HTTP, Telnet and FTP. But the devices look and act very differently from traditional PCs, desktops and servers. Many IoT devices run embedded operating systems or variants of the open source Linux OS. Many are low-power, and many are single-function: designed simply to listen to and observe their environment, then report that data to a central (cloud-based) repository.

Philips HUE Wi-Fi connected bulbs have been a focus of Dhanjani’s research. (Image courtesy of Philips.)

But IoT devices are still susceptible to hacking and other malicious attacks, including brute force attacks to crack user names and passwords, injection attacks, man-in-the-middle attacks and other types of spoofing. Yet despite almost 20 years' experience dealing with such threats in the context of PCs and traditional enterprise networks, too many connected devices sold to consumers lack even basic protections against them.

That’s the conclusion of Nitesh Dhanjani, an independent researcher (he has a day job, too) who delves into the security of Internet of Things products as a hobby. We wrote about Dhanjani’s research on Philips HUE “smart” lightbulbs back in August, when he demonstrated how the HUE Wi-Fi-enabled bulbs could be hijacked by a remote attacker.

I caught up with Dhanjani at last week’s Amphion Forum in San Francisco, where he was reprising his HUE demonstration and also talking about similar research on a range of Belkin devices, including an Internet-connected baby monitor.

Dhanjani says connected device makers have a lot to learn about securing their products. (Photo courtesy of Twitter.)

In this podcast, recorded at the show, he says that many of the connected home products he analyzes make similar mistakes. Chief among them: placing too much trust in the local (Wi-Fi) network on which the devices are deployed. That could cause big problems down the road, once malware authors begin tweaking their creations to look for connected consumer devices, not just PCs, Dhanjani warns. “The next generation malware authors will abuse this trust to invade our privacy or even cause physical harm.”

Check out the podcast below. You can listen on Security Ledger, or check out the interview on Soundcloud.com using the link provided.

Listen on Security Ledger
Listen on Soundcloud.com
