In-brief: A Symantec survey of smart home products found a raft of common security mistakes, from weak (or missing) authentication to exploitable software vulnerabilities.
Research by the security firm Symantec Inc. has found that connected and “smart” home technology suffers from a raft of common security ailments that could result in the theft or inadvertent loss of consumer data.
The company this week issued a report on the findings of research on 50 smart home devices that are available for sale today and found a host of problems, from a failure to use strong authentication to an absence of protections for common threats like so-called “brute force” password guessing attacks.
Among Symantec’s findings: none of the devices enforced strong passwords or used mutual authentication. In around 20 percent of the devices, no encryption was used to secure communications between the device and the cloud, Symantec found.
Application code running the devices was rife with software vulnerabilities, Symantec found when it audited the products. A sample test of 15 cloud interfaces for the smart home products revealed severe vulnerabilities, including ten vulnerabilities related to path traversal, unrestricted file uploading (remote code execution), remote file inclusion (RFI), and SQL injection.
That’s a worrying result, given the cursory nature of the application code audit, Symantec said.
Within local environments, the company found data (including passwords) transmitted in cleartext and other dangerous security faux pas. Signed firmware updates were rare, allowing an attacker who could access a smart home device to install a modified version of the operating system that gave them total access to the device or otherwise implanted malicious software on it.
The products tested were not all low-risk devices like smart light bulbs, either. Symantec said it included a smart door lock in its tests, noting that its researchers found they could trigger the lock remotely without needing to know the password.
Symantec said that while attacks against in-home connected products are still more theory than practice, a population of loosely secured devices storing sensitive data will ultimately prove to be an attractive target for hackers.
More attention to security is needed from device makers. In the meantime, users can take some steps to protect the devices they have already deployed, such as using strong passwords to protect home networks and devices. Users should also try to use wired connections rather than wireless connections for IoT devices and disable remote access on IoT devices when possible.