Research: IoT Hubs Expose Connected Homes to Hackers

Veracode found connected home gateways like the Wink often ship with exploitable vulnerabilities that could expose home networks to attacks or privacy violations.
Veracode found connected home gateways like the Wink often ship with exploitable vulnerabilities that could expose home networks to attacks or privacy violations.

In-brief: A study of common connected home gateways finds lax security that could expose consumers to snooping or even malicious attacks, according to the application security firm Veracode. 

Home gateways that are the nerve centers for connected homes could be exposing them to forays by malicious hackers and other online adversaries, according to a study by the firm Veracode.*

The company, which specializes in application security, published a study of six common Internet of Things hubs for the home. Veracode researchers found significant security vulnerabilities in each of the devices that could be used to facilitate robberies or invasions of privacy, the company said. The findings suggest that companies selling technology for the connected home are not putting security at the top of their priorities list, Veracode says.

[Read more Security Ledger coverage of the Internet of Things.]

Veracode studied six common home gateways or “hubs”: the Chamberlain MyQ Internet Gateway, the Chamberlain MyQ Garage, the SmartThings Hub, the Ubi, the Wink Hub, and the Wink Relay. The hubs act as management points for deployed IoT devices such as garage door openers (MyQ), home surveillance cameras (DropCam) or environmental controls (Google’s Nest). Veracode identified security flaws in each, ranging from weak authentication schemes to improper use of encryption to unprotected debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code on the gateway.

Click to download Veracode's IoT Report.
Click to download Veracode’s IoT Report.

The devices were purchased new in late December 2014. All test findings were against versions of the firmware that were up-to-date in mid-to-late January 2015, Veracode said.

Many of the most serious flaws revealed a kind of sloppiness in the design and production of the devices, Brandon Creighton, Veracode’s research architect, told The Security Ledger. For example: both the Ubi and Wink Relay devices left debugging interfaces exposed and unsecured in their shipped product.  That could provide an avenue for attackers who had access to the same network as the device to steal information or bypass other security controls.

Exposed debugging interfaces are useful during product testing, but have little or no utility to consumers. That suggests that the companies merely forgot to restrict access to them before shipping, Creighton said.

“The point about the debugging interfaces is that it sounds obscure, but it really isn’t. All you need to do is go to the Android developer site, download a toolkit and within five minutes have full access to the Ubi device,” he said.

With control of the Ubi, cyber criminals could secretly surveil a home and know exactly when to expect a user to be home based on when there is an increase in ambient noise or light in the room, Veracode said.

Similarly, Veracode researchers found widespread problems securing communications between connected devices and the vendor’s management servers in the cloud. Five of the six devices tested were vulnerable to so-called “man in the middle” attacks that would allow an attacker on the same network as a device to intercept, modify and forward traffic between the device and its cloud based service. Many of the devices tested failed to properly validate the TLS or SSL certificate used to encrypt that traffic, Creighton said.

Once again, the discovery pointed at poor quality controls by the manufacturer – including a lack of secure design and security auditing and testing prior to release.

“You might disable ssl certificate validation as part of testing. But it’s one of those things that – if you don’t catch it – its easy for that to slip from development environment to the real world and ship on an actual device,” he said.

Creighton said that security needs to be a priority in the design of Internet of Things products for the home.

“We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception. Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm,” he said in a statement

Veracode isn’t the first company to delve in to the security of smart hubs. Specifically: the firm Xipiter analyzed the VeraLite home gateway in October and found many issues that are similar to those reported by Veracode. Among other things, the VeraLite device shipped with embedded SSH private keys in the firmware used on all devices: basically creating a skeleton key to access any deployed VeraLite device.

The U.S. Federal Trade Commission has explicitly warned Internet of Things device makers to pay attention to issues of security and privacy as part of the design and testing of their products. In a report in January. The Internet of Things is “already impacting the daily lives of millions of Americans,” the FTC said. The Commission called on companies to “build security into devices” early in the design and development process. That includes educating employees about the importance of security and making it a priority for management within the company.

(*) Veracode is a sponsor of The Security Ledger.