Companies creating smart devices for the home promise a more energy- and time-efficient future, but are failing to secure their products, potentially making the homes of early adopters less secure, according to a study of some 50 consumer smart devices by security firm Symantec.
In a report published on March 12, Symantec examined a variety of devices, including smart thermostats, locks, light bulbs, smoke detectors, energy management devices, and smart hubs, which link together the various smart products and allow the user to manage them.
All of the devices failed to check whether they were communicating with an authorized server, leaving them open to man-in-the-middle attacks. One out of five devices did not encrypt communications and many did not lock out attackers after a certain number of password attempts, further weakening their security, Symantec stated in the report.
“All of the potential weaknesses that could afflict Internet of things systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices,” Symantec researchers stated in the report.
The lack of security comes as consumers are increasingly adopting a variety of connected devices and using them in their homes. An estimated 2.9 billion devices will be used by consumers in 2015, according to market research group Gartner.
“Security and privacy of IoT devices and data should be a mandate for device manufacturers,” researchers with Symantec’s security response group said in an email interview with eWEEK. “It would be unfortunate if a large scale, singular incident was the turning point for IoT security. These vulnerabilities are easily fixed, and with proper security methods in place, a potential disaster scenario is easily avoidable.”
Symantec’s research into the security of smart devices mainly focused on local vulnerabilities. Smart devices typically connect to a home user’s network through common communications technology, such as WiFi, Ethernet, or through newer low-power local networking technology, such as Bluetooth, Zigbee or Z-Wave. Smart hubs, which manage devices in the home, typically support Zigbee or Z-Wave communications.
Most of the smart-home technology tested by Symantec assumes that the local wireless network is secure. An attacker that has gained access to the local network—via proximity or via malware installed on a local computer system—can further compromise the local smart devices. In one experiment, researchers were able to update a LightwaveRF smart hub with their own software, for example, because the device neither encrypts nor authenticates its update requests. In another possible attack, researchers found they could simply send commands to a Belkin WeMo hub, because the devices took no security measures against traffic on the local network.
“The device did not require the user to provide authentication in order to connect to it,” the researchers stated. “If the attacker is on the same network as the device, they can send any commands they want to the connected switch.”
More than two-thirds of devices tested had an associated cloud service. Some services were just used to collect data from the device, but many allowed the remote management of smart home devices. Almost all the services allowed users to set weak passwords and many had insecure password recovery methods.
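Two of the gaps the report calls out, the absence of any lockout after repeated password failures and the acceptance of weak credentials, are cheap to close on the device side. The following is an added illustration, not code from Symantec or from any of the vendors named here: a small login guard a hub could put in front of its local and cloud command interfaces. It stores only a salted PBKDF2 hash, compares in constant time, and locks a source out after a fixed number of failures; the attempt limit, lockout period and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

MAX_FAILURES = 5        # failed attempts allowed before a source is locked out (assumed policy)
LOCKOUT_SECONDS = 300   # how long a locked-out source must wait (assumed policy)
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; the device stores (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Authenticates a caller and locks a source out after repeated failures.

    `clock` is injectable so the lockout can be exercised in tests without sleeping.
    """

    def __init__(self, salt: bytes, digest: bytes, clock: Callable[[], float] = time.monotonic):
        self.salt, self.digest, self.clock = salt, digest, clock
        self.failures: Dict[str, int] = {}        # source -> consecutive failed attempts
        self.locked_until: Dict[str, float] = {}  # source -> time when the lockout expires

    def is_locked(self, source: str) -> bool:
        return self.clock() < self.locked_until.get(source, 0.0)

    def authenticate(self, source: str, password: str) -> bool:
        # A locked-out source is refused before the password is even examined.
        if self.is_locked(source):
            return False
        _, candidate = hash_password(password, self.salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, self.digest):
            self.failures.pop(source, None)
            return True
        self.failures[source] = self.failures.get(source, 0) + 1
        if self.failures[source] >= MAX_FAILURES:
            self.locked_until[source] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(source, None)
        return False
```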
The saving grace of today’s IoT is that there is no obvious way to profit from most devices’ insecurities, Symantec researchers stated in the email interview.
“While vulnerabilities do exist, we haven’t seen any actively exploited threats in the wild,” they said. “That doesn’t mean smart home hacking won’t occur in the near future. Once hackers find motivation, it’s inevitable these devices will be hacked unless security measures are implemented by manufacturers.”