IoT devices continue to be plagued with porous security, according to researchers.
Researchers working at Princeton University has discovered a number of flaws in many IoT products that could allow hackers to access and control devices.
The researchers at the Researchers at the Center for Information Technology Policy looked at a number of IoT devices and how data is shared among them. The devices looked at ranges included the Belkin WeMo Switch, the Nest Thermostat, Sharx Security Camera, Ubi Smart Speaker, and many more. Researchers found that these devices were transmitting data without being secured in some way.
According to the researchers’ blog, the Nest thermostat was revealing location information of the home and weather station, including the user’s zip code, in the clear. (Nest has since fixed this bug).
The Ubi Smart Speaker used unencrypted HTTP to communicate information to its portal, including voice chats and sensor readings. The Sharx security camera was found to transmit video over an unencrypted FTP connection and all traffic to and from the PixStar photo frame was sent unencrypted, revealing many user interactions with the device.
Nick Feamster, writing on Princeton University’s Freedom To Tinker blog, said that a natural reaction to some of these findings might be that these devices should encrypt all traffic that they send and receive.
“Encryption may be a good starting point, but by itself, it appears to be insufficient for preserving user privacy. For example, user interactions with these devices generate traffic signatures that reveal information, such as when power to an outlet has been switched on or off. It appears that simple traffic features such as traffic volume over time may be sufficient to reveal certain user activities,” he said.
He said a way forward from this mess would be to work with manufacturers to improve the transparency of these IoT devices, so that consumers (and possibly ISPs) have more visibility into what software the devices are running, and what traffic they are sending and receiving.
“This, of course, is a Herculean effort, given the vast quantity and diversity of device manufacturers; an alternative would be trying to infer what devices are connected to the network based on their traffic behaviour, but doing so in a way that is both comprehensive, accurate, and reasonably informative seems extremely difficult,” said Feamster.
In a separate development, Ars Technica reported that IoT search engine Shodan had launched a new section of its website dedicated to allowing users browse for unsecured webcams. The video feeds showed footage from banks, homes, shops, and even marijuana plantations and sleeping children.
The feeds were discovered by Dan Tentler, a security researcher. The image feed is available to paid Shodan members at images.shodan.io. Free Shodan accounts can also search using the filter port:554 has_screenshot:true, according to the report.
IoT: Powerful, but insecure
Alex Chapman, principal security consultant at Context Information Security, told Internet of Business that a lot of these IoT devices are as powerful as the computers we had on our desks ten years ago.
“While for cyber-criminals, the pay-off for hacking home devices is not obvious, as standard tool kits appear the risk of attacks will increase. If there are a million printers on the Internet all with the same vulnerability, then it’s worth the effort. You could also create a botnet for spamming, DDoS attacks or simply to hide your traffic.
“High profile hacks may seriously damage consumer trust in IoT technology before it has a chance to take off. And in the enterprise there must be lessons learned from these experiences with consumer devices before the Internet of Things starts to pervade our corporate networks.”
Ken Munro, senior partner at Pen Test Partners, told Internet of Business that the security problem surrounding these devices is compounded by the fact that many IoT innovators tend to be start-ups who are both inexperienced and commercially restricted.
“By 2017 Gartner estimates more than half of IoT products will be brought to market by companies less than three years old. For them, security is often perceived as an added cost and many don’t understand why anyone would want to hack domestic appliances,” he said.
He said the IoT industry has, on the whole, been “remarkably tardy” to embrace responsible disclosure.
“Many manufacturers simply aren’t geared to build-in the ability to make post-hack security changes to devices. They either don’t know about the risks that IoT devices present, or they disregard them. If a device can be compromised there’s the problem of product updates or recalls. The sheer scale of numbers involved and the implications for their stockists make can coming clean a daunting prospect,” he warned.