Alarm bells ring, the IoT is listening
With Christmas bearing down on us, a series of vulnerability disclosures has drawn attention to the parlous state of IoT security, and serves as a timely warning to people planning to buy smart devices as gifts
As the holiday season approaches, a number of flaws have been identified in popular internet of things (IoT) devices, prompting renewed warnings over consumer security, with millions of people set to find some kind of smart device under the tree.
Among the products vulnerable to attack are the KeyWe Smart Lock, the Belkin WeMo Insight Switch plug socket, Amazon’s Blink XT2 home security cameras, and an alarming number of children’s toys.
Krzysztof Marciniak, a security consultant at F-Secure, who developed the KeyWe hack, said it had been easy for him to bypass the product’s protection mechanisms to intercept the unlock password passing between it and its attendant smartphone app, and many of the other vulnerabilities are relatively simple for an attacker to exploit.
The KeyWe product also contains a rather more serious vulnerability in that it cannot receive firmware updates, so the original flaw can’t be fixed. This means people who have bought it should either replace it, or live with the risk.
“There’s no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack,” said Marciniak. “All attackers need is a little know-how, a device to help them capture traffic – which can be purchased from many consumer electronic stores for as little as $10 – and a bit of time to find the lock owners.”
F-Secure said it was withholding some of the crucial technical detail that is commonly released in such disclosures on the basis that the vulnerability is unfixable.
“Security isn’t one size fits all,” said Marciniak. “It needs to be tailored to account for the user, environment, threat model, and more. Doing this isn’t easy, but if IoT device vendors are going to ship products that can’t receive updates, it’s important to build these devices to be secure from the ground up.”
Plug and play
Meanwhile, researchers at BitDefender have uncovered two vulnerabilities in the Belkin WeMo Insight Switch – which have now been patched.
This product connects appliances and electronic devices to a domestic Wi-Fi network, enabling the user to turn them on or off, program customised notifications, set rules and permissions for usage by children, and monitor electricity consumption, all from the comfort of their smartphones.
However, it too essentially gave hackers an open door into the home network, and as IoT devices are generally not checked by conventional anti-malware products, the victim would be oblivious, said BitDefender.
Because the device communicates via HTTP and no authentication is needed, any device on the network can send commands or query the plug for information. The team found a stack-based buffer overflow vulnerability which, when combined with the lack of authentication, could allow an attacker on the Wi-Fi network to obtain code execution on the target device.
Furthermore, given physical access to the plug, an attacker can gain root access to its filesystem by interrupting the boot process and modifying the boot parameters to overwrite its root password.
This would open up possibilities such as planting a backdoor to remotely sniff connections, mapping consumer behaviour, and assessing if people are at home or not.
BitDefender stressed that as a local attack, an attacker would need to be present inside the device’s network and this naturally limited the possibility of exploitation, but there were several scenarios where an attacker could use it to legitimately join a public Wi-Fi network.
Don’t blink
In Amazon’s Blink XT2 security camera systems, Tenable threat researchers unearthed a total of seven severe vulnerabilities that could give attackers full control of the device, letting them view camera footage and listen to audio, and co-opt the device into an IoT botnet of the sort used to conduct distributed denial of service (DDoS) attacks or spam campaigns.
The most serious vulnerability spotted was a command injection flaw that stems from the sync module update in Blink’s cloud communication endpoints used for pushing updates to devices or obtaining network information.
As per good practice in disclosures, the flaws have now been patched, but with over 50 million smart home cameras (from various brands) sold in 2018 alone, there will inevitably be more unsecured devices out there. For Blink XT2 owners, it is critical to ensure their devices are updated to firmware version 2.13.11 or later.
“Connected devices, like Blink cameras, are everywhere. Precisely for that reason, cybercriminals are focused on compromising them,” noted Renaud Deraison, co-founder and CTO at Tenable, which is working on building what it hopes will be the largest vulnerability intelligence knowledge base in the industry – at the time of writing it has discovered 100 zero-day exploits this year.
Which one to pick?
Consumer advocacy group Which?, meanwhile, has exposed a number of serious flaws in smart toys sold in the UK by the likes of Amazon, Argos, John Lewis and Smyths.
Working with threat hunters at NCC Group, Which? found many of the toys were lacking in basic security, leaving them open to being hacked, and possibly endangering the well-being of children.
For example, the VTech KidiGear Walkie Talkie enabled somebody to start a two-way conversation with a child from up to 200 metres away. Two karaoke products tested, Xpassion/Tenva’s Karaoke Microphone and Singing Machine’s Singing Machine SMK250PP, lacked any Bluetooth authentication, allowing recorded messages to be sent to the devices.
Elsewhere, interactive artificial intelligence robot, the Boxer Robot, and Mattel’s Bloxels board game and online portal were found to have policy issues that left them open to hacking because users do not have to create strong passwords for their online accounts. This also affected the Singing Machine and Sphero’s Mini robot, an app-controlled robot ball which ironically is designed to help children learn to code.
In addition, Mattel Bloxels and Sphero Mini had no filters to prevent offensive language or explicit images being uploaded to their online platforms.
Which? contacted each of the manufacturers but received varying responses, with VTech pointing out that its walkie-talkies use industry-standard AES encryption, and that the pairing process cannot be initiated by one handset device on its own; rather, it requires both devices to consent to pairing within a 30-second window.
However, others were not so forthcoming, notably Tenva, the seller of the Xpassion karaoke product, which appears to be a Manchester-based Amazon seller. Which? said it was unable to contact the seller, even when it requested help from Amazon.
Srinivasan CR, Tata Communications chief digital officer and a specialist in IoT security, said that the hackable toys were probably rather more likely to result in an attacker breaching a home network to steal personal data or financial details than to result in an incident of grooming or child abuse.
Nevertheless, he added, manufacturers of connected toys still need to pay attention to security, even if the worst-case scenario is less likely to play out.
DCMS code unobserved
Which? said that its findings were of particular concern given the establishment over a year ago of a voluntary code of practice for IoT security by the Department for Digital, Culture, Media and Sport (DCMS).
It said most of the manufacturers whose products it tested had failed to sign up for the code, and called on the next government to make it a legal requirement for IoT device manufacturers to ensure their products meet appropriate standards in order to be sold in the UK.
It also urged the industry to do a better job of taking the issue seriously by introducing default basic security features, such as strict password requirements, data encryption, and updates and patches.
Natalie Hitchins, Which? head of home products and services, said: “While there is no denying the huge benefits smart gadgets can bring to our daily lives, the safety and security of users should be the absolute priority.
“The next government must ensure manufacturers design connected tech products with security as paramount if it is going to prevent unsecure products ending up in people’s homes.”
Hitchins also called on parents to shoulder some of the responsibility, properly researching toys before buying them to see what they actually do and conducting online due diligence to learn if any concerns have been previously raised about them.
Parents may also wish to try to avoid, as much as possible, cheap products from off-brand suppliers and unknown sellers.
Security by design
Max Heinemeyer, Darktrace threat hunting director, highlighted the scale of the threat to security, privacy and safety from the IoT. He said: “The explosion in IoT and the security issues this introduces is forcing us to rethink how we do security. We need a radically different approach to cyber security with artificial intelligence.
“The reality is that all internet connected devices, from mobile phones to smart toys, are vulnerable to some extent.”
“Unlike PCs and smartphones that have the benefit of over 10 years’ security innovation and evolution to fall back on, IoT devices are in their infancy. Some smart home products and connected toys aren’t designed to hold obviously sensitive data that a hacker would want to get hold of, so security standards on these devices are not yet fully formed,” said Srini CR at Tata.
“Furthermore, the industry is still developing and collating R&D to find the best ways of securing these devices, but not compromising on their functionality and ease-of-use.”
“The advice for consumers is to do their research, check out reviews on reputable websites and only buy products from trusted retailers and manufacturers, checking the specifications to ensure that they come with robust built-in security. They are also advised to speak to the manufacturer about their security policy and seek advice from their Internet Service Provider [ISP].
“However, consumers can’t be expected to shoulder all of the burden. It is the responsibility of the manufacturers and ISPs to ensure that this information is readily available, in an easily understandable form,” he said.
Baked-in security
Tenable’s Deraison added: “Manufacturers of IoT devices have an opportunity and an obligation to ensure that effective security is baked into the overall design from the start and not bolted on as an afterthought. This is especially critical when the device in question is a security camera.”
Jonathan Knudsen, senior security strategist at Synopsys, also called for greater focus on security by design.
“In the long term, of course, neglecting security during product development always ends in tears – or in this case, bad headlines,” said Knudsen. “The long-term consequences of ignoring security will always outweigh the short term gains. Savvy manufacturers use a secure development life cycle (SDLC) to minimise their risk when creating software products.”