Slashdot Mirror


Research Finds Shoddy Security On Connected Home Gateways

chicksdaddy writes Connected home products are the new rage. But how do you connect your Nest thermostat, your DropCam surveillance device and your Chamberlain MyQ 'smart' garage door opener? An IoT hub, of course. But not so fast: a report from the firm Veracode may make you think twice about deploying one of these IoT gateways in your home. As The Security Ledger reports, Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing. The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode's research architect, told The Security Ledger. This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.
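The embedded-SSH-key finding mentioned in the summary is something a defender can check for directly in a firmware image before a device is trusted. The following is an added example, not code from Veracode, Xipiter or The Security Ledger: a small Python scanner that locates PEM private-key blocks in a raw image, notes whether each block is passphrase-protected, and flags any key that recurs across several images (the "same key on every unit" pattern Xipiter described). The sample images and the key blocks inside them are constructed placeholders, not real firmware or key material.

```python
"""Scan raw firmware images for embedded private-key material (added example)."""
import hashlib
import re
from dataclasses import dataclass

# PEM header of any private-key type: RSA, DSA, EC, OPENSSH, PKCS#8 (possibly ENCRYPTED).
_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----")


@dataclass(frozen=True)
class Finding:
    offset: int      # byte offset of the BEGIN marker inside the image
    kind: str        # PEM label, e.g. "RSA PRIVATE KEY"
    encrypted: bool  # True when the PEM block itself is passphrase-protected
    digest: str      # sha256 of the block body, used to spot keys shared across images


def find_private_keys(image: bytes) -> list[Finding]:
    """Return every PEM private-key block found in a raw firmware image."""
    findings = []
    for m in _BEGIN.finditer(image):
        kind = m.group(1).decode("ascii")
        end_marker = b"-----END " + m.group(1) + b"-----"
        end = image.find(end_marker, m.end())
        if end == -1:
            # Header without a footer: truncated or corrupt block, still worth reporting.
            body = image[m.end():m.end() + 64]
        else:
            body = image[m.end():end]
        # PKCS#8 marks encryption in the header; legacy PEM uses a Proc-Type line.
        # OpenSSH's own format records the cipher inside the base64 body, which this
        # scanner does not decode, so such blocks are reported as unencrypted.
        encrypted = kind.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
        digest = hashlib.sha256(body.strip()).hexdigest()
        findings.append(Finding(m.start(), kind, encrypted, digest))
    return findings


def keys_shared_across(images: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each key digest to the image names containing it, keeping only digests
    that occur in more than one image: a key baked into every unit's firmware."""
    seen: dict[str, set[str]] = {}
    for name, image in images.items():
        for f in find_private_keys(image):
            seen.setdefault(f.digest, set()).add(name)
    return {d: sorted(names) for d, names in seen.items() if len(names) > 1}


# Constructed sample images (not real firmware). Key bodies are placeholder text.
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"PLACEHOLDERKEYMATERIALNOTAREALKEY0000000000000000000000000000\n"
            b"-----END RSA PRIVATE KEY-----\n")
FAKE_ENC_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"Proc-Type: 4,ENCRYPTED\n"
                b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                b"PLACEHOLDERENCRYPTEDBODY00000000000000000000000000\n"
                b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_IMAGES = {
    "unit_A.bin": b"\x00" * 32 + b"squashfs-junk" + FAKE_KEY + b"\xff" * 16,
    "unit_B.bin": b"\x7fELF" + b"\x00" * 40 + FAKE_KEY + b"\x01\x02",
    "unit_C.bin": b"config\n" + FAKE_ENC_KEY + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, image in SAMPLE_IMAGES.items():
        for f in find_private_keys(image):
            state = "encrypted" if f.encrypted else "UNENCRYPTED"
            print(f"{name}: {f.kind} at offset {f.offset} ({state})")
    for digest, names in keys_shared_across(SAMPLE_IMAGES).items():
        print(f"key {digest[:12]}... shared by: {', '.join(names)}")
```

Run it against real images by reading each file with `open(path, "rb").read()` in place of `SAMPLE_IMAGES`; a hit in a read-only partition, or the same digest across units from different production batches, is the condition the summary describes.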

5 of 88 comments

  1. No kidding ... by gstoddart · Score: 5, Insightful

    suggesting that manufacturers are giving short shrift to security considerations during design and testing

    Well, that gets a big frickin' DUH.

    Until companies bear legal liability for writing shitty security code, this is exactly what will happen.

    The Internet of Stuff is lots of hype, and little security.

    The overwhelming majority of consumer products which want to connect to the internet have absolutely crap security, because companies want to get products out the door and don't care if they have lousy security.

    The solution is to treat the Internet of Stuff as exactly what it is ... a marketing term, driving products geared towards analytics and ad revenue, implemented by companies who don't give a crap about your security.

    Just don't buy it if you want security.

    I am completely un-surprised by this. In fact, I expected it.

    --
    Lost at C:>. Found at C.
    1. Re:No kidding ... by gstoddart · Score: 3, Insightful

      And your thermostat? Your TV? Your TV? Your fridge?

      Sorry, but I've pretty much decided that the overwhelming majority of things (like anything which isn't a computer) have no damned need to be connected to the internet.

      They don't have cables plugged into them, they don't know the wifi passwords, and they never will.

      I have zero interest in an internet connected toaster or thermostat, so I'm simply not buying the damned things.

      A couple we know were telling us about these awesome new locks they got, which let them unlock their house with an app on their phone. I just bit my tongue until they asked a very specific question which made me respond "if you can open it from your phone, who else can?"

      Essentially you have put the security of your home in the hands of a 3rd party. You might choose to trust that, but I don't.

      This was after I told her about the creepy "Hello Barbie" which wants to upload the conversations little girls have with their dolls to the internet so it can talk back to them.

      They'd immediately recognized they didn't want their grandchildren with one of those, but for some reason the lock thing didn't occur to them.

      Pretty much I just assume the people who write the "security" for consumer products are incompetent, lazy, or indifferent -- the net result is pretty much the same. You should simply expect the security is non-existent.

      --
      Lost at C:>. Found at C.
    2. Re:No kidding ... by gstoddart · Score: 2, Insightful

      Well, I'll tell you what ... you buy any fucking piece of technology you like.

      Me? I think the trend to have this Internet of Stuff is mostly garbage products by people who think the world operates on a smart phone ... and that the 'security' on those products is incompetently written by people who don't care.

      I think until we get smart and apply data protection and security laws which say corporations have a legal responsibility to both protect your data and your security ... you should assume both your privacy and your security are in the hands of some asshole in marketing, and that the asshole in marketing doesn't give a crap about anything but his bonus.

      Because, that's pretty much what it is.

      --
      Lost at C:>. Found at C.
    3. Re:No kidding ... by Anonymous Coward · Score: 2, Insightful

      My point is, does an app like that REALLY change your risk at all given how easy it already is to get in?

      Yes, it really makes it easier.

      If for nothing else than for not needing to make any harsh sounds and/or strange movements when breaking in. And for being able to do that through the front door instead of having to find the physical weakest spot of the house. Might even make it look as if a housekey is used to enter. That means the breaking-and-entering might take place in broad daylight, with neighbours looking on and suspecting nothing.

      Also, there is something else you're probably forgetting: that burglar will now be able to "google" all vulnerable houses from his comfy chair. Then he just needs to let his computer monitor a few of the IoT devices in those houses for a few days, and he'll even know when the occupants are most likely to be away from home.

  2. This is not news by Avidiax · Score: 3, Insightful

    Anyone that understands the economics of software/embedded device development understands that it's a market for lemons with respect to security (https://en.wikipedia.org/wiki/The_Market_for_Lemons).

    The customer can't easily distinguish between a secure and insecure product, so even if they cared, they'd have no way to provide an economic force to cause developers to prioritize security.