Slashdot Mirror


Research Finds Shoddy Security On Connected Home Gateways

chicksdaddy writes Connected home products are the new rage. But how do you connect your Nest thermostat, your DropCam surveillance device and your Chamberlin MyQ 'smart' garage door opener? An IoT hub, of course. But not so fast: a report from the firm Veracode may make you think twice about deploying one of these IoT gateways in your home. As The Security Ledger reports, Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing. The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode's research architect, told The Security Ledger. This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.

3 of 88 comments (clear)

  1. No kidding ... by gstoddart · · Score: 5, Insightful

    suggesting that manufacturers are giving short shrift to security considerations during design and testing

    Well, that gets a big frickin' DUH.

    Until companies bear legal liability for writing shitty security code, this is exactly what will happen.

    The Internet of Stuff is lots of hype, and little security.

    The overwhelming majority of consumer products which want to connect to the internet have absolutely crap security, because companies want to get products out the door and don't care if they have lousy security.

    The solution is to treat the Internet of Stuff as exactly what it is ... a marketing term, driving products geared towards analytics and ad revenue, implemented by companies who don't give a crap about your security.

    Just don't buy it if you want security.

    I am completely un-surprised by this. In fact, I expected it.

    --
    Lost at C:>. Found at C.
    1. Re:No kidding ... by gstoddart · · Score: 3, Insightful

      And your thermostat? Your TV? Your TV? Your fridge?

      Sorry, but I've pretty much decided that the overwhelming majority of things (like anything which isn't a computer) have no damned need to be connected to the internet.

      They don't have cables plugged into them, they don't know the wifi passwords, and they never will.

      I have zero interest in an internet connected toaster or thermostat, so I'm simply not buying the damned things.

      A couple we know was telling us about these awesome new locks they got they can unlock their house with an app on their phone. I just bit my tongue until they asked a very specific question which made me respond "if you can open it from your phone who else can?"

      Essentially you have put the security of your home in the hands of a 3rd party. You might choose to trust that, but I don't.

      This was after I told her about the creepy "Hello Barbie" which wants to upload the conversations little girls have with their dolls to the internet so it can talk back to them.

      They'd immediately recognized they didn't want their grandchildren with one of those, but for some reason the lock thing didn't occur to them.

      Pretty much I just assume the people who write the "security" for consumer products are incompetent, lazy, or indifferent -- the net result is pretty much the same. You should simply expect the security is non-existent.

      --
      Lost at C:>. Found at C.
  2. This is not news by Avidiax · · Score: 3, Insightful

    Anyone that understands the economics of software/embedded device development understands that it's a market for lemons with respect to security (https://en.wikipedia.org/wiki/The_Market_for_Lemons).

    The customer can't easily distinguish between a secure and insecure product, so even if they cared, they'd have no way to provide an economic force to cause developers to prioritize security.