Research Finds Shoddy Security On Connected Home Gateways
chicksdaddy writes Connected home products are the new rage. But how do you connect your Nest thermostat, your DropCam surveillance device and your Chamberlain MyQ 'smart' garage door opener? An IoT hub, of course. But not so fast: a report from the firm Veracode may make you think twice about deploying one of these IoT gateways in your home. As The Security Ledger reports, Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing. The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode's research architect, told The Security Ledger. This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.
Every single time something wants to cross the boundary between "sheltered device" and "available to the Internet", you have to see what it's doing or you'll run into this.
This is the whole problem with things like UPnP, default "ALLOW ALL OUT" rules, etc. Devices want to talk out, and they'll punch holes to do it, and you don't have to be a genius here - connect their capabilities to find out what COULD happen.
The Chromecast dongle has your wifi password in it. It has access to your network. It has access to your Google account. It has access to the HDMI port of your TV (which may include Ethernet?). Three of those are DANGEROUS (the fourth probably isn't but a lot of people have said similar things and been wrong).
Now consider that it doesn't even need to be Google that's malicious / incompetent to be a problem. Oh, look, all Chrome browsers on your local net can discover Chromecasts. And send data. Data encoded in complicated codecs which I've often seen in Changelogs because they allow overflows. Oh, look, third-party apps in Chrome are allowed to jump onto the Chromecast too.
Join the dots. Unless you have security against those steps in the chain, there's nothing stopping the mere presence of a Chromecast dongle on your network being a vulnerability. They cost £30 so I doubt they could have a massively-overarching security audit that covers them for years in the future.
Now apply that to your Nest equipment. To the apps on your phone (that game can read from SD card, allow in-app purchases, send text messages to your friends, whatever.... join the dots on ALL that it can do and see what could potentially happen!). To the junk that you plug into the network or wireless. It's a nightmare. And as soon as you break the line and let those things talk out (or be port-forwarded to) you have an Internet-facing vulnerability that amplifies everything a thousand-fold.
This isn't shocking, unless you've been blind to the potential for the last fifty years.
I love my net connected thermostats. When I take vacation, I can turn the heat or AC down to save energy, then can connect on my way home and have the house at a comfortable temperature when I arrive. I have them programmed to lower the heat/AC during the work or school day, but can make a change on the fly if someone is home for the day. I can adjust the temperatures without getting out of bed if I have my tablet nearby. Programming for daily/weekly settings & seasonal modes via a web interface is much better than button pushing.
I find it very useful and convenient. I know it has very limited security, but I also know the probability of that being exploited is extremely low, as is the severity of the consequences. And I can check as often as I like and know if the settings were changed.
I can't think of any reason to connect an appliance or lighting that would be nearly as useful or worth the cost.