Slashdot Mirror

← Back to Stories (view on slashdot.org)

Research Finds Shoddy Security On Connected Home Gateways

Posted by timothy on from the junction-box-is-open dept.

chicksdaddy writes Connected home products are the new rage. But how do you connect your Nest thermostat, your DropCam surveillance device and your Chamberlin MyQ 'smart' garage door opener? An IoT hub, of course. But not so fast: a report from the firm Veracode may make you think twice about deploying one of these IoT gateways in your home. As The Security Ledger reports, Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing. The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode's research architect, told The Security Ledger. This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.

17 of 88 comments (clear)

  1. No kidding ... by gstoddart · · Score: 5, Insightful

    suggesting that manufacturers are giving short shrift to security considerations during design and testing

    Well, that gets a big frickin' DUH.

    Until companies bear legal liability for writing shitty security code, this is exactly what will happen.

    The Internet of Stuff is lots of hype, and little security.

    The overwhelming majority of consumer products which want to connect to the internet have absolutely crap security, because companies want to get products out the door and don't care if they have lousy security.

    The solution is to treat the Internet of Stuff as exactly what it is ... a marketing term, driving products geared towards analytics and ad revenue, implemented by companies who don't give a crap about your security.

    Just don't buy it if you want security.

    I am completely un-surprised by this. In fact, I expected it.

    --
    Lost at C:>. Found at C.
    1. Re:No kidding ... by jbmartin6 · · Score: 2

      A better way to say this might be: the effort the manufacturer puts into security will be equal to the perceived risk. Since my garage door is already easy to open with a crowbar, the manufacturer might perceive that the risk of some wireless vulnerability is no worse than the risk I am already accepting by having a garage door in the first place. The same with vulnerabilities in my thermostat. What is the risk of someone hacking it and goofing with my temperature settings? They might feel this is not a real threat since there is no money involved for the theoretical attacker. And of course, as you point out, the risk to the manufacturer of lawsuits, etc. enters into the picture. As it stands now, they might plan to go into court and argue that since it was already easy to open the standard garage door there is no reason to make the wireless opener any more secure than that.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    2. Re:No kidding ... by gstoddart · · Score: 3, Insightful

      And your thermostat? Your TV? Your TV? Your fridge?

      Sorry, but I've pretty much decided that the overwhelming majority of things (like anything which isn't a computer) have no damned need to be connected to the internet.

      They don't have cables plugged into them, they don't know the wifi passwords, and they never will.

      I have zero interest in an internet connected toaster or thermostat, so I'm simply not buying the damned things.

      A couple we know was telling us about these awesome new locks they got they can unlock their house with an app on their phone. I just bit my tongue until they asked a very specific question which made me respond "if you can open it from your phone who else can?"

      Essentially you have put the security of your home in the hands of a 3rd party. You might choose to trust that, but I don't.

      This was after I told her about the creepy "Hello Barbie" which wants to upload the conversations little girls have with their dolls to the internet so it can talk back to them.

      They'd immediately recognized they didn't want their grandchildren with one of those, but for some reason the lock thing didn't occur to them.

      Pretty much I just assume the people who write the "security" for consumer products are incompetent, lazy, or indifferent -- the net result is pretty much the same. You should simply expect the security is non-existent.

      --
      Lost at C:>. Found at C.
    3. Re:No kidding ... by jbmartin6 · · Score: 2

      "if you can open it from your phone who else can?"

      And who else can walk up and simply kick the door in? Is the risk of a break-in significantly changed by using the phone app? Why wouldn't anyone who wanted in simply kick in the door or just break a window? Some guy in a different country has no interest in unlocking my front door. My point is, does an app like that REALLY change your risk at all given how easy it already is to get in? Now if you are running a gold repository or something the equation is different, but for the typical wooden house owner I don't see it is any different.

      But I generally agree with you, I don't want Internet connected appliances of any sort. Even my 'smart' TV is disconnected.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    4. Re:No kidding ... by gstoddart · · Score: 2, Insightful

      Well, I'll tell you what ... you buy any fucking piece of technology you like.

      Me? I think the trend to have this Internet of Stuff is mostly garbage products by people who think the world operates on a smart phone ... and that the 'security' on those products is incompetently written by people who don't care.

      I think until we get smart and apply data protection and security laws which says corporations have a legal responsibility to both protect your data and your security ... you should assume both your privacy and your security are in the hands of some asshole in marketing, and that the asshole in marketing doesn't give a crap about anything but his bonus.

      Because, that's pretty much what it is.

      --
      Lost at C:>. Found at C.
    5. Re:No kidding ... by Mr+D+from+63 · · Score: 3, Interesting

      I love my net connected thermostats. When I take vacation, I can turn the heat or AC down to save energy, then can connect on my way home and have the house at a comfortable temperature when I arrive. I have them programmed to lower the heat/AC during the work or school day, but can make a change on the fly if someone is home for the day. I can adjust the temperatures without getting out of bed if I have my tablet nearby. Programming for daily/weekly settings & seasonal modes via a web interface is much better than button pushing.

      I find it very useful and convenient. I know it has very limited security, but I also know the probability of that being exploited is extremely low as are the severity of the consequences. And I can check as often as I like and know if the settings were changed.

      I can't think of any reason to connect an appliance or lighting that would be nearly as useful or worth the cost.

    6. Re:No kidding ... by gstoddart · · Score: 2

      Really, the availability of programmers isn't the main problem.

      Corporations bear no liability for writing crap security, which means they have no penalty for doing so. They might try a small amount of security to look good, but at the end of the day they simply don't need to care.

      So the security of these things is as inherently insecure as anything is which is doing on a "meh, whatever" level of effort.

      Marketing wants the product out the door, management wants to do it as cheaply as possible, and sales is already trying to figure out who all they're going to sell your data to.

      As long as they have no penalty, you should assume they're too lazy or incompetent to have any real security in place.

      I just simply don't buy devices which want to connect to the internet. Because I simply don't trust them.

      --
      Lost at C:>. Found at C.
    7. Re:No kidding ... by Anonymous Coward · · Score: 2, Insightful

      My point is, does an app like that REALLY change your risk at all given how easy it already is to get in?

      Yes, it really makes it easier.

      If for nothing else than for not needing to make any harsh sounds and/or strange movements when breaking in. And for being able to do that thru the front door instead of having to find the physical weakest spot of the house. Might even make it look as if a housekey is used to enter. That means the breaking-and-entering might take place in broad daylight, with neighbours looking on and suspecting nothing.

      Also, there is something else you're probably forgetting: That burglar will now being able to "google" all vunerable houses from his comfy chair. Than he just needs to let his computer monitor a few of the IoT devices in those houses for a few days, and he'll even know when the occupants are most likely to be away from home.

    8. Re:No kidding ... by gstoddart · · Score: 2

      They'll do a hell of a lot more if the corporation can face punishment than if all they have to do is say "aww, shucks, we're not actually sorry".

      Because without penalties, you can pretty much guarantee they will do the barest minimum they can justify ... and that will range between "nothing at all" and "not very much".

      --
      Lost at C:>. Found at C.
    9. Re:No kidding ... by Noah+Haders · · Score: 2

      this is why I'm looking forward to the homekit framework. It handles security and connection of the multiple devices in the home, reducing the danger from any individual device that may be insecure. as long as a device is designed to be homekit compatible, then much of the risk will be gone. compare this to something like android in the home (or even worse, android in the car), where everything is open to haxors and other bad actors. imagine if android had access to your CAN bus in the car? those are some scary thoughts.

    10. Re:No kidding ... by JoeZeppy · · Score: 2
      This.

      Your ex-wife gets a restraining order and has the locks changed because shes tired of you beating her up. If you try to get in with a brick, she'll have time to call 911, or the neighbors will, but if you can slip in late at night when no one is looking, well, Bobs your uncle, eh mate?

    11. Re:No kidding ... by cusco · · Score: 2

      If someone is standing outside my door kicking it in there's a good chance one of the neighbors will call the cops, and if they see a broken window it's the same story. If someone walks up to the door and just walks in the neighbors will assume that they belong there. Some guy in a different country might be very interested in unlocking doors for his cousin/friend/business partner, or opening the garage door so that the moving van can back right in, especially if they have verified on your cameras that you're not home, your guard dog is a chihuahua, and the thermostat is set low enough that it's certain you won't be home for a number of hours.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    12. Re:No kidding ... by cusco · · Score: 2

      Kiddie porn sites have been found on Internet-connected multi-function printers, and at least one has been used as an entrance into a corporate network. An HVAC system was the point of entry for the Target attack. IoT junk will be used, probably sooner rather than later.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  2. This is not news by Avidiax · · Score: 3, Insightful

    Anyone that understands the economics of software/embedded device development understands that it's a market for lemons with respect to security (https://en.wikipedia.org/wiki/The_Market_for_Lemons).

    The customer can't easily distinguish between a secure and insecure product, so even if they cared, they'd have no way to provide an economic force to cause developers to prioritize security.

  3. Sigh by ledow · · Score: 3, Interesting

    Every single time something wants to cross the boundary between "sheltered device" and "available to the Internet", you have to see what it's doing or you'll run into this.

    This is the whole problem with things like UPnP, default "ALLOW ALL OUT" rules, etc. Devices want to talk out, and they'll punch holes to do it, and you don't have to be a genius here - connect their capabilities to find out what COULD happen.

    The Chromecast dongle has your wifi password in it. It has access to your network. It has access to your Google account. It has access to the HDMI port of your TV (which may include Ethernet?). Three of those are DANGEROUS (the fourth probably isn't but a lot of people have said similar things and been wrong).

    Now consider that it doesn't even need to be be Google that's malicious / incompetent to be a problem. Oh, look, all Chrome browsers on your local net can discover Chromecasts. And send data. Data encoded in complicated codecs which I've often seen in Changelogs because they allow overflows. Oh, look, third-party apps in Chrome are allowed to jump onto the Chromecast too.

    Join the dots. Unless you have security against those steps in the chain, there's nothing stopping the mere presence of a Chromecast dongle on your network being a vulnerability. They cost £30 so I doubt they could have a massively-overarching security audit that covers them for years in the future.

    Now apply that to your Nest equipment. To the apps on your phone (that game can read from SD card, allow in-app purchases, send text messages to your friends, whatever.... join the dots on ALL that it can do and see what could potentially happen!). To the junk that you plug into the network or wireless. It's a nightmare. And as soon as you break the line and let those things talk out (or be port-forwarded to) you have an Internet-facing vulnerability that amplifies everything a thousand-fold.

    This isn't shocking, unless you've been blind to the potential for the fifty years.

  4. Bigger problem - Re:No kidding ... by UnderCoverPenguin · · Score: 2

    The biggest problem I have seen with these connected devices is that many of them need to "call the mothership". While that does make it easier for the device vendors to support their products, it also means that could be used to determine when you are least likely to be home is being sent over the Internet.

    I have 3, separate, wired networks in my house. One is for the home automation system, and has NO connection to the Internet.

    The system does have IR receivers, so could be vulnerable to a phone or tablet app that sends IR signals using something like an IRED, so the IR receivers accept a very limited set of commands. BUT, the IR communications are one-way: Simple commands in, nothing out.

    --
    Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
  5. Re:Home Automation can be secure by YrWrstNtmr · · Score: 2

    I personally use a Crestron system behind a Cisco router and remotely connect through SSL VPN.

    To 99% of the population, that is complete gibberish.