Research Finds Shoddy Security On Connected Home Gateways

chicksdaddy writes Connected home products are the new rage. But how do you connect your Nest thermostat, your DropCam surveillance device and your Chamberlin MyQ 'smart' garage door opener? An IoT hub, of course. But not so fast: a report from the firm Veracode may make you think twice about deploying one of these IoT gateways in your home. As The Security Ledger reports, Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing. The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode's research architect, told The Security Ledger. This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.

No kidding ...

[gstoddart]

suggesting that manufacturers are giving short shrift to security considerations during design and testing

Well, that gets a big frickin' DUH.

Until companies bear legal liability for writing shitty security code, this is exactly what will happen.

The Internet of Stuff is lots of hype, and little security.

The overwhelming majority of consumer products which want to connect to the internet have absolutely crap security, because companies want to get products out the door and don't care if they have lousy security.

The solution is to treat the Internet of Stuff as exactly what it is ... a marketing term, driving products geared towards analytics and ad revenue, implemented by companies who don't give a crap about your security.

Just don't buy it if you want security.

I am completely un-surprised by this. In fact, I expected it.

Re:No kidding ...

[gstoddart]

And your thermostat? Your TV? Your TV? Your fridge?

Sorry, but I've pretty much decided that the overwhelming majority of things (like anything which isn't a computer) have no damned need to be connected to the internet.

They don't have cables plugged into them, they don't know the wifi passwords, and they never will.

I have zero interest in an internet connected toaster or thermostat, so I'm simply not buying the damned things.

A couple we know was telling us about these awesome new locks they got they can unlock their house with an app on their phone. I just bit my tongue until they asked a very specific question which made me respond "if you can open it from your phone who else can?"

Essentially you have put the security of your home in the hands of a 3rd party. You might choose to trust that, but I don't.

This was after I told her about the creepy "Hello Barbie" which wants to upload the conversations little girls have with their dolls to the internet so it can talk back to them.

They'd immediately recognized they didn't want their grandchildren with one of those, but for some reason the lock thing didn't occur to them.

Pretty much I just assume the people who write the "security" for consumer products are incompetent, lazy, or indifferent -- the net result is pretty much the same. You should simply expect the security is non-existent.

Re:No kidding ...

[Mr+D+from+63]

I love my net connected thermostats. When I take vacation, I can turn the heat or AC down to save energy, then can connect on my way home and have the house at a comfortable temperature when I arrive. I have them programmed to lower the heat/AC during the work or school day, but can make a change on the fly if someone is home for the day. I can adjust the temperatures without getting out of bed if I have my tablet nearby. Programming for daily/weekly settings & seasonal modes via a web interface is much better than button pushing.

I find it very useful and convenient. I know it has very limited security, but I also know the probability of that being exploited is extremely low as are the severity of the consequences. And I can check as often as I like and know if the settings were changed.

I can't think of any reason to connect an appliance or lighting that would be nearly as useful or worth the cost.

This is not news

[Avidiax]

Anyone that understands the economics of software/embedded device development understands that it's a market for lemons with respect to security (https://en.wikipedia.org/wiki/The_Market_for_Lemons).

The customer can't easily distinguish between a secure and insecure product, so even if they cared, they'd have no way to provide an economic force to cause developers to prioritize security.

Sigh

[ledow]

Every single time something wants to cross the boundary between "sheltered device" and "available to the Internet", you have to see what it's doing or you'll run into this.

This is the whole problem with things like UPnP, default "ALLOW ALL OUT" rules, etc. Devices want to talk out, and they'll punch holes to do it, and you don't have to be a genius here - connect their capabilities to find out what COULD happen.

The Chromecast dongle has your wifi password in it. It has access to your network. It has access to your Google account. It has access to the HDMI port of your TV (which may include Ethernet?). Three of those are DANGEROUS (the fourth probably isn't but a lot of people have said similar things and been wrong).

Now consider that it doesn't even need to be be Google that's malicious / incompetent to be a problem. Oh, look, all Chrome browsers on your local net can discover Chromecasts. And send data. Data encoded in complicated codecs which I've often seen in Changelogs because they allow overflows. Oh, look, third-party apps in Chrome are allowed to jump onto the Chromecast too.

Join the dots. Unless you have security against those steps in the chain, there's nothing stopping the mere presence of a Chromecast dongle on your network being a vulnerability. They cost £30 so I doubt they could have a massively-overarching security audit that covers them for years in the future.

Now apply that to your Nest equipment. To the apps on your phone (that game can read from SD card, allow in-app purchases, send text messages to your friends, whatever.... join the dots on ALL that it can do and see what could potentially happen!). To the junk that you plug into the network or wireless. It's a nightmare. And as soon as you break the line and let those things talk out (or be port-forwarded to) you have an Internet-facing vulnerability that amplifies everything a thousand-fold.

This isn't shocking, unless you've been blind to the potential for the fifty years.