Updated Evaluating the security of IoT devices can be difficult, particularly if you’re not adept at firmware binary analysis. An alternative approach would be just to assume IoT security is generally terrible, and a new study has shown that’s probably a safe bet.
In a paper distributed last week through preprint service ArXiv, computer scientists Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d’Amorim, and Atul Prakash from the Federal University of Pernambuco, Brazil, and the University of Michigan describe how they analyzed the security of apps accompanying IoT devices as indication of the overall security of the associated hardware.
“Our intuition is that if this interaction between the companion app and device firmware is not implemented with good security principles, the device’s firmware is potentially insecure and vulnerable to attacks,” they explain in their paper.
That intuition appears to be sound. The five researchers looked at the smartphone apps associated with 96 IoT devices and found almost 31 per cent use no encryption at all while 19 per cent rely on using hardcoded encryption keys that are easy to find.
This means about half of the apps (corresponding to 38 per cent of the devices) are potentially exploitable through protocol analysis. Because between 40 per cent and 60 per cent of the apps use local communication or local broadcast communication, there’s a potential attack path.
The researchers conducted a detailed study of four different smartphone apps associated with five devices – two devices used the same app – and created exploits for them. They focused on Android apps rather than iOS.
The quintet examined the Kasa for Mobile app for TP-Link devices, the LIFX app for LIFX Wi-Fi enabled light bulbs, the WeMo app for Belkin IoT devices, and the e-Control app for Broadlink kit. And they managed to create exploits for each.
“We find that an Amazon top-seller smart plug from TP-Link shares the same hard-coded encryption key for all the devices of a given product line and that the initial configuration of the device is established through the app without proper authentication,” the researchers explain in their paper. “Using this information, we were able to create a spoofing attack to gain control of this device.”
A silent video demonstrates the vulnerability. The boffins claim that this issue exists in all other TP-Link devices because the company’s hardware use the same mobile app.
The researchers went on to analyze 32 smartphone apps associated with 96 of the top-selling Wi-Fi and Bluetooth-enabled devices on Amazon and found similar flaws, though they did not attempt to create exploit code for these.
They claim they informed the relevant firms of their findings in advance of the release of their paper, providing them with explanations of their findings and suggested mitigations. So far, there’s been no response.
“None of them have sent any response to our disclosures and to the best of our knowledge, have not released patches relative to these vulnerabilities,” they say.
The Register asked each of the affected companies for comment.
In a statement emailed to The Register, a spokesperson for LIFX said, “The vulnerabilities outlined in the Limited Results report have been addressed at the end of 2018. We have added security measures, including the introduction of encryption.”
We’re told the Limited Results report refers to a different set of flaws. We’ve asked LIFX to clarify.
Belkin, Broadlink, and TP-Link did not immediately respond, but we’re hopeful they’ve taken action as well. ®
Updated to add
In a statement emailed to The Register on Monday, a spokesperson for Belkin said, “UPnP was chosen for its ubiquity and ease of use and because the local home network provides a good amount of security.
“We are however always working on improving and heightening the security of our products, especially due to increasing threats from malware from phishing scams and malicious web sites. We are working on introducing user accounts later this year, which will secure local network communications and provide better accessibility.”
In response to The Register’s follow-up query, LIFX acknowledged that it’s still working on the issues described in the research paper.
“We are aware of this report. As a general statement, consumers should be aware that all IoT devices are on a vulnerability spectrum,” a company spokesperson said. “We are always attempting to strike the right balance between tight security and ease of use.
“In this case, we do use unencrypted messaging to communicate with our lights over local LAN. This is not hidden by LIFX: our LAN protocol is publicly documented to help facilitate use by partners and 3rd party developers.
“Importantly though, access to the network is required in order to control the lights. So it is not the lights being hacked to get access to the Wi-Fi, but the Wi-Fi being hacked to gain access to the lights.”