Insecure apps put half of IoT devices at risk
IoT apps lack encryption and leave devices vulnerable to hackers
As the Internet of Things (IoT) has grown in popularity, with consumers adding more devices to build out their smart homes, new research has revealed that vulnerable apps are putting users at risk.
To better gauge the security of IoT devices, researchers from Brazil's Federal University of Pernambuco and the University of Michigan examined 32 apps used to configure and control the 96 best-selling Wi-Fi and Bluetooth-enabled devices on Amazon.
IoT app developers need to secure three things: the apps themselves, their connection to the cloud proxies used during initial setup, and the wireless connection and authentication to and from each IoT device. For this reason, the study's researchers started by inferring potential weaknesses through heuristic analysis of each app.
The researchers found that 31 percent of the apps (corresponding to 37 of the 96 devices) used no encryption at all, while another 19 percent relied on hard-coded encryption keys that a potential attacker could recover by reverse engineering the app.
Insecure apps
The researchers even developed proof-of-concept attacks for TP-Link's Kasa app, LIFX's smart light app, Belkin's WeMo for IoT and Broadlink's e-Control app to back up their findings further.
Three of the four apps used no encryption whatsoever, and three communicated using broadcast messages, which could give an attacker on the same network a way of monitoring the app-device communication to find vulnerabilities.
The researchers explained their findings in a report, saying:
“Based on our in-depth analysis of four of the apps, we found that leveraging these weaknesses to create actual exploits is not challenging. A remote attacker simply has to find a way of getting the exploit either on the user’s smartphone in the form of an unprivileged app or a script on the local network.”
While many IoT apps still have a long way to go when it comes to securing their devices, the researchers highlighted Google's Nest thermostat app as an example of how IoT security should be done: its entire configuration process is secured with SSL/TLS to the cloud or over Wi-Fi protected with WPA.
Via Naked Security
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.