IoT Devices Lack Basic Security: Study

by CXOtoday News Desk    May 08, 2015


IoT devices are driving cases of robbery, stalking and cybercrime. That’s a clear conclusion of a new study by app security firm Veracode, which discuses the insecurity of connected devices. The researchers stated that while IoT devices have exploded in popularity in recent years, with major tech firms and startups pouring funds into developing devices that can make daily living more convenient, security remains a hot topic.

With around 4.9 billion connected devices in use today and an estimated 25 billion by 2020, cybersecurity is becoming a major concern. The report states, attacks on connected devices have already been reported and are likely to continue to happen if manufacturers do not bolster their cybersecurity efforts.

In this light, Veracode studied six common at-home devices, including the Chamberlain MyQ Internet Gateway, the Chamberlain MyQ Garage, the SmartThings Hub, the Ubi, the Wink Hub, and the Wink Relay. The study found that the impact of security vulnerabilities in these devices could be significant for users. 

For example, taking advantage of security vulnerabilities within a Wink Relay or Ubi device, cybercriminals could turn the microphones on and listen to any conversations within earshot of the device, supporting blackmail efforts or capturing business intelligence from a user’s employer in the case of a home office. Applying vulnerabilities found in the Chamberlain MyQ system, thieves could be notified when a garage door is opened or closed, indicating a window of opportunity to rob the house.

Among the issues found were open debugging interfaces that could allow remote attackers to run arbitrary code on the device itself such as spyware; serious protocol weakness that allow passive observers to access sensitive data or control of the device; and lack of adherence to best practices to protect users’ accounts against weak passwords and common password-guessing techniques. The results showed that all but one device exhibited cybersecurity vulnerabilities across a majority of the categories tested.

“It’s hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn’t mean cybersecurity should be sacrificed in the process,” said Brandon Creighton, Veracode Security Research Architect in a statement.

“We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception. Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm,” he summed up.