Vulnerable Apps Puts Half Of IoT Gadgets On Security Risk – Study
Smart Home Gadgets based on IoT technology empower our house to live an innovative life. Be it a smart bell, smart lighting, smart lock, etc these gadgets bring an extra layer of technological advancement to our lifestyle. IoT gadgets use internet functionality to stay connected with us, through a smartphone app we can control an array of features with ease. But are they secure enough?
Researchers from Brazil’s Federal University of Pernambuco and the University of Michigan came out with new research that points towards the darker side of IoT devices. They tested 32 Smartphones Apps used to control 96 top-selling IoT gadgets on Amazon which uses Wi-fi and Bluetooth. The test results revealed around 31% apps (corresponding 37 devices from 96) had no encryption, while 19% of them had hard-coded encryption keys, but an attacker can reverse engineer them to manipulate their security.
The data was backed by developing proof-of-concept attacks on 5 devices controlled by 4 apps. They are:
- TP-Links Kasa App – Used to control multiple IoT devices.
- LIFX App – Controls Light Bulbs through Wi-Fi.
- Belkin’s WeMO App – Used to control multiple IoT devices.
- Broadlink’s e-Control App – For SP(Smart Socket), RM(e-Remote), A1(e-Air), and other DNA Products.
Extract from Sophos NakeSecurity Blog:
Based on our in-depth analysis of 4 of the apps, we found that leveraging these weaknesses to create actual exploits is not challenging. A remote attacker simply has to find a way of getting the exploit either on the user’s smartphone in the form of an unprivileged app or a script on the local network.
TP-Link Smart Plug App Vulnerability: Rated 4.4/5 and reviewed around 12,000 times:
TP-Link shares the same hard-coded encryption key for all the devices of a given product line and that the initial configuration of the device is established through the app without proper authentication.
Researchers also pointed towards a Smart Device App that holds a good example of IoT security. It is Google Nest Thermostat App, that uses SSL/TLS. This is a tip of an iceberg, there are tons of apps and IoT devices sold openly. Many are coming in future, this research reveals a key improvement for IoT companies to strictly follow and secure their apps/devices.
Source: Sophos NakedSecurity