An interesting announcement for manufacturers of home security systems this week was the news that a technical investigation by Bitdefender discovered that four commonly used Internet of Things (IoT) consumer devices are vulnerable to cyberattack. The analysis reveals that current authentication mechanisms of many internet-connected devices can easily be bypassed to expose smart households and their inhabitants to privacy theft.
The Bitdefender Labs researchers choose devices that were both popular and affordable in order to understand the security stance of each device. The team analysed the way each device connects to the internet and to the cloud, as well as the communication between the device and its corresponding mobile application. Three of the four IoT devices in question are currently still at risk, whereas one has been partially resolved:
- LIFX Bulb: a smart LED bulb that connects to a Wi-Fi network and allows users to control house lighting via a smartphone app. An attacker is able to switch the device on and off five times to reset the device and create a new hotspot. As a result, victims will be connected to an attacker’s fake hotspot and leak the username and password of their Wi-Fi network, allowing further penetration.
- MUZO Cobblestone audio receiver: a Wi-Fi audio receiver that can be connected to home routers to allow music streaming from multiple sources. The device comes embedded with a Telnet service that allows users to access the device remotely. Bitdefender researchers attempted basic password brute-forcing and observed that the initial credentials were set to admin/ admin.
- LinkHub: a smart adapter and two bulbs that allow users to remotely manage household lighting. A lack of transport encryption means data is sent in plain text, allowing attackers to obtain the username and password of a Wi-Fi network.
- WeMo switch: a Wi-Fi enabled device that can turn plugged-in electronic devices on or off remotely, and includes scheduling and IFTTT (If This Then That) automation capabilities. The device is vulnerable to weak access point authentication and may leave users’ Wi-Fi credentials vulnerable.
“Four billion internet-connected devices promise to take our homes to an unprecedented level of comfort, however, this digital convenience is taking its toll on our private lives,” states Catalin Cosoi, Chief Security Strategist at Bitdefender. “As we have seen in the early stages of IoT development, gadgets designed for the home can talk with each other, yet they risk being overheard when communicating sensitive data.”
Radu Basaraba, Malware Researcher at Bitdefender, states, “IoT vendors need to prioritise security before their devices become hugely popular, leaving millions of people at risk from cyberattacks. The IoT opens a completely new dimension to security where the internet meets the physical world. If projections of a hyper-connected world become reality and manufacturers don’t bake security into their products, consequences can becoming life-threatening.”
In order to prevent this, IoT security must take an integrated home cybersecurity approach. That means shifting from device-orientated security to a solution able to protect an unlimited number of gadgets by intercepting attacks at the network.