Insecure apps put half of IoT devices at risk


sincity


As the Internet of Things (IoT) has grown in popularity with consumers adding more devices to build out their smart homes, new research has revealed that vulnerable apps are putting users at risk.

To better gauge the security of IoT devices, researchers from Brazil's Federal University of Pernambuco and the University of Michigan examined 32 apps used to configure and control the 96 best-selling Wi-Fi and Bluetooth-enabled devices from Amazon.

IoT app developers need to secure the apps themselves, their connection to the cloud proxies used during initial setup, and the wireless connection and authentication to and from each IoT device. For this reason, the study's researchers started by inferring potential weaknesses using heuristic analysis of each app.

The researchers found that 31 percent of the apps (corresponding to 37 devices out of 96) had no encryption at all while another 19 percent had hard-coded encryption keys that could be reverse engineered by potential attackers.

Insecure apps

The researchers even developed proof-of-concept attacks for TP-Link's Kasa app, LIFX's smart light app, Belkin's WeMo for IoT and Broadlink's e-Control app to back up their findings further.

Three of the four apps used no encryption whatsoever, and three communicated using broadcast messages that could provide an attacker with a way of monitoring the app-device communication to find vulnerabilities.

The researchers explained their findings in a report, saying:

“Based on our in-depth analysis of four of the apps, we found that leveraging these weaknesses to create actual exploits is not challenging. A remote attacker simply has to find a way of getting the exploit either on the user’s smartphone in the form of an unprivileged app or a script on the local network.”

While many IoT apps have a ways to go when it comes to securing their devices, the researchers highlighted Google's Nest thermostat app as an example of how IoT security should be done, with its entire configuration process secured with SSL/TLS to the cloud or via Wi-Fi with WPA.

Via Naked Security

http://feeds.feedburner.com/~r/techradar/digital-home/~4/fRfxH4u9UpA