The Internet of things (IoT), devices connected to each other over the Internet, are quickly finding their way to our homes and making our lives easier. But despite the comfort they offer, these sensor or chip equipped-devices continue to be a topic of concern among security researchers as vulnerabilities are found across the category. Security firm Kaspersky has laid bare many more such vulnerabilities and shared some of the fundamental reasons behind these flaws.
The firm has revealed a range of vulnerabilities in many widely used devices such as Google's media streaming dongle Chromecast, smart coffee makers, baby monitors, and home security cameras. Underscoring the sad state of security in the IoT lineup, the firm appeals to the companies that invest resources in or around IoT devices to put more thought into the security aspects. Kaspersky adds that the concept of IoT is still not mature enough.
"These devices and their vendors are new to the market and only just starting to gain an understanding of what and how it should be done," a Kaspersky spokesperson told Gadgets 360. "Also there are no common standards for security of such devices yet, and not enough best practices."
The security firm assessed a baby monitor and found many vulnerabilities in its apps as well as the device's firmware. If exploited, an attacker could take over the device and obtain access to the video and audio feeds. This was possible because before streaming data, the device sent the session ID to the cloud service via an unencrypted form, with the session ID in plaintext.
A vulnerability was also found in the firmware of the device. Because of the nature of the software - powered by Linux - could gain root (all priviligies) access to the device over remote login protocol SSH.
Many of these IoT devices don't have an auto-update option, which makes it unlikely that a user would ever manually download and install a new firmware. "We've seen situations when issues are found, acknowledged and fixed by a vendor, but still remain in place because there is no auto update feature, and users rarely download updates on their own initiative," the spokesperson told Gadgets 360.
An Internet-enabled coffee maker device was also found to have vulnerabilities. It allowed anyone close to the device to not only get access to it, which in itself is not as hazardous, but access to the credential of the Wi-Fi network, which could allow the attacker to gain access to every device connected on it, or at least see all the traffic going through that network.
"As we've seen in the example of a coffee maker, sometimes it is really hard to fix an issue when the device is already on the market. But a very basic measure (the one to start with) could be the implementation of an auto update feature. This would raise the overall security of IoT remarkably as it would allow fast implementation of security patches," the spokesperson added.
Many of these flaws reside in the device because of the components used to manufacture the product. Several companies, in order to lower the overall price of the device, use low-quality product that are not as sophisticated from security standpoint. "There are also pragmatic reasons for the insecurity of such devices: the hardware used in connected devices (processors, RAM, disk space) is usually not powerful enough to run proven and secure software. That's why vendors often create their own software that would fit in the device computing power, but would have multiple security holes," the spokesperson told us over email.
"Companies with a new product try to make it pretty, easy to use, and low-cost, but typically neglect security," Sam Bowne, Computer Networking and Ethical Hacking faculty at City College, San Francisco told Gadgets 360. "They can get away with that because the customers have no easy way to tell which products are more secure. Since customers can't demand security, the manufacturers have little incentive to provide it."
But these cases are not just limited to unknown companies that make cheap-priced IoT devices. Kaspersky also found a vulnerability in Google's Chromecast. A flaw named "rickrolling" allows an attacker to push the dongle to disconnect from the registered devices, and then make it connect to a different device, presumably owned by the attacker. Kaspersky says the said flaw is yet to be patched by Google. Gadgets 360 has reached out to Google for a comment, and we will update the story if and when we hear from the company.
Kaspersky's findings are far from isolated. In July, HP reported several vulnerabilities in smartwatches. Earlier this year, we also saw researchers remotely take over control of a moving car. Last month, several vulnerabilities were reported on Fitbit fitness trackers, including one that allegedly allowed an attacker to manipulate with the data.
So what should be done? Should we just stop using connected devices? Kaspersky says that a user should do proper research before buying a device, including checking with the vendor to see if any vulnerabilities have been reported in the past. Bowne, on the other hand, advises keeping a distance from the first generation of any of these products.
"The simplest way for an end-user to avoid insecure products is to not be an early adopter - wait for version 2," he says. "The first version of anything will have flaws, which may be fixed in later versions."