Evaluating the security of IoT devices can be difficult, particularly if you're not adept at firmware binary analysis. An alternative approach would be just to assume IoT security is generally terrible, and a new study has shown that's probably a safe bet.
In a paper distributed last week through preprint service ArXiv, computer scientists Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d’Amorim, and Atul Prakash from the Federal University of Pernambuco, Brazil, and the University of Michigan describe how they analyzed the security of apps accompanying IoT devices as indication of the overall security of the associated hardware.
"Our intuition is that if this interaction between the companion app and device firmware is not implemented with good security principles, the device’s firmware is potentially insecure and vulnerable to attacks," they explain in their paper.
That intuition appears to be sound. The five researchers looked at the smartphone apps associated with 96 IoT devices and found almost 31 per cent use no encryption at all, while 19 per cent rely on hardcoded encryption keys that are easy to find in the app itself.
This means about half of the apps (corresponding to 38 per cent of the devices) are potentially exploitable through protocol analysis. And because between 40 per cent and 60 per cent of the apps use local communication or local broadcast communication, an attacker on the same network is well placed to exploit them.
The researchers conducted a detailed study of four different smartphone apps associated with five devices – two devices used the same app – and created exploits for them. They focused on Android apps rather than iOS.
The quintet examined the Kasa for Mobile app for TP-Link devices, the LIFX app for LIFX Wi-Fi enabled light bulbs, the WeMo app for Belkin IoT devices, and the e-Control app for Broadlink kit. And they managed to create exploits for each.
"We find that an Amazon top-seller smart plug from TP-Link shares the same hard-coded encryption key for all the devices of a given product line and that the initial configuration of the device is established through the app without proper authentication," the researchers explain in their paper. "Using this information, we were able to create a spoofing attack to gain control of this device."
A silent video demonstrates the vulnerability. The boffins claim that this issue exists in all other TP-Link devices because the company's other devices use the same mobile app.
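As an added example, not the researchers' code and not TP-Link's actual wire protocol, the Python below sketches the failure mode the paper describes: a key baked into every copy of an app is, in effect, public, so an attacker who has unpacked the APK can decrypt a captured command and forge a new one the device cannot tell apart from the genuine app. The second half shows what changes once the device holds a secret established during an authenticated pairing and checks a MAC and a replay counter. The message format, the hard-coded key string, the JSON commands and the SHA-256-based stream cipher are all constructed for illustration; the cipher stands in for whatever the real app uses, since the point is key management and authentication rather than the cipher.

```python
"""Constructed companion-app protocol showing the shared-key failure mode.

Nothing here is a vendor's design. The stream cipher (SHA-256 keystream,
CTR-style) is a stand-in for whatever cipher an app uses; the lesson is
about where the key lives and whether messages are authenticated.
"""
import hashlib
import hmac
import json
import secrets

# Constructed: the one key every copy of the app ships with. An attacker
# who unpacks the APK and finds this string has exactly what the app has.
APP_WIDE_KEY = b"same-key-for-the-whole-product-line"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: SHA-256(key || nonce || block counter)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


# --- Legacy scheme: app-wide key, no authentication -------------------------

def legacy_encrypt(cmd: dict) -> bytes:
    nonce = secrets.token_bytes(8)
    return nonce + xor_crypt(APP_WIDE_KEY, nonce, json.dumps(cmd).encode())


def legacy_device_handle(msg: bytes) -> dict:
    """The device trusts anything that decrypts to valid JSON."""
    nonce, body = msg[:8], msg[8:]
    return json.loads(xor_crypt(APP_WIDE_KEY, nonce, body))


def attacker_forge(captured: bytes, new_state: int) -> bytes:
    """Attacker on the LAN, holding the key pulled from the APK."""
    cmd = legacy_device_handle(captured)   # same decrypt the device does
    cmd["relay_state"] = new_state
    return legacy_encrypt(cmd)             # indistinguishable from the app


# --- Hardened scheme: per-device key, MAC, replay counter -------------------

def pair_device() -> bytes:
    # Assumption: established once over an authenticated setup step
    # (e.g. a pairing code on the device), never shipped inside the app.
    return secrets.token_bytes(32)


def _subkeys(dev_key: bytes):
    # Separate keys for encryption and authentication, derived from the secret.
    enc = hmac.new(dev_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(dev_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def authed_encrypt(dev_key: bytes, counter: int, cmd: dict) -> bytes:
    enc, mac = _subkeys(dev_key)
    nonce = counter.to_bytes(8, "big")           # monotonically increasing
    body = xor_crypt(enc, nonce, json.dumps(cmd).encode())
    tag = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


class HardenedDevice:
    def __init__(self, dev_key: bytes):
        self.enc, self.mac = _subkeys(dev_key)
        self.last_counter = 0

    def handle(self, msg: bytes):
        """Returns the command dict, or None if the message is rejected."""
        if len(msg) < 8 + 32:
            return None
        nonce, body, tag = msg[:8], msg[8:-32], msg[-32:]
        expected = hmac.new(self.mac, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                          # forged or tampered
        counter = int.from_bytes(nonce, "big")
        if counter <= self.last_counter:
            return None                          # replayed
        self.last_counter = counter
        return json.loads(xor_crypt(self.enc, nonce, body))


def demo():
    # Legacy: capture one "off" command and turn it into "on".
    captured = legacy_encrypt({"cmd": "set_relay", "relay_state": 0})
    legacy_result = legacy_device_handle(attacker_forge(captured, 1))["relay_state"]

    # Hardened: the attacker still knows APP_WIDE_KEY but not the pairing key.
    dev_key = pair_device()
    device = HardenedDevice(dev_key)
    genuine = authed_encrypt(dev_key, 1, {"cmd": "set_relay", "relay_state": 0})
    legit = device.handle(genuine)["relay_state"]
    forged = device.handle(authed_encrypt(APP_WIDE_KEY, 2, {"cmd": "set_relay", "relay_state": 1}))
    replay = device.handle(genuine)
    return legacy_result, legit, forged, replay


if __name__ == "__main__":
    print(demo())   # (1, 0, None, None): forgery accepted by legacy, rejected by hardened
```

Note that the hardened device's security rests entirely on how `pair_device()` gets its secret onto the device: if that initial configuration step is itself unauthenticated, as the paper reports for the TP-Link plug, an attacker can simply run it first and pair the device to themselves.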
The researchers went on to analyze 32 smartphone apps associated with 96 of the top-selling Wi-Fi and Bluetooth-enabled devices on Amazon and found similar flaws, though they did not attempt to create exploit code for these.
They claim they informed the relevant firms of their findings in advance of the release of their paper, providing them with explanations of their findings and suggested mitigations. So far, there's been no response.
"None of them have sent any response to our disclosures and to the best of our knowledge, have not released patches relative to these vulnerabilities," they say.
The Register asked each of the affected companies for comment.
In a statement emailed to The Register, a spokesperson for LIFX said, "The vulnerabilities outlined in the Limited Results report have been addressed at the end of 2018. We have added security measures, including the introduction of encryption."
We’re told the Limited Results report refers to a different set of flaws. We’ve asked LIFX to clarify.
Belkin, Broadlink, and TP-Link did not immediately respond, but we're hopeful they've taken action as well. ®