IoT devices are slowly but surely making their way into our lives, and their security is directly related to ours. Security researchers at Bitdefender found vulnerabilities in four new IoT devices during a two-month hackathon in September and October 2015. Of these, only one was partially fixed after the developer was notified.
The WeMo Switch was the first device in which a vulnerability was found. It is an Internet-accessible switch that lets users turn electronic devices in their homes on and off. The device is still using the same insecure channel for communication between the smartphone and the switch, with no authentication whatsoever. Only the device’s password is encrypted, with an easily breakable 128-bit AES algorithm; everything else is transmitted in cleartext.
The second device under scrutiny was the Lifx Bulb, which is used to adjust the color and intensity of the user’s home lighting system via an Android app. By forcing the user’s Android app to reconnect to their home network, a crook can intercept the user’s home WiFi network credentials. All a hacker needs to do is set up a fake hotspot and then intercept the user’s WiFi login credentials.
A similar issue was found in the LinkHub starter kit, which includes two GE Link lightbulbs and a central management hub, both controlled via an Android app. Since the device doesn’t make use of encryption, employing the above trick will easily reveal WiFi credentials to the hacker.
The last device on the list, and the only one to receive a partial fix, was the MUZO Cobblestone Wi-Fi Audio Receiver. This device was using an always-open hotspot, which Bitdefender researchers could brute-force, and from which they could extract the WiFi password for the local WiFi network. From there, any crook with knowledge of or access to the home WiFi network can easily perform malicious activities.
“This research reminds us of the imperative to embed a proper security architecture in the lifecycle of devices,” Bitdefender’s team concludes after their research. “The IoT opens a completely new dimension to security […]. If projections of a hyper-connected world become reality and manufacturers don’t bake security into their products, consequences can become life-threatening.”
The complete report, The Internet of Things: Risks in the Connected Home, is available for download on Bitdefender’s website.