Half of IoT gadgets at risk due to app vulnerabilities
In recent times, much has been made of the importance of security when it comes to Internet of Things (IoT) devices, with efforts being made to improve protections in place on this equipment.
Indeed, the UK government recently pledged £70 million in additional funding to ensure future IoT hardware is secure by design. However, new research suggests it is not only the devices themselves users have to worry about.
A study by researchers at Brazil’s Federal University of Pernambuco and the University of Michigan has found that the apps used to control IoT gadgets may often be the weak point.
The study examined 32 popular smartphone apps used to configure and control the 96 top-selling Wi-Fi and Bluetooth-enabled devices sold on Amazon, and found that half of them had some form of security weakness that could allow attackers to access data or take control of devices.
For instance, almost a third of apps (31 per cent) had no encryption protection at all, while a further 19 per cent had hard-coded encryption keys an attacker might be able to reverse engineer even if they’d been obfuscated.
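The two weaknesses named above, missing encryption and hard-coded keys, are both visible in an app's decompiled source before any traffic is ever captured. The following scanner is an added example written for this article, not code from the researchers or from any of the apps named here: it runs a few heuristic regular-expression rules over a constructed, hypothetical Java snippet (no real app is quoted) and reports string literals of AES key length in hex or base64, literal 16/24/32-byte arrays, and plain `http://` endpoints. The patterns and the sample source are assumptions for illustration; a real review would combine this with a look at where the key actually flows.

```python
"""Heuristic scanner for hard-coded key material and cleartext endpoints
in decompiled app source (added example; rules and sample are assumptions)."""
import base64
import re
from dataclasses import dataclass

KEY_LENGTHS = {16, 24, 32}  # AES-128 / AES-192 / AES-256 key sizes in bytes

# A quoted hex string of exactly 16, 24 or 32 bytes
HEX_LITERAL_RE = re.compile(r'"([0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})"')
# A quoted base64-looking string; length is checked after decoding
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{20,}={0,2})"')
# A literal byte array with 16..32 numeric elements, e.g. {1, 2, ...}
BYTE_ARRAY_RE = re.compile(
    r"\{\s*((?:(?:0x[0-9a-fA-F]{1,2}|-?\d{1,3})\s*,\s*){15,31}"
    r"(?:0x[0-9a-fA-F]{1,2}|-?\d{1,3}))\s*\}"
)
# Device or cloud endpoint reached without TLS
CLEARTEXT_URL_RE = re.compile(r"http://[^\s\"']+")


@dataclass(frozen=True)
class Finding:
    kind: str      # hex_key | base64_key | byte_array | cleartext_endpoint
    line: int      # 1-based line number in the scanned text
    snippet: str   # the literal that triggered the rule


def _decoded_b64_len(s):
    """Return decoded length of a base64 string, or None if it is not valid base64."""
    try:
        return len(base64.b64decode(s, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_line(line, lineno):
    """Apply every rule to one line and return the findings in rule order."""
    found = []
    for m in HEX_LITERAL_RE.finditer(line):
        found.append(Finding("hex_key", lineno, m.group(1)))
    for m in B64_LITERAL_RE.finditer(line):
        s = m.group(1)
        if re.fullmatch(r"[0-9a-fA-F]+", s):
            continue  # already reported as hex; avoid a duplicate finding
        if _decoded_b64_len(s) in KEY_LENGTHS:
            found.append(Finding("base64_key", lineno, s))
    for m in BYTE_ARRAY_RE.finditer(line):
        elements = [e.strip() for e in m.group(1).split(",")]
        if len(elements) in KEY_LENGTHS:
            found.append(Finding("byte_array", lineno, m.group(0)))
    for m in CLEARTEXT_URL_RE.finditer(line):
        found.append(Finding("cleartext_endpoint", lineno, m.group(0)))
    return found


def scan_source(text):
    """Scan a whole source file's text; findings are ordered by line, then rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line, lineno))
    return findings


# Constructed sample mimicking decompiled source of a hypothetical companion
# app. Every value below is made up for this example.
SAMPLE_SOURCE = """
public class DeviceLink {
    // hypothetical hard-coded AES key, hex-encoded
    private static final String KEY_HEX = "00112233445566778899aabbccddeeff";
    private static final byte[] IV = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
    private static final String TOKEN = "YWJjZGVmZ2hpamtsbW5vcA==";
    private static final String ENDPOINT = "http://device.local/cmd";
    SecretKeySpec spec = new SecretKeySpec(KEY_HEX.getBytes(), "AES");
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind}: {f.snippet}")
```

The rules deliberately err toward noise: a 16-element byte array may be an IV rather than a key, and a 32-hex-character literal may be a hash. The value of the scan is in producing a short list of literals to trace by hand, which is also why a hex literal is reported once rather than again as base64.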
To test the security of the IoT apps, the researchers developed proof-of-concept attacks against five devices controlled by four apps – TP-Link’s Kasa app, used with multiple devices; the LIFX app, used with that company’s Wi-Fi-enabled light bulbs; Belkin’s WeMo for IoT; and Broadlink’s e-Control app.
Three of these apps used no encryption, and three exchanged messages in a form that would let an attacker on the same network observe the nature of the app-device communication.
“Based on our in-depth analysis of four of the apps, we found that leveraging these weaknesses to create actual exploits is not challenging,” the team wrote. “A remote attacker simply has to find a way of getting the exploit either on the user’s smartphone in the form of an unprivileged app or a script on the local network.”