Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Communications Encryption Hardware

Research Finds Shoddy Security On Connected Home Gateways 88

chicksdaddy writes Connected home products are the new rage. But how do you connect your Nest thermostat, your DropCam surveillance device and your Chamberlin MyQ 'smart' garage door opener? An IoT hub, of course. But not so fast: a report from the firm Veracode may make you think twice about deploying one of these IoT gateways in your home. As The Security Ledger reports, Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing. The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode's research architect, told The Security Ledger. This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.
This discussion has been archived. No new comments can be posted.

Research Finds Shoddy Security On Connected Home Gateways

Comments Filter:
  • No kidding ... (Score:5, Insightful)

    by gstoddart ( 321705 ) on Tuesday April 07, 2015 @10:48AM (#49423025) Homepage

    suggesting that manufacturers are giving short shrift to security considerations during design and testing

    Well, that gets a big frickin' DUH.

    Until companies bear legal liability for writing shitty security code, this is exactly what will happen.

    The Internet of Stuff is lots of hype, and little security.

    The overwhelming majority of consumer products which want to connect to the internet have absolutely crap security, because companies want to get products out the door and don't care if they have lousy security.

    The solution is to treat the Internet of Stuff as exactly what it is ... a marketing term, driving products geared towards analytics and ad revenue, implemented by companies who don't give a crap about your security.

    Just don't buy it if you want security.

    I am completely un-surprised by this. In fact, I expected it.

    • by Anonymous Coward

      It just reminds me of the people who have bought certain cheap networked cameras for watching babies or light surveillance work.

      While there are security features, they all shipped with a default password and with guest access as "on" by default.

      There was a site (maybe still is), where you could connect to people's cameras with your browser and stare over their shoulder into their office, or watch their kids play.

      Creepy as fuck, and a lesson about what manufacturers of small electronic items think of securit

      • The biggest problem I have seen with these connected devices is that many of them need to "call the mothership". While that does make it easier for the device vendors to support their products, it also means that could be used to determine when you are least likely to be home is being sent over the Internet.

        I have 3, separate, wired networks in my house. One is for the home automation system, and has NO connection to the Internet.

        The system does have IR receivers, so could be vulnerable to a phone or tablet

        • The biggest problem I have seen with these connected devices is that many of them need to "call the mothership". While that does make it easier for the device vendors to support their products,

          I've given up trying to find a router that doesn't have hardwired network connections to mama. The last router I bought makes repeated connections to an NTP server run by the company that makes it, to the point that there is no manual way to set the date and time and no way to change the configuration for NTP.

          I wanted to use this device behind a slow network connection where I already have a stratum 2 server of my own. The only way to do this was to hard-configure the first DNS nameserver to the nameserv

      • by hitmark ( 640295 )

        http://www.shodanhq.com/ [shodanhq.com] ?

    • Trouble is, all of the gadget geeks that willingly fork over huge sums of money to have all this home automation stuff have no idea how vulnerable they are. Sadly, it's going to take someone using the gaping security holes to break into the house and do physical harm to one or more of the people in the house before anyone starts to pay attention.

      • this is why I'm looking forward to the homekit framework. It handles security and connection of the multiple devices in the home, reducing the danger from any individual device that may be insecure. as long as a device is designed to be homekit compatible, then much of the risk will be gone. compare this to something like android in the home (or even worse, android in the car), where everything is open to haxors and other bad actors. imagine if android had access to your CAN bus in the car? those are some s

    • A better way to say this might be: the effort the manufacturer puts into security will be equal to the perceived risk. Since my garage door is already easy to open with a crowbar, the manufacturer might perceive that the risk of some wireless vulnerability is no worse than the risk I am already accepting by having a garage door in the first place. The same with vulnerabilities in my thermostat. What is the risk of someone hacking it and goofing with my temperature settings? They might feel this is not a rea
      • Re:No kidding ... (Score:4, Insightful)

        by gstoddart ( 321705 ) on Tuesday April 07, 2015 @11:04AM (#49423183) Homepage

        And your thermostat? Your TV? Your TV? Your fridge?

        Sorry, but I've pretty much decided that the overwhelming majority of things (like anything which isn't a computer) have no damned need to be connected to the internet.

        They don't have cables plugged into them, they don't know the wifi passwords, and they never will.

        I have zero interest in an internet connected toaster or thermostat, so I'm simply not buying the damned things.

        A couple we know was telling us about these awesome new locks they got they can unlock their house with an app on their phone. I just bit my tongue until they asked a very specific question which made me respond "if you can open it from your phone who else can?"

        Essentially you have put the security of your home in the hands of a 3rd party. You might choose to trust that, but I don't.

        This was after I told her about the creepy "Hello Barbie" which wants to upload the conversations little girls have with their dolls to the internet so it can talk back to them.

        They'd immediately recognized they didn't want their grandchildren with one of those, but for some reason the lock thing didn't occur to them.

        Pretty much I just assume the people who write the "security" for consumer products are incompetent, lazy, or indifferent -- the net result is pretty much the same. You should simply expect the security is non-existent.

        • You should simply expect the security is non-existent.

          That depends on where you draw the boundaries. People have locks on their houses but hide a key in the yard. You can say that is no security, but it is really reduced security.

          Just because there may be easier circumvention methods doesn't mean there is no security. And until there are actual attackers and not just potential attack paths, minimal security might be enough, or at least statistically better than someone breaking in the back door with a 4x4 (an actual experience of mine). When folks start hea

          • Re: (Score:3, Insightful)

            by gstoddart ( 321705 )

            Well, I'll tell you what ... you buy any fucking piece of technology you like.

            Me? I think the trend to have this Internet of Stuff is mostly garbage products by people who think the world operates on a smart phone ... and that the 'security' on those products is incompetently written by people who don't care.

            I think until we get smart and apply data protection and security laws which says corporations have a legal responsibility to both protect your data and your security ... you should assume both your pr

            • Fine, and you can continue to live with your fears and general hatred for anything corporate, while others enjoy little conveniences at very little real risk.
          • by sjames ( 1099 )

            The key in the yard is probably safer. I can scan their house from miles away and nobody will know. Skulking around someone's front yard may bring hard questions.

          • When folks start hearing stories of houses being accessed via these means, they will raise their bars.

            Waiting to hear "stories" would be of no use if, for example, attackers choose to wait until a nationwide cold-snap and then simultaneously brick one million thermostats.

            • There is a small possibility it would go down that way, but much more likely we'd see various other attacks beforehand.

              And if that is the worst case, then its really not that bad. Having a heating system break down during a cold snap is nothing new, and the fix for a bricked thermostat is quick and easy compared to a mechanical problem.
              • by cusco ( 717999 )

                What percentage of the population will be competent to take the thermostat off the wall and cross the wires? My wife would be afraid that she would be electrocuted, even if I were on the phone reassuring her that she wouldn't. A lot of people don't even have a screwdriver in the house. Really sad, but true.

                • I was just saying its a simple fix compared to a mechanical breakdown. A repair guy can do it in a few minutes if that is what it takes. If it is mechanical, it could take days for a part, or be very expensive.

                  The point is that, given it being a low probability thing to start with, and coupled with the limited severity of the risk, its certainly an acceptable risk.
        • "if you can open it from your phone who else can?"

          And who else can walk up and simply kick the door in? Is the risk of a break-in significantly changed by using the phone app? Why wouldn't anyone who wanted in simply kick in the door or just break a window? Some guy in a different country has no interest in unlocking my front door. My point is, does an app like that REALLY change your risk at all given how easy it already is to get in? Now if you are running a gold repository or something the equation is different, but for the typical wooden house owner I

          • Re:No kidding ... (Score:4, Interesting)

            by Mr D from 63 ( 3395377 ) on Tuesday April 07, 2015 @11:34AM (#49423379)
            I love my net connected thermostats. When I take vacation, I can turn the heat or AC down to save energy, then can connect on my way home and have the house at a comfortable temperature when I arrive. I have them programmed to lower the heat/AC during the work or school day, but can make a change on the fly if someone is home for the day. I can adjust the temperatures without getting out of bed if I have my tablet nearby. Programming for daily/weekly settings & seasonal modes via a web interface is much better than button pushing.

            I find it very useful and convenient. I know it has very limited security, but I also know the probability of that being exploited is extremely low as are the severity of the consequences. And I can check as often as I like and know if the settings were changed.

            I can't think of any reason to connect an appliance or lighting that would be nearly as useful or worth the cost.
          • Re: (Score:2, Insightful)

            by Anonymous Coward

            My point is, does an app like that REALLY change your risk at all given how easy it already is to get in?

            Yes, it really makes it easier.

            If for nothing else than for not needing to make any harsh sounds and/or strange movements when breaking in. And for being able to do that thru the front door instead of having to find the physical weakest spot of the house. Might even make it look as if a housekey is used to enter. That means the breaking-and-entering might take place in broad daylight, with neighbours

            • This.

              Your ex-wife gets a restraining order and has the locks changed because shes tired of you beating her up. If you try to get in with a brick, she'll have time to call 911, or the neighbors will, but if you can slip in late at night when no one is looking, well, Bobs your uncle, eh mate?

          • by 0123456 ( 636235 )

            And who else can walk up and simply kick the door in? Is the risk of a break-in significantly changed by using the phone app? Why wouldn't anyone who wanted in simply kick in the door or just break a window?

            Let's see.

            1. Joe Burglar walks up to your front door, unlocks it, walks in. Neighbours assume he's just a friend as he walks out again with a bag full of your stuff and locks the door behind him.
            2. Joe Burglar walks up to your front door, kicks it in. Neighbours call 911.

            See the tiny little difference?

            I honestly can't understand why anyone would even think this 'Internet Of Things' crap is a good idea unless they make money from selling it.

            • Joe Burglar walks up to the front door with a bump key. Spends 15 seconds opening it, and walks out with a bag of your stuff and locks the door behind him. Maybe we just shouldn't have doors at all!

          • by sjames ( 1099 )

            Given a few tries and a good bit of determination, my door could be kicked in. It would be much easier to break the window. However, both of those are noisy and look like someone is doing something wrong. Pressing a couple keys on a phone and then going right in looks like nothing out of the ordinary.

          • by cusco ( 717999 )

            If someone is standing outside my door kicking it in there's a good chance one of the neighbors will call the cops, and if they see a broken window it's the same story. If someone walks up to the door and just walks in the neighbors will assume that they belong there. Some guy in a different country might be very interested in unlocking doors for his cousin/friend/business partner, or opening the garage door so that the moving van can back right in, especially if they have verified on your cameras that yo

        • My regular locks can be bypassed by any idiot with a brick. If you've got enough intelligence to bypass a connected lock, then you've got enough intelligence to get into my house past my normal locks and probably just as quietly.
          • Seriously? Are you actually saying that because someone can break your door with a brick, then it's ok to not have secure internet connected things?

            Also, it's not about intelligence......script kiddies don't need to be intelligent, especially now that every exploit gets posted into metasploit.
            • Manufacturers should be investing in security, but me avoiding IoT devices that I find useful over security issues is pretty pointless.
              • Fascinating. Do you also not care if your computer is secure?
                • Do I care if my valuables that can only be accessed virtually are protected by virtual security? Yes. Do I care that my valuables that can only be accessed physically have a virtual security flaw that is not any bigger than the security flaws with my existing traditional physical security? Not one bit.
              • That depends on if you have to give the devices Internet access, because someone can potentially take over your whole network via a non-secure IOT device. This stuff needs to stay inside your firewall with no outside connection until manufacturers take security seriously. I don't care if someone messes with my light bulbs, I do care if they wipe my servers via an IOT exploit.
                • by cusco ( 717999 )

                  Kiddie porn sites have been found on Internet-connected multi-function printers, and at least one has been used as an entrance into a corporate network. An HVAC system was the point of entry for the Target attack. IoT junk will be used, probably sooner rather than later.

              • by Rakarra ( 112805 )

                Manufacturers should be investing in security

                But they won't, until consumers choose a security-first mindset, which they won't.

                but me avoiding IoT devices that I find useful over security issues is pretty pointless

                Thanks for contributing to a less secure world! Yes, that's snarky, but the IoT so far has shown little upside in favor of creating yet more attack vectors. I like opening my fridge knowing that there's NO possibility that some worm found it's way in and raised the temperature, and now the food is spoiled. I don't need an internet-connected coffee pot, or oven, or any of things. Better yet, my regular devices don't slowly use

          • My regular locks can be bypassed by any idiot with a brick. If you've got enough intelligence to bypass a connected lock, then you've got enough intelligence to get into my house past my normal locks and probably just as quietly.

            Breaking an insecure internet lock is not like throwing a brick through the window. A thief who knows how to break the internet lock can sit quietly at home and search the net for easy locks, rather like going up to your door and trying the handle, except he can do thousands of doors from his bedroom. Or drive down the street looking for the right broadcast./response. To someone who knows how to break the security, broken security is more like a bright neon "Rob Me" sign than a fragile glass window. You

        • A couple we know was telling us about these awesome new locks they got they can unlock their house with an app on their phone. I just bit my tongue until they asked a very specific question which made me respond "if you can open it from your phone who else can?"

          Exactly
          I recently bought a keypad deadbolt for my new front door. Specifically one without any wifi or smartphone connection crap. You actually have to touch it to open. Coworker of mine was extolling the virtues of the one he was going to buy, w
      • A better way to say this might be: the effort the manufacturer puts into security will be equal to the perceived risk.

        That might be a reasonable approach at some level, but I think the fundamental issue is deeper (and it is a serious issue for the IoT going forward):

        The problem is there aren't enough high-quality developers who understand security. To get security right, you can't just write code until it works. You can't copy code from SO and if it passes your test case, release. To write secure software, you have to think of everything that can go wrong (or at least try, it's sad how many programmers don't even try. Th

        • Really, the availability of programmers isn't the main problem.

          Corporations bear no liability for writing crap security, which means they have no penalty for doing so. They might try a small amount of security to look good, but at the end of the day they simply don't need to care.

          So the security of these things is as inherently insecure as anything is which is doing on a "meh, whatever" level of effort.

          Marketing wants the product out the door, management wants to do it as cheaply as possible, and sales is

          • Really, the availability of programmers isn't the main problem. Corporations bear no liability for writing crap security, which means they have no penalty for doing so. They might try a small amount of security to look good, but at the end of the day they simply don't need to care.

            I disagree. Because even if corporations did bear liability, they would merely increase prices to cover the problem (that is what banks do.....if accounts get hacked or something, and they can't blame it on someone else, it's just the cost of doing business).

            Fundamentally, it doesn't matter how much you punish corporations, if there aren't programmers who know how to write secure software, they won't have secure software.

            • They'll do a hell of a lot more if the corporation can face punishment than if all they have to do is say "aww, shucks, we're not actually sorry".

              Because without penalties, you can pretty much guarantee they will do the barest minimum they can justify ... and that will range between "nothing at all" and "not very much".

              • If you want to make laws that "software needs to be secure," I'm in favor, it will only increase my salary.

                But as mentioned earlier, in industries where there already are such laws, it's just the cost of doing business. Medical systems are some of the scariest insecure systems you'll find, as another example.
                • by cusco ( 717999 )

                  Much of (if not most of) the medical equipment was never intended to be put on the larger corporate network. For example MRI devices were supposed to write to a DVD and be sneaker-netted to wherever the images were to be analyzed because transferring that much data over a 10 megabit network was unreasonable. Gigabit networks changed the scenery, and manufacturers just slapped a network interface on them and foisted the security issue on hospital IT staff.

            • by sjames ( 1099 )

              There are programmers who know how to write secure software, they just aren't found in the bargain basement.

              • Yes, I agree. I would also believe that you are one of those programmers who knows how to write secure software.

                However, my point is, there aren't enough quality programmers like you for all the projects that people want to build. There are more projects that need securing than people who are capable of securing them.
      • "A better way to say this might be: the effort the manufacturer puts into security will be equal to the perceived risk. Since my garage door is already easy to open with a crowbar, the manufacturer might perceive that the risk of some wireless vulnerability is no worse than the risk I am already accepting"

        Half true.

        The effort a manufacturer puts into security will be equal to the percieved risk... to them, not to you.

        People buy because of features, not because security and there's basically no liability for

      • The trouble, of course, is that once you connect something to the internet(especially if every single unit phones home to one half-assed 'cloud management' server that can get cracked and compromise everyone without all the tedious IP-guessing), you make attacks in bulk, without regard for geography, trivial.

        Weak security on things that you need to be quite nearby to exploit certainly isn't good(and can make things like car theft or burglary easier); but they inherently limit the number of people you nee
    • by Anonymous Coward

      ^: This.
      Consumers aren't willing to pay for security. Companies will compromise on security/profit at every corner that isn't regulated (and on those that are :/). As the saying goes: Cheap, Good, Fast. Pick two.

  • This is not news (Score:3, Insightful)

    by Avidiax ( 827422 ) on Tuesday April 07, 2015 @10:48AM (#49423029)

    Anyone that understands the economics of software/embedded device development understands that it's a market for lemons with respect to security (https://en.wikipedia.org/wiki/The_Market_for_Lemons [wikipedia.org]).

    The customer can't easily distinguish between a secure and insecure product, so even if they cared, they'd have no way to provide an economic force to cause developers to prioritize security.

    • The customer can't easily distinguish between a secure and insecure product, so even if they cared, they'd have no way to provide an economic force to cause developers to prioritize security.

      And maybe they just don't care, and won't until there are actual reported cases of intrusion or whatever. Then more consumers will either become educated, get expert advice, or demand some type of warranty. That is how the market works.

  • Instead of just fucking around on someone's wifi, the 21st-century's wardriving kids will be heating your house to 90 F, freezing your vegetables, and ruining your coffee!

  • I've been looking at OpenHAB [openhab.org]. It is pretty comprehensive and compatible with many current IoT protocols. Being OSS it's open to peer/security revue. I am hoping it or something like it will gain mass scale adoption.
    • Open source gaining widespread adoption over commercial packages? You can hope in one hand and crap in the other. Guess which one will get filled up first.

      • The thing is this works with the most popular commercial packages, is cross platform (It''s JAVA based), and has clients for almost any use case. It's a pretty good glue for incompatible systems.
        • I'm not sure the language it's written in makes any difference. But being standards based hasn't helped any other OSS project thus far. Why do you think this one will be any different? I know you want it to succeed. But why will it?

    • and compatible with many current IoT protocols

      How many of these protocols support adequate security?

      Unfortunately, simply not supporting unsecure devices is likely to severely limit the market for a "secure IoT Hub". Manufacturers know this, so are very likely to to make "communicate with any device" the default setting..

  • Sigh (Score:4, Interesting)

    by ledow ( 319597 ) on Tuesday April 07, 2015 @11:18AM (#49423283) Homepage

    Every single time something wants to cross the boundary between "sheltered device" and "available to the Internet", you have to see what it's doing or you'll run into this.

    This is the whole problem with things like UPnP, default "ALLOW ALL OUT" rules, etc. Devices want to talk out, and they'll punch holes to do it, and you don't have to be a genius here - connect their capabilities to find out what COULD happen.

    The Chromecast dongle has your wifi password in it. It has access to your network. It has access to your Google account. It has access to the HDMI port of your TV (which may include Ethernet?). Three of those are DANGEROUS (the fourth probably isn't but a lot of people have said similar things and been wrong).

    Now consider that it doesn't even need to be be Google that's malicious / incompetent to be a problem. Oh, look, all Chrome browsers on your local net can discover Chromecasts. And send data. Data encoded in complicated codecs which I've often seen in Changelogs because they allow overflows. Oh, look, third-party apps in Chrome are allowed to jump onto the Chromecast too.

    Join the dots. Unless you have security against those steps in the chain, there's nothing stopping the mere presence of a Chromecast dongle on your network being a vulnerability. They cost £30 so I doubt they could have a massively-overarching security audit that covers them for years in the future.

    Now apply that to your Nest equipment. To the apps on your phone (that game can read from SD card, allow in-app purchases, send text messages to your friends, whatever.... join the dots on ALL that it can do and see what could potentially happen!). To the junk that you plug into the network or wireless. It's a nightmare. And as soon as you break the line and let those things talk out (or be port-forwarded to) you have an Internet-facing vulnerability that amplifies everything a thousand-fold.

    This isn't shocking, unless you've been blind to the potential for the fifty years.

  • In order to be consumer-friendly, they cannot be complex devices. Good security w/out complexity would lock most users out of their stuff. Good security w/out locking users out of their stuff requires complexity.
  • Simplicity.
    Interoperability.
    Security.

    Pick two.

    Companies want to turn a profit - security makes things complicated for typical end users, which translates into profit-sapping support calls and product returns.

    Why does anyone find this attitude surprising?
  • Would it have been too hard to have explained "IoT" in TFS? I spent a long time trying to parse it until I hit on "Internet of Things". Really? What we used to call a bridge or router, is now a "IoT" hub or gateway (maybe both? TFS is vague). IoT is NOT widespread enough to be dropped like this.

    Come on, guys. At least make TFS standalone.

    • actually, IoT -is- a thing and has been for a while, now.

      one vendor has more levels, one of which is EioT (enterprise iot). enterprise, meaning wired cat5/6 cable with PoE and once you have network and power, you can put sensors all over the place, easily, with existing cables already in your building. at least, that's their push for -e- iot.

      iot is a new buzzword, its true. but its also implying 'cloud stuff' when it comes to consumers. that's the part I object the most to. the iot stuff I work on (my

      • by cusco ( 717999 )

        So you're saying there needs to be an Identification level of Internet of Things, an ID-IoT.

  • Unless we're talking about base stations that connect to some online cloud service so you can control it from work, I want less security, not more. Really, the job of security should be left up to the router/gateway between my network and the internet. If the attacker's on my local wifi, I'm already hosed anyway.

    More importantly, leaving these devices open is good for extensibility. If the devices become secure, they become locked down. As it is, if my smartbrand a doorbell goes off I can have it tell my

  • by T.E.D. ( 34228 )

    What does that really hurt? I suppose if a neighbor mooches off my wifi, that hurts my ISP, but not really me.

    If it becomes a problem, at best I might wanna put up a wifi password to keep my neighbors off, but I don't really understand why my wifi (not the computers on it but the wifi itself) needs to have industrial-strength security.

  • But isn't this mostly alleviated if you secure your home WiFi network?
    • by ledow ( 319597 )

      Visit a web page.

      That pages loads iframes etc. from the local network.

      Say, the router configuration page. Let's say certain models of router fail to adequately validate credentials before they apply setting changes you request, etc. and that you can request those settings change via HTTP POST/GET methods.

      Yes, some of this SHOULD generate security warnings. But it doesn't always. And that's the problem.

      People have had their home routers "hacked" by visiting a webpage which changed their home router DNS se

  • Because you are trying to balance reasonable security with some ability to manage all the stuff in your house, including locking doors and closing garages that your kids leave open. If you think of absolute security as a currency, you spend some of it to get the convenience of remote lock/unlock.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...