IoT devices security – Be afraid, say Princeton researchers


New Jersey, Jan. 22, 2016: A research team at the Center for Technology Information Policy (CITP), University of Princeton, United States, has found several security flaws in a range of Internet of Things (IoT) devices, according to its report that was made public a few days ago.

Over the past several months, Ph.D. student Sarthak Grover and fellow Roya Ensafi were investigating various security and privacy vulnerabilities of IoT devices in the home network, to get a better sense of the current state of smart devices that many consumers have begun to install in their homes.

For this, the duo said, they had purchased a collection of some of the popular IoT devices, connected them to a laboratory network at CITP, and monitored the traffic that the devices exchanged with the public Internet. These included a Belkin WeMo Switch, the Nest Thermostat, an Ubi Smart Speaker, a Sharx Security Camera, a PixStar Digital Photoframe, and a Smartthings hub.

The team presented a summary of its research findings to the Federal Trade Commission last week at PrivacyCon. What the team found shook up the researchers, though it was somewhat expected.

According to a post by fellow student Nick Feamster on the University blog, here’s what the team found, among other things:

  • The Nest thermostat was revealing location information of the home and weather station, including the user’s zip code, in the clear. (Nest promptly fixed this bug after it was notified.)
  • The Ubi used unencrypted HTTP to communicate information to its portal, including voice chats, sensor readings (sound, temperature, light, humidity). It also communicates to the user using unencrypted email. Much of this information, including the sensor readings, could reveal critical information, such as whether the user was home, or even movements within a house.
  • The Sharx security camera was transmitting video over unencrypted FTP; if the server for the video archive was outside of the home, this traffic could also be intercepted by an eavesdropper.
  • All traffic to and from the PixStar photoframe was sent unencrypted, revealing many user interactions with the device.

In a sense, said the post, these were old problems with new constraints. Many of the security and privacy problems that were associated with the IoT devices sounded familiar, but these problems arose in a new, unique context, which presented unique challenges:

  • Fundamentally insecure: Manufacturers of consumer products had little interest in releasing software patches and may even design the device without any interfaces for patching the software in the first place, said the writer. There were various examples of insecure devices that ordinary users may connect to the network without any attempts to secure them (or any means of doing so). Occasionally, these insecure devices can result in “stepping stones” into the home for attackers to mount more extensive attacks. A recent study identified more than 500,000 insecure, publicly accessible embedded networked devices.
  • Diverse: Consumer IoT settings brought a diversity of devices, manufacturers, firmware versions, and so forth. This diversity could make it difficult for a consumer (or the consumer’s ISP) to answer even simple questions such as exhaustively identifying the set of devices that are connected to the network in the first place, let alone detecting behavior or network traffic that might reveal an anomaly, compromise, or attack.
  • Constrained: Many of the devices in an IoT network were severely resource-constrained: the devices may have limited processing or storage capabilities, or even limited battery life, and they often lack a screen or intuitive user interface. In some cases, a user may not even be able to log into the device.

The way forward was that multiple stakeholders should start the discussion about how to improve the security for networks with IoT devices, said the post. This discussion will include both policy aspects (including who bears the ultimate responsibility for device insecurity, whether devices need to adopt standard practices or behavior, and for how long their manufacturers should continue to support them), as well as technical aspects (including how we design the network to better monitor and control the behavior of these often-insecure devices).

According to Nick, devices should be more transparent. The first step towards improving security and privacy for IoT should be to work with manufacturers to improve the transparency of these IoT devices, so that consumers (and possibly ISPs) have more visibility into what software the devices are running, and what traffic they are sending and receiving. This, he says, of course, is a Herculean effort, given the vast quantity and diversity of device manufacturers; an alternative would be trying to infer what devices are connected to the network based on their traffic behavior, but doing so in a way that is both comprehensive, accurate, and reasonably informative seems extremely difficult.

Instead, some IoT device manufacturers might standardize on a manifest protocol that announces basic information, such as the device type, available sensors, firmware version, the set of destinations the device expects to communicate with (and whether the traffic is encrypted), and so forth. (Of course, such a manifest poses its own security risks.)

Network infrastructure could play a role. Given such basic information, anomalous behavior that was suggestive of a compromise or data leak would be more evident to network intrusion detection systems and firewalls.
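
To make the manifest idea concrete, here is an added sketch (not code from the Princeton team or any manufacturer) of how a home gateway could compare observed flows against a device's declared destinations. The manifest layout, the `check_flows` helper, the port list and all hosts are assumptions constructed for illustration; no such manifest standard is described in the post.

```python
from dataclasses import dataclass

# Assumption for this sketch: these destination ports carry cleartext traffic.
CLEARTEXT_PORTS = {21: "ftp", 25: "smtp", 80: "http"}

# Constructed manifest for a fictional camera (hypothetical format).
MANIFEST = {
    "device_type": "camera",
    "firmware": "1.0.0-example",
    "sensors": ["video"],
    "destinations": [
        {"host": "archive.example.net", "port": 443, "encrypted": True},
        {"host": "time.example.net", "port": 123, "encrypted": False},
    ],
}

@dataclass(frozen=True)
class Flow:
    dst_host: str
    dst_port: int

def check_flows(manifest, flows):
    """Return (flow, reason) pairs for flows the manifest does not declare."""
    declared = {(d["host"], d["port"]) for d in manifest["destinations"]}
    encrypted_hosts = {d["host"] for d in manifest["destinations"] if d["encrypted"]}
    findings = []
    for f in flows:
        if (f.dst_host, f.dst_port) in declared:
            continue  # matches a declared destination, nothing to report
        proto = CLEARTEXT_PORTS.get(f.dst_port)
        if f.dst_host in encrypted_hosts and proto:
            reason = f"cleartext {proto} to a host declared encrypted-only"
        elif proto:
            reason = f"cleartext {proto} to undeclared destination"
        else:
            reason = "undeclared destination"
        findings.append((f, reason))
    return findings

# Constructed flow records, as a gateway might log them.
SAMPLE_FLOWS = [
    Flow("archive.example.net", 443),
    Flow("archive.example.net", 21),   # video archive reached over FTP
    Flow("time.example.net", 123),
    Flow("203.0.113.50", 80),          # host not in the manifest
]

if __name__ == "__main__":
    for flow, reason in check_flows(MANIFEST, SAMPLE_FLOWS):
        print(f"{flow.dst_host}:{flow.dst_port} -> {reason}")
```

A port-based check like this only catches traffic on well-known cleartext ports; it says nothing about whether traffic on port 443 is actually encrypted.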
