Report: Half of IoT device apps leave users vulnerable

Report: Half of IoT device apps leave users vulnerable
Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he’s probably into it. Find him on Twitter: @Gadget_Ry

A paper distributed on ArXiv last week analysed the concerning lack of security when it comes to IoT device apps.

The security issues plaguing IoT devices themselves are well-documented. Security often seems to be an afterthought in the rush to market.

While there’s been a recent explosion in connected devices, app development has been around much longer. The mature development industry has created best practices to help ensure security, but it seems the note hasn’t reached IoT device app developers.

IoT Tech Expo World Series

Five computer scientists – Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d’Amorim, and Atul Prakash – analysed smartphone apps for 96 IoT devices as part of their research.

31 percent of the apps used no encryption whatsoever. 19 percent used hardcoded keys that are easy to discover.

The results show about 50 percent of IoT device apps can be exploited. Put like that, and considering the sheer number of devices, it’s little surprise the IoT has become the number one target for hackers.

If you’ve built a smart home, you have a 50/50 chance whether the app you’re using has even basic security based on these results.

Let’s be honest, you probably don’t expect a high level of security if you've shipped a cheap IoT device from China. Some of the apps put under the microscope, however, are household names that many would expect better from.

The LIFX app, WeMo app for Belkin devices, ‘Kasa for Mobile’ app for TP-Link devices, and the ‘e-Contro’ app for Broadlink gear were all vulnerable. The researchers were able to create exploits for each.

In their paper, the researchers wrote:

"We find that an Amazon top-seller smart plug from TP-Link shares the same hard-coded encryption key for all the devices of a given product line and that the initial configuration of the device is established through the app without proper authentication."

The researchers claim to have informed each of the companies about their findings prior to publishing, including possible ways to mitigate the risks identified. Apparently, they’ve received no response so far.

You can find a copy of the paper here (PDF)

(Photo by Bernard Hermant on Unsplash)

Interested in hearing industry leaders discuss subjects like this? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data Expo, and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.

View Comments
Leave a comment

Leave a Reply

Your email address will not be published.