Report: Half of IoT device apps leave users vulnerable
A paper distributed on ArXiv last week analysed the concerning lack of security when it comes to IoT device apps.
The security issues plaguing IoT devices themselves are well-documented. Security often seems to be an afterthought in the rush to market.
While there’s been a recent explosion in connected devices, app development has been around much longer. The mature development industry has created best practices to help ensure security, but it seems the note hasn’t reached IoT device app developers.
Five computer scientists – Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d’Amorim, and Atul Prakash – analysed smartphone apps for 96 IoT devices as part of their research.
31 percent of the apps used no encryption whatsoever. 19 percent used hardcoded keys that are easy to discover.
The results show about 50 percent of IoT device apps can be exploited. Put like that, and considering the sheer number of devices, it’s little surprise the IoT has become the number one target for hackers.
If you’ve built a smart home, you have a 50/50 chance whether the app you’re using has even basic security based on these results.
Let’s be honest, you probably don’t expect a high level of security if you've shipped a cheap IoT device from China. Some of the apps put under the microscope, however, are household names that many would expect better from.
The LIFX app, WeMo app for Belkin devices, ‘Kasa for Mobile’ app for TP-Link devices, and the ‘e-Contro’ app for Broadlink gear were all vulnerable. The researchers were able to create exploits for each.
In their paper, the researchers wrote:
"We find that an Amazon top-seller smart plug from TP-Link shares the same hard-coded encryption key for all the devices of a given product line and that the initial configuration of the device is established through the app without proper authentication."
The researchers claim to have informed each of the companies about their findings prior to publishing, including possible ways to mitigate the risks identified. Apparently, they’ve received no response so far.
You can find a copy of the paper here (PDF)
Interested in hearing industry leaders discuss subjects like this? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data Expo, and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.
- » Why multi-site facilities cannot miss out on untapped IoT data
- » Contractors targeted homeless with ‘dark skin’ to train Google’s facial recognition
- » How big data and IoT initiatives render the ‘garbage in, garbage out’ theory invalid
- » IoT-focused SaaS provider EMnify secures €8 million in series A funding
- » IOTAS secures $8.5 million in series A funding to further enterprise ‘IoT as a service’ mission