Vulnerabilities a Pathway for Robbery, Theft of Sensitive Information or Stalking
Veracode, a leader in protecting enterprises from today’s pervasive Web and mobile application threats, released a report finding that the foundation of the Internet of Things (IoT) – the devices themselves plus their associated mobile applications and cloud services – are often not designed with data security or privacy in mind, putting consumers at risk for cyberattack or physical intrusion of their homes. Veracode’s security team probed and monitored a set of always-on, consumer IoT devices to understand the real-world impact of each product’s security. The results show security vulnerabilities within these devices to be a potential pathway for robbery, theft of sensitive data or even stalking.
This not only puts consumers at risk for cyberattacks, but also could facilitate physical intrusion of their homes and stalking.
The report finds:
- The Ubi could enable cybercriminals to know exactly when to expect a user to be home based on when there is an increase in ambient noise or light in the room, which could facilitate a robbery, or even stalking in the case of a celebrity or an angry ex.
- The microphone on a Wink Relay could be turned on by cybercriminals to listen in on any conversations within earshot of the device, supporting blackmail efforts or capturing business intelligence
- Using vulnerabilities in a Chamberlain MyQ system, thieves could be notified when a garage door is opened or closed, indicating a window of opportunity to rob the house.
With around 4.9 billion connected devices in use today and an estimated 25 billion by 2020[1], cybersecurity is becoming a major concern. The Federal Trade Commission has warned that cyberattackers could potentially hijack and misuse sensitive information recorded by the technology or that the technology could even create physical safety risks for consumers. [2] Attacks on connected devices have already been reported[3] likely to continue to happen if manufacturers do not bolster their cybersecurity efforts. In this light, Veracode studied six common at-home devices, including the Chamberlain MyQ Internet Gateway, the Chamberlain MyQ Garage, the SmartThings Hub, the Ubi, the Wink Hub, and the Wink Relay.
The study found that the impact of security vulnerabilities in these devices could be significant for users. Leveraging information from Ubi could enable cybercriminals to know exactly when to expect a user to be home based on when there is an increase in ambient noise or light in the room, which could facilitate a robbery, or even stalking in the case of a celebrity or an angry ex. Taking advantage of security vulnerabilities within a Wink Relay or Ubi device, cybercriminals could turn the microphones on and listen to any conversations within earshot of the device, supporting blackmail efforts or capturing business intelligence from a user’s employer in the case of a home office. Applying vulnerabilities found in the Chamberlain MyQ system, thieves could be notified when a garage door is opened or closed, indicating a window of opportunity to rob the house.
“It’s hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn’t mean cybersecurity should be sacrificed in the process,”
said Brandon Creighton, Veracode Security Research Architect.
“We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception. Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm.”
Among the issues found were: open debugging interfaces that could allow remote attackers to run arbitrary code on the device itself such as spyware; serious protocol weakness that allow passive observers to access sensitive data or control of the device; and lack of adherence to best practices to protect users’ accounts against weak passwords and common password-guessing techniques. The results showed that all but one device exhibited cybersecurity vulnerabilities across a majority of the categories tested.
The devices were purchased new in late December 2014. All test findings were against versions of the firmware that were up-to-date in mid-to-late January 2015.
To View the full report click here.
About Veracode
Veracode delivers the most widely used cloud-based platform for securing web, mobile, legacy and third-party enterprise applications. By identifying critical application-layer threats before cyber-criminals can find and exploit them, Veracode helps enterprises deliver innovation to market faster – without sacrificing security.
Veracode’s powerful cloud-based platform, deep security expertise and programmatic, best practices approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.
Recognised as a Gartner Magic Quadrant Leader since 2010, Veracode secures hundreds of the world’s largest global enterprises, including 3 of the top 4 banks in the Fortune 100 and more than 25 of the world’s top 100 brands. Learn more at www.veracode.com, on the Veracode blog and on Twitter.
[1] Gartner, 2014, http://www.gartner.com/newsroom/id/2905717
[2] “Internet of Things, Privacy and Security in a Connected World”, https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
[3] “Russian webcam hackers spy on bedrooms and offices”, http://www.cnbc.com/id/102202954
