Tripwire finds security flaws in popular Smart Home Hubs
Following an extensive piece of research, Tripwire’s Vulnerability and Exposure Research Team (VERT) can confirm it has discovered Zero-day vulnerabilities in three of the top-selling ‘Smart Home Hub’ products available on Amazon.
Smart Home Hubs are used to control lighting, heating, locks and cameras in people’s homes, however many security experts worry about the privacy and safety risks associated because the technology is in relative infancy.
In order to understand the risks associated with Smart Home Hubs, Tripwire carried out a security analysis on three top-selling devices and found zero-day flaws in each. These flaws could allow hackers to identify when people are out of their home, change alarm settings, open locks without authorization, access local area networks and turn Smart Hubs into Zombies, or use them for DDoS purposes.
“Smart Home Hubs are steadily growing in popularity, however as with many consumer technology products, functionality has trumped security. Smart Home Hubs enable you to have control over the connected devices you have in your house, even when you are not home. However they also open new doors for criminals,” said Craig Young, security researcher for Tripwire. “The threat is relatively low just now but I believe it will increase as malicious actors recognize how much information can be gained by attacking these devices.”
As part of Tripwire’s Responsible Disclosure Policy all three Smart Home Hub vendors have been notified of the security flaws. Currently two out of the three vendors have patched the reported flaws. Left unpatched, some of the vulnerabilities revealed in VERT’s analysis can be exploited by malicious web pages or smartphone applications to execute commands with system level access.
With the poor track record consumers have for keeping consumer devices up to date with patches, Tripwire suspects that a substantial portion of units in the field will always be vulnerable.[su_box title=”About Tripwire” style=”noise” box_color=”#336588″]Tripwire, Inc., a global provider of risk-based security and compliance management solutions, today announced Tripwire® Enterprise™ version 8.3 featuring a new, stand-alone Policy Manager™. Tripwire Policy Manager provides the detailed visibility into system configurations critical to minimizing security risks and ensuring compliance.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.