During a two-month hackathon in September and October 2015, security researchers from Bitdefender found vulnerabilities in four new IoT devices, of which only one has been partially fixed after the developer was notified.
Researchers found the first issue in the WeMo Switch, an Internet-accessible switch that lets users turn electronic devices in their home on and off.
This device was (and still is) using an insecure communications channel between the switch and the smartphone app that features no authentication. Everything is transmitted in cleartext, except for the device's password, which is encrypted with an easily breakable 128-bit AES algorithm, using an encryption key derived from the device's ID and its MAC address. "Manufacturers have failed to address security issues in the last six months". The second tested device was the Lifx Bulb, a Nest-compatible smart LED system that allows users to adjust the color and intensity of their home's lighting system via an Android app.
This device has a design vulnerability that allows an external attacker to intercept the user's home WiFi network credentials by forcing the user's Android app to reconnect to their home network. The attacker can set up a fake hotspot and then intercept the user's Wi-Fi login credentials.
The same issue affects the LinkHub starter kit, which includes two GE Link lightbulbs and a central management hub, both controlled via an Android app. Employing the attack technique described above and because the device doesn't use encryption, sending network packets in cleartext, an attacker can catch WiFi credentials in a short amount of time and with no considerable effort.
"Only one vendor (partially) has bothered to implement a fix"
Last on the list and the only device that has received a (partial) fix is the MUZO Cobblestone Wi-Fi Audio Receiver, which lets users stream music from their devices to a local sound system. Bitdefender researchers discovered that the device was setting up an always-open hotspot, which they could brute-force, and from where they could extract the WiFi password for the local WiFi network.
An attacker with access to the local WiFi network can sniff the user's traffic, follow browsing habits, catch authentication credentials for other insecure services, or even poison the user's data with malware.
"This research reminds us of the imperative to embed a proper security architecture in the lifecycle of devices," Bitdefender's team concludes after their research. "The IoT opens a completely new dimension to security [...]. If projections of a hyper-connected world become reality and manufacturers don’t bake security into their products, consequences can become life-threatening."