Study: Internet of Things Poses Multitude of Cybersecurity Risks

A new report by Veracode details why connected devices and their mobile apps are vulnerable to robbery, theft of sensitive information and stalking.

BURLINGTON, Mass. – Veracode, an automated cloud-based service for securing Web, mobile and third-party enterprise applications, released a report finding that the foundation of the Internet of Things (IoT) – the devices themselves plus their associated mobile applications and cloud services – are often not designed with data security or privacy in mind, putting consumers at risk for cyberattack or physical intrusion of their homes.

Veracode’s security team studied a set of always-on, consumer IoT devices to understand the real-world impact of each product’s security. The results show security vulnerabilities within these devices to be a potential pathway for robbery, theft of sensitive data or even stalking.

RELATED: Integrators Meet Cybersecurity Challenges Head-on at New PSA Security Network Event

With around 4.9 billion connected devices in use today and an estimated 25 billion by 2020, cybersecurity is becoming a major concern. The Federal Trade Commission (FTC) has warned that cyberattackers could potentially hijack and misuse sensitive information recorded by the technology or that the technology could even create physical safety risks for consumers. Attacks on connected devices have already been reported and are likely to continue to happen if manufacturers do not bolster their cybersecurity efforts.

Veracode studied six common at-home devices, including the Chamberlain MyQ Internet Gateway, the Chamberlain MyQ Garage, the SmartThings Hub, the Ubi, the Wink Hub, and the Wink Relay. The study found that the impact of security vulnerabilities in these devices could be significant for users. Leveraging information from Ubi could enable cybercriminals to know exactly when to expect a user to be home based on when there is an increase in ambient noise or light in the room, which could facilitate a robbery, or even stalking in the case of a celebrity or an angry ex, according to the report.

Taking advantage of security vulnerabilities within a Wink Relay or Ubi device, cybercriminals could turn the microphones on and listen to any conversations within earshot of the device, supporting blackmail efforts or capturing business intelligence from a user’s employer in the case of a home office. Applying vulnerabilities found in the Chamberlain MyQ system, thieves could be notified when a garage door is opened or closed, indicating a window of opportunity to rob the house.

RELATED: Remote Surveillance System Catches Burglars Red-Handed

“It’s hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn’t mean cybersecurity should be sacrificed in the process,” says Brandon Creighton, Veracode’s security research architect. “We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception. Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm.”

Among the issues found were: open debugging interfaces that could allow remote attackers to run arbitrary code on the device itself such as spyware; serious protocol weakness that allow passive observers to access sensitive data or control of the device; and lack of adherence to best practices to protect users’ accounts against weak passwords and common password-guessing techniques. The results showed that all but one device exhibited cybersecurity vulnerabilities across a majority of the categories tested.

The devices were purchased new in late December 2014. All test findings were against versions of the firmware that were up-to-date in mid-to-late January 2015. For more information about the study findings, methodology and recommendations, the full report can be downloaded here.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Commercial Integrator + Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add to your bottom line.

A FREE subscription to the top resource for security and integration industry will prove to be invaluable.

Subscribe Today!

Get Our Newsletters