Technology security firm Veracode alerted that consumers are at risk of cyber attack or physical intrusion of their homes as IoT enabled devices, associated mobile applications and cloud services do not feature the required security systems.
In order to understand the real-world impact of each product’s security issue, which could lead to robbery, theft of sensitive data or stalking, the company monitored a set of always-on, consumer IoT machines.
According to Gartner, there are currently 4.9 billion connected devices in use and the information technology guru predicted the number to soar to 25 billion by 2020 incrementing the necessity to better protect equipment from cyber attacks.
The US Federal Trade Commission warned in January that designers should take security seriously in order to avoid cyber attackers potentially hijacking and misusing sensitive information recorded by the technology or that the technology could even create physical safety risks for consumers.
In November last year, CNBC reported Russian webcam hackers spying on thousands of users across the world and transmitting their lives live on the internet.
Footage was broadcasted from over 250 countries, including 4,591 feeds from the U.S., 2,058 from France and 584 from the U.K. as well as 563 from Hong Kong and 182 from China.
Veracode warned that similar assaults could become reality and studied six common at-home devices, including the Chamberlain MyQ Internet Gateway, the Chamberlain MyQ Garage, the SmartThings Hub, the Ubi, the Wink Hub, and the Wink Relay.
The research found that consumers are at risk if these security vulnerabilities are not fixed.
For example, leveraging information from Ubi could enable cybercriminals to know exactly when to expect a user to be home based or when there is an increase in ambient noise or light in the room, which could facilitate a robbery.
The results also led researches to fear for celebrities as they could increasingly become more vulnerable to stalking.
The Chamberlain MyQ system also failed the security tests. Veracode revealed a fault that could notify thieves when a garage door is opened or closed, indicating a window of opportunity to rob a house.
The final report listed the main issues found within IoT cyber security including open debugging interfaces could allow remote attackers to run arbitrary code on the device itself such as spyware.
Serious protocol weakness that would allow passive observers to access sensitive data or control of the device were also highlighted.
Furthermore, a lack of adherence to best practises by manufactures to protect users’ accounts against weak passwords and common password-guessing techniques were pointed as a cause for the problem.
Brandon Creighton, Security Research Architect at Veracode, said: "It’s hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn’t mean cyber security should be sacrificed in the process.
"We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception. Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm."
