University researchers have proved that work is still needed to secure internet of things smart home devices after they found unpatched vulnerabilities in gadgets, including Google’s Nest thermostat, that were leaking data.
Speaking at PrivacyCon 2016 in Washington DC, researchers from Princeton University’s Centre for Information Technology Policy (CITP) revealed that some smart home devices leak user information, including user activity and behaviour, as well as the type of device being used.
Postdoctoral researcher Sarthak Grover said that there is reason to "be afraid" and explained that it is very difficult to enforce security standards. This is due to the multiple manufacturers currently in the market, low capability devices, and use of non-standard protocols and ports.
Grover, together with fellow researcher Nick Feamster, dubbed the IoT as the Internet of Unpatched Things as it still lags on security features, stating that the IoT is difficult to maintain and patch due to low workforce and/or expertise.
As the IoT black market is predicted to be worth $5 billion by 2020, information from smart home devices like the ones tested by Grover and Feamster will become valuable to burglars and other intruders.
Grover and Feamster said that hardware capability is low and that there are not enough security protocols to protect users, as most data goes to an online server in the cloud.
Further challenges faced in the smart home space include limited encryption capabilities, resources (including RAM and ROM), limited clock synchronisation, and lack of constant firmware updates.
"The devices inside the home send all of the information to the cloud," Grover said. "In fact, if you have two devices in the home and they want to talk to each other, currently they will talk to the cloud and the information will get back to the home."
The warning followed unpatched security flaws found in some smart home devices, including Google’s Nest. Despite considering Nest quite secure when compared to other devices, researchers said that some of the incoming updates had unencrypted data that was transmitted or stored. Having contacted Nest, postdoctoral researcher Sarthak Grover said they confirmed it was a security bug, fixed it and "thanked us".
Grover said: "Outgoing traffic from the Nest device was secure but incoming traffic such as updates were not that secure. They were in clear text and included some information regarding the location."
He explained that the device was not giving users’ personal information away; however, some weather information, including weather station locations and post codes, was not encrypted and was therefore visible to outsiders.
The security flaw comes less than a week after a software bug caused Nest thermostats to shut down across the world.
At the time, Nest, which was acquired by Google in 2014 for £2.2 billion, said that it was aware of a software bug impacting some Nest Thermostat owners. "In some cases, this may cause the device to respond slowly or become unresponsive. We are working on a solution that we expect to roll out in the coming weeks."
Researchers also looked into Samsung’s SmartThings Hub. They found that almost all traffic going in and out of the device was secure as it was being transmitted over Transport Layer Security (TLS), with no clear text being created.
Grover said: "Even though this device is in itself secure, there is still some background information, such as three or four packets every ten seconds going to smartthings.com which lets [other people in the network] somehow fingerprint the device."
They also found that the DNS query identifies the hub; however, it does not identify individual devices.
Other devices tested include PixStar’s Digital Photoframe. Grover said: "We found that all traffic sent from the photo frame is sent over in clear text, there is absolutely no encryption happening."
He explained that the device holds some privacy issues including the user’s email ID being visible when syncing with the account. "What this potentially means is that it is leaking account data and that everyone in the network part can actually have a look at this email," he said.
Secondly, if people press a button on the photo frame, such as the contacts list button or the radio, everyone in the network can have a look at what that user presses. Grover said: "You can find about the user activity as well as the user account information just by looking at the network."
The researchers also looked into Sharx’s Security IP Camera used for security monitoring in homes with motion detection.
Despite requiring a login password, the security camera was also sending out data in clear text. The camera’s video stream is not encrypted either, allowing those on the network to view recordings.
Privacy issues around the device include the fact that videos can be recovered from FTP data traffic by a network eavesdropper. The DNS query, HTTP headers, and ports can also identify a specific Sharx security camera.
Grover and Feamster also analysed an Ubi speaker, "a predecessor of Amazon’s Echo". Grover explained that all the voice-to-text traffic gets converted into text and is sent out to a server outside in clear text.
He said: "When we interfaced this device with Nest, it used encryption, but when it was talking to its server, it used HTTP. Clearly this device has the capability of enforcing security. However, the policy they have has not forced encryption in all device streams."
An eavesdropper can intercept all voice chats and sensor readings sent to Ubi’s main portal and obtain sensor values such as sound, temperature, light and humidity that indicate whether the user is home and currently active. Email addresses are also sent in the clear and can identify the user.
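The kind of check behind these findings can be run by a device owner against traffic captured from their own home network. The following is an added example, not the researchers' tooling: it classifies each flow as TLS or cleartext from its first payload bytes and lists the identifiers a cleartext flow exposes. The device labels, hosts, field names and payload bytes are all constructed for illustration.

```python
import re

# Constructed sample flows: (device label, destination port, first payload bytes).
# None of these bytes come from the researchers' captures.
SAMPLE_FLOWS = [
    ("hub", 443, bytes.fromhex("160303002a") + b"\x01" * 42),
    ("photo-frame", 80, b"GET /sync?user=alice@example.com HTTP/1.1\r\nHost: frame.example\r\n\r\n"),
    ("speaker", 80, b"POST /sensors HTTP/1.1\r\nHost: portal.example\r\n\r\ntemp=21.5&light=340&sound=12"),
    ("camera", 21, b"USER camera\r\n"),
]

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SENSOR_RE = re.compile(rb"\b(temp|light|sound|humidity)=([0-9.]+)")
CLEARTEXT_VERBS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"USER ", b"PASS ")

def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header.

    Content type 20-23 (change_cipher_spec, alert, handshake, application
    data), major version 3, and a record length within the protocol limit.
    """
    if len(payload) < 5:
        return False
    content_type, major = payload[0], payload[1]
    length = int.from_bytes(payload[3:5], "big")
    return 20 <= content_type <= 23 and major == 3 and length <= 16384 + 2048

def audit_flow(device: str, port: int, payload: bytes) -> dict:
    """Classify one flow and list what an on-path observer could read."""
    if looks_like_tls(payload):
        return {"device": device, "port": port, "transport": "tls", "exposed": []}
    exposed = []
    if payload.startswith(CLEARTEXT_VERBS):
        exposed.append("protocol-commands")
    exposed += ["email:" + m.decode() for m in EMAIL_RE.findall(payload)]
    exposed += ["sensor:" + k.decode() for k, _ in SENSOR_RE.findall(payload)]
    return {"device": device, "port": port, "transport": "cleartext", "exposed": exposed}

def audit(flows):
    """Audit every flow in the capture and return one report row per flow."""
    return [audit_flow(*f) for f in flows]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(row)
```

A TLS verdict here only means the payload is encrypted; as the SmartThings finding shows, destination names and packet timing can still identify the device.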
Speaking to CBR on smart home security, Dean Adkins, CTO at Ampersand Mobile, said that security needs to be approached from many angles.
"Firstly, you have the occupant personal home security measures, cameras, door locks, window sensors etc. All of these need to be connected so the home occupants can constantly monitor their home from anywhere and at any time.
"People must trust and have the confidence that these systems are effectively a closed circuit, that they are hack proof. After all, no one is going to trust their safety, and that of their family, to anything less."
He said that next comes the security of the devices themselves. Connections to the hub by the occupants need to be secure, especially when transmitting data from apps to the hub; the same goes for the hub connecting to the cloud and machine learning.
Adkins said: "No one should be able to intercept transmissions to or from the hub; if someone hacks their way into the hub they would have full control of your home.
"From the perspective of IoT, this is as bad as someone hacking into your bank account, or more accurately hacking an entire bank. The result is a complete loss of confidence and trust in the connected home from consumers."