View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

IoT security flaws give hackers total smart control

Security vulnerabilities expose risk of hackers taking total control of IoT devices, while connected solutions can send out data for miles.

By Joao Lima

Security flaws exposed in a the ZigBee standard reveal that hackers can compromise ZigBee networks and take control of all connected devices on a network.

A security watchdog said that the ZigBee standard requires that an unsecure initial key transport has to be supported, making it possible to compromise ZigBee networks and take control of all connected devices on the network.

Speaking at Black Hat 2015 in Las Vegas, NV, Cognosec said that solutions designed with ZigBee lack configuration possibilities for security and perform a vulnerable device pairing procedure that allows external parties to sniff the exchanged network key.

The firm added that this represents a critical vulnerability, as the security of the solution is solely reliant on the secrecy of this network key.

ZigBee is an IoT standard created by ZigBee Alliance’s members including companies like Samsung, Philips, Motorola, AT&T, Bosch and Silicon Labs.

The solution was designed for personal-area networks with the aim of providing low-cost, low-power consumption, two-way, reliable, wireless communications standard for short range applications, according to the organisation.

The standard is used in different smart solutions, including remote control, input devices, home automation, healthcare, smart energy and retail services, for example.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Tobias Zillner, Senior IS Auditor at Cognosec, said: "The shortfalls and limitations we have discovered in ZigBee have been created by the manufacturers.

"Unfortunately the security risk in this last tier wireless communication standard can therefore be considered as very high."

Also at the Back Hat event, researchers from Red Ballon Security, in a joint investigation with Columbia University, found that IoT devices can be used as transmission channels to steal data from compromised networks.

Researcher Ang Cui said that devices like printers and washing machines, have the ability to transmit invisible inaudible signals for miles.

The research team infected a Pantum laser printer and worked around its circuits, founding that the device could emit electromagnetic radiation by quickly switching a chip’s energy output back and forth. The research team dubbed the security flaw as "funtenna".

Speaking about security and standards to CBR, Amol Sarwate, director of engineering at Qualys explained that there is a range of different devices, connections and software that goes to make up an IoT service.

He said: "Each device should be secure by default – by this I mean that it should only perform specific tasks and stop unauthorised activities from being carried out.

"Unfortunately, many IoT developers don’t have this mindset in place from the start. Too often, devices are released and not updated when components or standards are updated. Responsibility for this should be included within each IoT device, and considered as part of wider services as well."

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.