
Veracode warns IoT a pathway for cybercrime

Lack of in-built security in IoT enabled devices could lead to robbery, theft and stalking.

By Joao Lima

Technology security firm Veracode has warned that consumers are at risk of cyber attack or physical intrusion into their homes because IoT-enabled devices, their associated mobile applications and cloud services lack the required security systems.

To understand the real-world impact of each product’s security issues, which could lead to robbery, theft of sensitive data or stalking, the company monitored a set of always-on consumer IoT devices.

According to Gartner, there are currently 4.9 billion connected devices in use, and the analyst firm predicts the number will soar to 25 billion by 2020, increasing the need to better protect equipment from cyber attacks.

The US Federal Trade Commission warned in January that designers should take security seriously to prevent cyber attackers from hijacking and misusing sensitive information recorded by the technology, and that the technology could even create physical safety risks for consumers.

In November last year, CNBC reported that Russian webcam hackers were spying on thousands of users across the world and transmitting their lives live on the internet.

Footage was broadcast from over 250 countries, including 4,591 feeds from the U.S., 2,058 from France and 584 from the U.K. as well as 563 from Hong Kong and 182 from China.

Veracode warned that similar assaults could become reality and studied six common at-home devices, including the Chamberlain MyQ Internet Gateway, the Chamberlain MyQ Garage, the SmartThings Hub, the Ubi, the Wink Hub, and the Wink Relay.


The research found that consumers are at risk if these security vulnerabilities are not fixed.

For example, leveraging information from Ubi could enable cybercriminals to know exactly when to expect a user to be home, based on when there is an increase in ambient noise or light in the room, which could facilitate a robbery.

The results also led researchers to fear for celebrities, as they could become increasingly vulnerable to stalking.

The Chamberlain MyQ system also failed the security tests. Veracode revealed a fault that could notify thieves when a garage door is opened or closed, indicating a window of opportunity to rob a house.

The final report listed the main issues found in IoT cyber security, including open debugging interfaces that could allow remote attackers to run arbitrary code, such as spyware, on the device itself.

Serious protocol weaknesses that would allow passive observers to access sensitive data or gain control of the device were also highlighted.

Furthermore, a lack of adherence by manufacturers to best practices for protecting users’ accounts against weak passwords and common password-guessing techniques was cited as a cause of the problem.

Brandon Creighton, Security Research Architect at Veracode, said: "It’s hard to not be excited about what the IoT has enabled and will bring in the future, although that doesn’t mean cyber security should be sacrificed in the process.

"We need to look at the IoT holistically to ensure that the devices, as well as their web and mobile applications and back-end cloud services, are built securely from their inception. Security should not be treated as an afterthought or add-on, or we risk putting our personal information in jeopardy or even opening the door to physical harm."
