Your home automation things are a security nightmare
Veracode tests leave lazy devs red-faced
It's not just home broadband routers that have hopeless security: according to security outfit Veracode, cloudy home automation outfits also need to hang their collective heads in shame.
With nothing but standard by-the-manual configurations and network traffic capture – but with no attacks against the devices or the cloud services – the testers reckon they turned up a variety of vulnerabilities in kit from Chamberlain Group, SmartThings, Ubi and Wink.
It seems that if you're the kind of uber-lazy gadget-fan who can't imagine pressing a button to do something voice control is possible, you're matched by uber-lazy device developers. Versacode found that all but one of the devices it tested failed even its non-hostile vulnerability tests.
The products tested were Wink's WinkHub and Wink Relay home automation controllers; Unified Computer Intelligence's Ubi always-on voice activation system; SmartThings' home automation and home access control hub; and Chamberlain Groups' MyQ Garage (an Internet interface to garage door systems) and MyQ Internet Gateway (which extends control to switches and electrical outlets).
The tests covered:
- Whether devices supported or required cryptography to communicate with their vendors' cloud services; whether strong passwords were enforced; and TLS certificate validation. The SmartThings Hub was the only device that passed all tests.
- Interactions with cloud services – device authentication strength, encryption in cloud interactions, MITM protection, protection of sensitive data, and protection against replay attacks. SmartThings was again the only winner; nobody else protected against MITM attacks, and nearly nobody against relay attacks.
- The mobile interface – protection of communications between the device and a smartphone. SmartThings won again, with the caveat that there's only limited direct communications in any of the devices tested – most are routed via the cloud service.
- Debugging security – are there debugging interfaces open, are they protected, can attackers run arbitrary code on a device? For a change, SmartThings had a slip – it allows Telnet access, but passed the other two tests; MyQ Gateway passed all tests.
The Veracode white paper is available with registration here. ®