research found 16 popular smart home devices contain ‘critical crypto flaws’
BREVARD COUNTY, FLORIDA – New cybersecurity research from Florida Tech has revealed that companion smartphone apps for 16 popular smart home devices contain “critical cryptographic flaws” that could allow attackers to intercept and alter their traffic.
As Internet of Things (IoT) devices such as smart locks, motion sensors, security cameras, and smart speakers become more ubiquitous in homes across the country, their growing popularity means that more people are at risk of cyber intrusions.
“IoT devices deliver the promise of security with locks, alarms and connected security cameras,” write assistant professor of computer engineering and science TJ O’Connor and students Dylan Jessee and Daniel Campos in their article, Through the Spyglass: Toward IOT Companion App Man Attacks in the Middle. “However, attackers can take advantage of the immature but ubiquitous nature of IoT to spy on and monitor victims.”
O’Connor leads Florida Tech’s cybersecurity program and heads the IoT Security and Privacy Lab, which has conducted eye-opening research into privacy flaws in internet-connected cameras. This summer, he was named the head coach of the inaugural Cyber Games team in the United States.
Research by O’Connor and his students often highlights the troubling vulnerabilities of consumer IoT devices, and their latest article pursues this goal.
By subjecting 20 devices to a host of ‘man-in-the-middle’ attacks in which the perpetrators seek to intercept communications between the parties, allowing login credential theft, espionage or other nefarious activity, the researchers found that 16 device vendors had failed to implement security measures, thus allowing the attacks.
“We hypothesize that the distributed communication architecture of the IoT introduces vulnerabilities that allow an attacker to intercept and manipulate the communication channel, affecting user-level perception of an IoT device. “, they wrote. “We are applying this (attack) to a wide variety of smart home device vendors to conceal malicious users, suppress motion reports, modify camera images, unlock doors and manipulate history log files. “
IoT devices that exhibited this vulnerability were: Amazon Echo, August Lock, Blink Camera, Google Home Camera, Hue Lights, Lockly Lock, Momentum Camera, Nest Camera, NightOwl Doorbell, Roku TV, Schlage Lock, Sifely Lock, SimpliSafe Alarm, SmartThings lock, UltraLoq lock and Wyze camera.
Devices from four vendors – Arlo, Geeni, TP-Link, and Ring – have proven immune to attacks by researchers.
“As our work reveals widespread failures, vendors can take steps to improve the privacy and integrity of smart home devices and their applications,” the researchers wrote.
The researchers disclosed the vulnerabilities to affected vendors and Apple before their work was released. As the researchers pointed out in their article, vendors need to implement stronger server-side cryptographic implementations to prevent these attacks.
Several vendors have started implementing these recommendations, including Wyze, which updated its companion app before researchers presented their results at the Cyber Security Experiment & Test Workshop in August.
The work was sponsored by the Office of Naval Research. Dylan Jessee, a cadet in the university’s Army ROTC program, led the effort to identify the vulnerabilities. Jessee is hoping to embark on the army’s cyber-career after her commissioning.
The document, Through the Spyglass: Toward IOT Companion App Man-in-the-Middle Attacks, is available at https://research.fit.edu/iot.