We've seen many vulnerabilities in internet-of-things (IoT) devices over the past several years, but the problems can also extend to their companion mobile applications and cloud services. If you're using Wink or Insteon hubs to control sensors, door locks, and other sensitive devices in your home, make sure you update to the latest versions of their Android applications and encrypt your phone.

Researchers from security firm Rapid7 analyzed the Android applications that people use to control their Wink Hub 2 and Insteon Hub devices and found that both of them store sensitive access credentials in plain text in their configuration files. Under Android's security model, apps aren't normally able to access each other's files (with the exception of system services with special privileges), so at first glance this shouldn't be a big problem.

However, there are ways for attackers to get at this data, which is why Android provides a built-in secure keystore for storing sensitive information. There are various other methods for encrypting credentials in storage, but it turns out that some developers—especially those in the IoT space—don't use these mechanisms.

If left unprotected, application data can easily be extracted from phones that have been lost or stolen and are not locked with a strong password or protected with full device encryption—a feature that not all Android phones support.
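As an added example (not code from Wink, Insteon or Rapid7), here is the plain-text storage pattern described above beside the Android Keystore approach for the same OAuth token. The class, preference file and key alias names are made up; the Keystore calls require API level 23 or later.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper; the preference file and key names below are made up for the example.
public final class TokenStore {
    private static final String PREFS = "hub_prefs", KEY_ALIAS = "hub_token_key";
    private static final String TOKEN_KEY = "oauth_token", IV_KEY = "oauth_token_iv";
    // The pattern the article describes: the token lands as plain text in the app's
    // preferences XML, readable by anyone who can pull the data directory off the phone.
    static void saveInsecure(Context ctx, String token) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
           .edit().putString(TOKEN_KEY, token).apply();
    }
    // Hardened form: an AES-GCM key is generated inside the Android Keystore and never
    // leaves it; the preferences file only ever holds ciphertext plus a per-write IV.
    static void saveEncrypted(Context ctx, String token) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, getOrCreateKey());  // keystore picks a fresh random IV
        byte[] ct = c.doFinal(token.getBytes("UTF-8"));
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
           .putString(TOKEN_KEY, Base64.encodeToString(ct, Base64.NO_WRAP))
           .putString(IV_KEY, Base64.encodeToString(c.getIV(), Base64.NO_WRAP)).apply();
    }
    static String loadEncrypted(Context ctx) throws Exception {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String ct = p.getString(TOKEN_KEY, null), iv = p.getString(IV_KEY, null);
        if (ct == null || iv == null) return null;  // nothing stored yet
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, getOrCreateKey(),
               new GCMParameterSpec(128, Base64.decode(iv, Base64.NO_WRAP)));
        return new String(c.doFinal(Base64.decode(ct, Base64.NO_WRAP)), "UTF-8");
    }
    // Returns the existing keystore-backed key, or creates one on first use.
    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore"); ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) return (SecretKey) ks.getKey(KEY_ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE).build());
        return kg.generateKey();
    }
}
```

Pulling the preferences file off a phone now yields only ciphertext, and the decryption key cannot be exported from the Keystore; on devices with hardware-backed keystores it never exists in the app's process memory as raw key material.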

"It takes very little effort," Deral Heiland, the research lead at Rapid7, told me. "Anyone who wants to take 45 minutes to an hour out of their life and can use Google, can quickly find out how to pull such data out of a phone."

Furthermore, due to the version fragmentation in the Android ecosystem there are millions of phones out there that are no longer supported by manufacturers and don't receive security updates. Those devices have known vulnerabilities that malicious applications can exploit to gain administrative privileges, or root access.

With privileged access, Android malware—which is not uncommon even on the policed Google Play store—can read other applications' data, including credentials stored in plain text.

The risk is even higher when those credentials are for smart home hubs because these devices often control security-related systems like door locks, garage doors, window sensors, alarms and so on.

The Android application for the Wink Hub 2 was insecurely storing the OAuth access tokens that Wink's servers use to track authenticated user sessions. These tokens allow the mobile applications to send commands to Wink hubs through the company's cloud service.

Heiland also found that Wink's service did not revoke old tokens even when new ones were generated, for example after a password change. So, even if users had tried to limit the risk after losing their phones by changing their Wink passwords, the OAuth tokens stored on their devices would have continued to work.
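The server-side behaviour described above, with the missing revocation step supplied, as an added example that is not Wink's code: each account carries a password generation counter, every token records the generation it was issued under, and a password change bumps the counter so all earlier tokens stop validating. The class and method names are invented for this illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Hypothetical in-memory token service; a real deployment would back this with a database.
public final class TokenService {
    private static final class Account { int passwordGeneration = 0; String passwordHash; }
    private static final class Token {
        final String user; final int generation;
        Token(String u, int g) { user = u; generation = g; }
    }
    private final Map<String, Account> accounts = new HashMap<>();
    private final Map<String, Token> tokens = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();

    // Mints a random bearer token and records which password generation it belongs to.
    public String issueToken(String user) {
        Account a = accounts.computeIfAbsent(user, u -> new Account());
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String t = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(t, new Token(user, a.passwordGeneration));
        return t;
    }

    // A password change bumps the generation; every token minted under an older
    // generation is rejected from now on without touching the token table.
    public void changePassword(String user, String newPasswordHash) {
        Account a = accounts.computeIfAbsent(user, u -> new Account());
        a.passwordHash = newPasswordHash;
        a.passwordGeneration++;
    }

    // A token is valid only if it exists and matches the account's current generation.
    public boolean isValid(String token) {
        Token t = tokens.get(token);
        if (t == null) return false;
        Account a = accounts.get(t.user);
        return a != null && t.generation == a.passwordGeneration;
    }

    public static void main(String[] args) {
        TokenService s = new TokenService();
        String phoneToken = s.issueToken("alice");          // session on the (soon lost) phone
        System.out.println(s.isValid(phoneToken));
        s.changePassword("alice", "<new-password-hash>");   // user reacts to the lost phone
        System.out.println(s.isValid(phoneToken));          // the old session must now be rejected
    }
}
```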

According to the researcher, Wink released an update for its Android application and plans to fix the token revocation issue with a server-side change in the future. Users are advised to use the Wink Android application v6.3.0.28 or later.

Wink doesn't make its own peripheral devices, but instead integrates its hub with existing products from other vendors. However, Insteon manufactures a variety of switches, light bulbs, power outlets, sensors, door locks, cameras and other devices that work with its own hub.

These devices communicate over a proprietary radio frequency (RF) protocol that uses the 915MHz band and which, according to Heiland, doesn't use encryption. This makes it susceptible to replay attacks, where an attacker who is in the communications range of the hub can capture a command sent to a device and then replay it later to achieve the same result.

Heiland tested this attack successfully against Insteon's Garage Door Control Kit, capturing the signal to open and close the door from the hub and replaying it later to open the garage door.

The lack of encryption in Insteon's protocol was previously reported by a security researcher named Peter Shipley in a talk at the DEF CON security conference in 2015. According to Heiland, even though the protocol's documentation mentions that encryption can be used, the actual implementation used by Insteon's Garage Door Control Kit and lighting products doesn't.

The Android application used to control the Insteon Hub was also found to store credentials in plain text, namely the username and password for the user's online account, as well as the username and password that can be used to control the hub directly over the local area network.

Rapid7 notified Insteon about the vulnerabilities on Jul. 19, and even though the company acknowledged receiving the report and said it intended to review it, it hasn't communicated any patching plans, Heiland said. Details about the vulnerabilities were published after 60 days, which is Rapid7's normal vulnerability disclosure deadline unless vendors ask for extra time, he explained.

When it comes to replay attacks, there's not much users can do to protect themselves without a vendor patch, other than simply not using the vulnerable products, Heiland said. "That's typically my recommendation."

To reduce the risk of credential theft from mobile apps, users should keep their mobile operating systems up to date and also lock their mobile devices with a password, the researcher said. "If you make it difficult for someone to gain access to your device it's more likely they're just going to wipe it and keep it rather than try to gain access to the data. So you want to make it a little more difficult for them."

More generally, Heiland advises users to research the security track record of the devices they intend to buy, as well as how their creators respond to security vulnerabilities. All software has bugs, but the way in which companies handle vulnerability reports and release patches is what makes the difference.