Written by James Orme Wed 6 Feb 2019

Researchers in the US and Brazil who comprehensively reviewed the security of IoT companion apps claim that half of them are potentially vulnerable to exploits, an estimate they describe as “conservative”.

IoT security is a hot topic, and to be truthful has been for some time. We’ve seen the figures about attempted breaches, ignorance about breaches, the risk to industrial sites and by extension the potentially cataclysmic risk to society.

We’ve even heard about the vulnerabilities in the popular wireless protocols Zigbee and Z-Wave that connect IoT devices to networks. Yet a new study has brought the dangers into sharp focus by exhaustively analysing the security between these devices and their companion apps.

Most smart device manufacturers provide companion apps and cloud services to monitor and control devices. IoT companion apps are the smartphone apps that sit alongside IoT devices, such as the Kasa App that controls the popular TP-Link smart plug.

App exploits

Researchers analysed the 96 top-selling WiFi and Bluetooth-enabled devices available for purchase on Amazon, and found that only 32 unique apps served these devices. While sharing an app across devices is not necessarily a concern in itself, it is generally not wise security practice: if a vulnerability is discovered in one app, it can be replicated across every device that uses it.

Unfortunately, this is precisely what the researchers were able to do.

They took the TP-Link smart plug and discovered that its hard-coded encryption key was shared by every device in its product line, and that users can configure the device out of the box without proper authentication. Together these two weaknesses allowed the researchers to gain control of the device, and of all other TP-Link devices that shared the same app, with a spoofing attack.

In total the researchers found that 31 percent of the apps used no encryption and that 19 percent of the apps used hard-coded keys, thus “at least 50 percent of the apps were potentially seriously vulnerable to exploits.” Building those exploits is an endeavour they depressingly describe as “not challenging.”

“A remote attacker simply has to find a way of getting the exploit either on the user’s smartphone in the form of an unprivileged app or a script on the local network,” the paper reads.

It goes on to describe how burglars could use these pretty rudimentary techniques to swiftly, reliably, and cleanly gain access to someone’s smart home: (a) use a technique to gain access to the WiFi network (the attacker has multiple attempts); (b) detect when the house is empty by monitoring network use patterns; (c) deploy a rogue app or script to control a door handle, open it, and you’re in.

Now you might say “Why would anybody allow their door handles to be controlled by smart devices?”, but the truth is that many are more than willing to fully embrace such conveniences if it produces a total absence of friction in their room-to-room movements. You also feel like a wizard.

“We were successful in creating exploits for all five devices and able to control them, leveraging information that we gathered while analysing the companion apps, both statically, through program analysis, and dynamically, through monitoring the network,” the paper concludes.

“Securing communication between IoT devices and the mobile apps responsible for controlling them is crucial for security and even safety, depending on the types of IoT devices on a network.”

The paper was distributed last week via arXiv and co-authored by Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d’Amorim, and Atul Prakash.