Kaspersky Lab researchers have discovered vulnerabilities in a smart hub used to manage all the connected modules and sensors installed in the home. Analysis reveals that it is possible for a remote attacker to access the product’s server and download an archive containing the personal data of arbitrary users, which is needed to access their account and take control over their home systems as a result.
While the popularity of connected devices continues to increase, smart home hubs are in high demand. They make house management much easier, combining all device settings in one place and allowing users to set them up and control them through web-interfaces or mobile applications. Some of them even serve as a security system. At the same time, being a “unifier” also makes this device an appealing target for cybercriminals that could serve as an entry-point for remote attacks.
Earlier last year, Kaspersky Lab examined a smart home device that turned out to provide a vast attack surface for intruders, based on weak password generation algorithms and open ports. During the new investigation, researchers discovered that an insecure design and several vulnerabilities in the architecture of the smart device could provide criminals with access to someone’s home.
First, researchers discovered that the hub sends user’s data when it communicates with a server, including the login credentials needed to sign in into the web interface of the smart hub – the user ID and password. Moreover, other personal information such as the user’s phone number used for alerts, can be also listed there. Remote attackers can download the archive with this information by sending a legitimate request to the server that includes the device’s serial number. And analysis shows that the serial number can be also discovered by intruders as a result of simplistic methods of its generation.
According to experts, serial numbers can be brute-forced using logic analysis and then confirmed through a request to the server. If a device with that serial number is registered in a cloud system, criminals will receive affirmative information. As a result, they can log in to the user’s web account and manage the settings of sensors and controllers connected to the hub.
All information about the discovered vulnerabilities has been reported to the vendor and is now being fixed.
“Although IoT devices have been the focus of cybersecurity researchers for last years, they are still proving to be insecure. We randomly selected the smart home hub and the fact that we found it vulnerable is not an exception, but rather one more confirmation of the continuous security problems in the IoT world. It now seems that literally every IoT device – even very simple ones – contain at least one security issue. For example, we recently analysed a smart light bulb. What could possibly go wrong with a bulb which only allows you to change the light colour and some other lightning parameters via your smartphone, you may ask. We found that all credentials of the Wi-Fi networks, i.e. names and passwords, to which the bulb had connected before are being stored in its memory with no encryption. In other words, the current situation in the IoT security sphere is that even your light bulb can compromise you,” said Vladimir Dashchenko, Head of vulnerabilities research group at Kaspersky Lab ICS CERT.
“It’s highly important for manufacturers to ensure proper protection of their users and pay close attention to safety requirements when developing and releasing their products because even small details of insecure design can lead to dangerous consequences,” he concluded.