Submission + - Research Finds Shoddy Security on Connected Home Gateways (securityledger.com)
chicksdaddy writes: Connected home products are the new rage. But how do you connect your Nest thermostat, your DropCam surveillance device and your Chamberlin MyQ "smart" garage door opener? An IoT hub, of course. But not so fast: a report from the firm Veracode (https://info.veracode.com/whitepaper-the-internet-of-things-poses-cybersecurity-risk.html ) may make you think twice about deploying one of these IoT gateways in your home.
As The Security Ledger reports (https://securityledger.com/2015/04/research-iot-hubs-expose-connected-homes-to-hackers/), Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing.
The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode’s research architect, told The Security Ledger.
This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post (http://www.xipiter.com/musings) describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.
As The Security Ledger reports (https://securityledger.com/2015/04/research-iot-hubs-expose-connected-homes-to-hackers/), Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing.
The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode’s research architect, told The Security Ledger.
This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post (http://www.xipiter.com/musings) describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.
