After HP Fortify picked apart the woeful security of smartwatches earlier this week, security firm Tripwire offered an almost-as-glum report on another branch of the Internet of Things tree: smart home hubs.
Although still some way from the mainstream, this is a rapidly developing class of products used for home automation and control: turning on heating systems remotely and acting as the interface to home security systems such as cameras, lights and even door locks.
According to Tripwire, three of the leading products sold on Amazon, from Vera, Wink Hub and SmartThings, were found to contain zero-day vulnerabilities serious enough for attackers to potentially change a hub’s settings (for example, opening a lock), access the local network, or take the hubs over as part of DDoS botnets.
They call them ‘smart’ for a reason, but it’s clearly not because of their software security testing departments.
“Left unpatched, some of the vulnerabilities revealed in VERT’s analysis can be exploited by malicious web pages or smartphone applications to execute commands with system level access,” said Tripwire in its press statement.
“The threat is relatively low just now but I believe it will increase as malicious actors recognize how much information can be gained by attacking these devices,” added Tripwire’s resident techie, Craig Young, who also did an excellent Q&A with Techworld a couple of months back on securing home broadband routers from similar problems.
Presumably Young means that the threat is “relatively low” because the market is still small. Anyone buying a smart home hub could probably still be described as an early adopter, and attackers are less interested in that user profile - for now.
It’s pretty apparent that the Internet of Things market is repeating the mistakes of more or less every recent consumer computing technology and under-cooking security. The vendors are often small outfits and perhaps don’t employ enough staff to make a security development lifecycle a priority. You wonder how much of the basic firmware and software is written out of house.
A matter of weeks ago another firm, OpenDNS, found that IoT devices might not be front of mind for IT departments but are popping up everywhere. Until this sector evolves beyond version 1.0, consumers would be advised to sit out the product hype, or at least to assess whether a vendor is putting resources into patching and incident response before buying.