User credentials left unencrypted and vulnerable in smart home devices and associated smartphone apps from Wink and Insteon, researchers find.
Security researchers have found a number of vulnerabilities in two popular smart home systems. The flaws could allow attackers to gain control of such systems.
According to researchers at IT security company Rapid7, both Wink’s Hub 2 and Insteon’s Hub devices store sensitive credentials unencrypted in their associated Android apps. Both devices are designed to connect various home IoT products and manage home automation.
Additionally, they claim, Wink’s cloud-based management API does not properly expire and revoke authentication tokens, and the Insteon Hub uses an unencrypted radio transmission protocol for potentially sensitive security controls such as garage door locks.
Problems to address
In a blog post detailing their findings, the Rapid7 team warn that as most of these issues have not yet been addressed by the vendors, users should ensure mobile devices enable full disk encryption if possible, and avoid the use of these products for sensitive applications until the vulnerabilities are patched.
“While the potential impact is high, these vulnerabilities are not exploitable over the internet: access to the user’s phone, or close proximity to connected devices in the replay case, is required for exploitation,” said Sam Huckins, program manager at Rapid7.
Researchers said that for Wink, a vendor-supplied patch should be provided to revoke the user’s OAuth token after logout from the mobile application.
“In addition, a mechanism should be added to allow for the revocation of all tokens across all mobile devices with access to the user’s Wink Hub 2. This would help prevent unauthorized access to the device and services even if a device is lost or compromised,” said Huckins.
Huckins added that for Insteon, a vendor-supplied patch should be provided to configure the 915MHz signal to encrypt the data being communicated or to apply a rotating certificate to prevent replay of captured RF signals.
“Absent a vendor-supplied patch, users should avoid using the Insteon’s radio-control features with security-related and access control devices if they are concerned about potential radio eavesdroppers,” he added.
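As an added illustration of the replay-protection mitigation described above (not code from Rapid7, Insteon or this article), the following constructed Python model shows a radio command frame that carries a rolling counter and an HMAC tag, so that a captured frame is rejected when resent or altered; the frame layout, class names and the shared pairing key are assumptions.

```python
import hashlib
import hmac
import os

# Constructed model of a hub-to-device radio command carrying a rolling counter
# and an HMAC tag, so a captured frame cannot be resent. This is not Insteon's
# real 915MHz protocol; the frame layout and names are assumptions.
TAG_LEN = 32  # HMAC-SHA256 digest length

class AuthenticatedSender:
    """Prepends a strictly increasing counter and appends an HMAC over it."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def build(self, cmd: str) -> bytes:
        self.counter += 1
        body = self.counter.to_bytes(4, "big") + cmd.encode()
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

class AuthenticatedReceiver:
    """Accepts a frame only if the tag verifies and the counter is fresh."""
    def __init__(self, key: bytes):
        self.key, self.last_counter, self.log = key, 0, []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # forged or tampered frame
            return False
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:             # replayed or stale frame
            return False
        self.last_counter = counter
        self.log.append(body[4:].decode())
        return True

def replay_demo():
    """Returns (fresh frame accepted, replayed frame accepted, tampered frame accepted)."""
    key = os.urandom(32)  # assumed to be provisioned into both ends at pairing time
    tx, rx = AuthenticatedSender(key), AuthenticatedReceiver(key)
    captured = tx.build("GARAGE_OPEN")   # what an eavesdropper would record
    fresh_ok = rx.receive(captured)
    replay_ok = rx.receive(captured)     # the same bytes resent later
    forged = bytearray(captured)
    forged[4] ^= 0x01                    # flip a command byte but keep the old tag
    tampered_ok = rx.receive(bytes(forged))
    return fresh_ok, replay_ok, tampered_ok
```

A real deployment would also need a tolerance window for counters lost to missed frames and a per-device key established at pairing, neither of which this model handles.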
Ofer Maor, director of enterprise solutions at Synopsys, told Internet of Business that these recent vulnerabilities, alongside many others discovered for different IoT products, are a good indication of the problem we’re facing with the increased adoption of smart home devices.
“Unlike traditional enterprise solutions coming from a relatively small list of large companies investing substantial resources in security, there is now an influx of smart home device manufacturers, with many of them coming out of the garage door they wish to control,” he said.
“As is common with smaller, start-up type companies, these companies are focused on functionality before anything else, and usually do not invest a lot in securing their products. The vulnerabilities identified by Rapid7 are a fine example of this – for the most part they are not a ‘bug’ or ‘developer mistake’ but rather a lack of security architecture and design in the product.”