Researchers find potentially vulnerable smart home devices

March 8, 2022 by Stacey Higginbotham

Smart home devices from major manufacturers including Amazon and Samsung appear to be using old, vulnerable software to handle the encryption of data from their devices, according to research published earlier this week. The findings were derived from a pool of data on smart home device behavior by way of consumers who had downloaded and run a program called IoT Inspector.

IoT Inspector was launched about three years ago as a way to gather crowdsourced behavior data on smart home devices. Once a consumer downloaded the software, it would monitor the network traffic from any IoT devices they were using and report to both the consumer and researchers how those devices behaved. I downloaded it and ran it for a few weeks. So did about 5,000 other people that together used more than 50,000 devices.

Researchers analyzing this pool of data now have some results. And they are concerning.

A chart quantifying how out of date the OpenSSL libraries are for each vendor taken from the All Things Inspected blog.

According to Danny Y. Huang, an assistant professor at New York University, researchers looked at device traffic to understand which versions of OpenSSL smart home products might use. OpenSSL provides encryption for data as it travels from a device over a home network and through to the cloud.

Huang said researchers looked at the device traffic as part of their efforts to figure out how smart home devices handle security. “We know what the [public key infrastructure, or PKI] looks like on the web. It’s a mature ecosystem. But we don’t know how PKI is evolving around IoT devices,” he said.

On the web, PKI relies on sites presenting certificates signed by an established certificate authority, renewed every few months or so (the sites set that up), and on browsers checking those certificates before establishing a connection. But when it comes to the IoT, companies sometimes provide their own certificates. And they don’t necessarily update them very often.

There are a lot of reasons for that. For example, some apps associated with devices avoid regularly issuing new certificates because having to constantly sign in to the app before, say, turning on a light bulb is irritating for the users of said light bulb. But the lack of certificate authorities and uncertainty around the encryption used by these products are certainly worth talking about.

For the new research, academics looked at how devices behaved on the network in an attempt to figure out which version of OpenSSL software they were using. Based on that behavior, the team established a fingerprint for each of the devices and matched it to the behavior of devices running versions of OpenSSL. The result is 32 Amazon devices, including Echos, plus 18 Samsung devices and a smaller array of other products that all appear to use outdated versions of OpenSSL.
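To make the fingerprinting idea concrete, here is an added example (my own illustration, not the researchers' code) that parses a TLS ClientHello from raw bytes, builds a simplified JA3-style fingerprint from the version, cipher order and extension order, and matches it against a reference table. The reference table, its labels and the sample handshakes are constructed for the example; mapping a real fingerprint to an OpenSSL version requires a table built from known library builds, which is what the research describes.

```python
import struct
from hashlib import md5
def parse_client_hello(record: bytes) -> dict:
    """Extract version, cipher suites and extension types from a raw TLS ClientHello record."""
    # TLS record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = int.from_bytes(body[0:2], "big")
    pos = 35 + body[34]                           # skip client_random(32) and session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression_methods
    extensions = []
    if pos < len(body):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos < end:                          # each extension: type(2) length(2) data
            extensions.append(int.from_bytes(body[pos:pos + 2], "big"))
            pos += 4 + int.from_bytes(body[pos + 2:pos + 4], "big")
    return {"version": version, "ciphers": ciphers, "extensions": extensions}

def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) are random and must not enter a fingerprint."""
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A

def fingerprint(hello: dict) -> str:
    """Simplified JA3-style hash over version, cipher order and extension order."""
    text = ",".join([str(hello["version"]),
                     "-".join(str(c) for c in hello["ciphers"] if not is_grease(c)),
                     "-".join(str(e) for e in hello["extensions"] if not is_grease(e))])
    return md5(text.encode()).hexdigest()

def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Construct a minimal ClientHello for testing; stands in for captured device traffic."""
    ext_blob = b"".join(struct.pack(">HH", e, 0) for e in extensions)   # empty extension bodies
    body = (struct.pack(">H", version) + b"\x00" * 32 + b"\x00"          # version, random, no session id
            + struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack(">H", len(ext_blob)) + ext_blob) # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

# Constructed reference table with hypothetical labels; not the researchers' real fingerprints.
LEGACY = build_client_hello(0x0301, [0x002F, 0x0035, 0x000A], [0x0000, 0x000D])
MODERN = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02F], [0x0000, 0x000D, 0x002B, 0x0033])
KNOWN = {fingerprint(parse_client_hello(LEGACY)): "hypothetical-legacy-stack",
         fingerprint(parse_client_hello(MODERN)): "hypothetical-modern-stack"}

def classify(record: bytes) -> str:
    return KNOWN.get(fingerprint(parse_client_hello(record)), "unknown")
```

A defender running this over a home capture gets a per-device label without needing the device's firmware, which is the same passive approach the research takes; a label of "unknown" means the stack is simply not in the table, not that it is up to date.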

These older versions of OpenSSL have known vulnerabilities that could lead to malicious actors accessing data from the devices. This is a serious vulnerability, but it would take effort to exploit it, said Santiago Torres-Arias, an assistant professor at Purdue University. The real risk would be to individuals who are targeted by a hacker who would take the time to access and then read the data.

This is different from a vulnerability that could be easily exploited by multiple people to access camera or audio data, or from vulnerabilities that would let an individual hacker target a bunch of devices and leak their data. But as Torres-Arias noted, given the risks we see from nation states and corporate espionage, these vulnerabilities are worrisome.

That said, it’s worth reiterating that the research indicates the devices from Amazon and others only appear to be running outdated versions of OpenSSL. The researchers can’t tell which versions of OpenSSL the Amazon devices are running, only that the devices are running SSL software that behaves like older, vulnerable versions of OpenSSL.

I reached out to both Amazon and Samsung to find out exactly which versions of OpenSSL they are using. An Amazon spokeswoman didn’t disclose the versions, but emailed the following statement in response to my questions about which versions of OpenSSL Amazon devices might be running and how Amazon handles known vulnerabilities.

“At Amazon, privacy and security are foundational to how we design and deliver every device, feature, and experience. We are aware of this research, and are investigating the possible impact on our devices. We have no reports of unpatched vulnerabilities in the OpenSSL libraries used in our devices.”

She also noted that Amazon provides automatic security updates to customers when their devices are connected to the Internet. A Samsung representative did not respond.

Not knowing when devices are using outdated software is exactly why I think we need to implement software bills of materials (SBoMs) for connected devices. The federal government is pushing for them as well, with an executive order signed last year that requires companies selling connected devices to the federal government to make sure they have an SBoM.

Huang, Torres-Arias, and other researchers trawling through the IoT Inspector data are also fans of SBoMs, but ultimately they want to see how companies implement security and ensure devices stay secure. I am eager to see this, too. I look forward to more research coming out from this data in the months and years ahead.
