Smart home devices from major manufacturers including Amazon and Samsung appear to be using old, vulnerable software to handle the encryption of data from their devices, according to research published earlier this week. The findings were derived from a pool of data on smart home device behavior by way of consumers who had downloaded and run a program called IoT Inspector.
IoT Inspector was launched about three years ago as a way to gather crowdsourced behavior data on smart home devices. Once a consumer downloaded the software, it would monitor the network traffic from any IoT devices they were using and report to both the consumer and the researchers how those devices behaved. I downloaded it and ran it for a few weeks. So did about 5,000 other people, who together used more than 50,000 devices.
Researchers analyzing this pool of data now have some results. And they are concerning.
According to Danny Y. Huang, an assistant professor at New York University, researchers looked at device traffic to understand which versions of OpenSSL smart home products might use. OpenSSL provides encryption for data as it travels from a device over a home network and through to the cloud.
Huang said researchers looked at the device traffic as part of their efforts to figure out how smart home devices handle security. “We know what the [public key infrastructure, or PKI] looks like on the web. It’s a mature ecosystem. But we don’t know how PKI is evolving around IoT devices,” he said.
On the web, PKI relies on sites presenting certificates signed by an established certificate authority, renewed every few months or so (the site operators set that up), and on browsers that check those certificates before establishing a connection. But when it comes to the IoT, companies sometimes provide their own certificates. And they don’t necessarily update them very often.
There are a lot of reasons for that. For example, some apps associated with devices avoid regularly issuing new certificates because having to constantly sign in to the app before, say, turning on a light bulb is irritating for the users of said light bulb. But the lack of certificate authorities and uncertainty around the encryption used by these products are certainly worth talking about.
For the new research, academics looked at how devices behaved on the network in an attempt to figure out which version of the OpenSSL software they were using. Based on that behavior, the team established a fingerprint for each device and matched it against the behavior of devices running known versions of OpenSSL. The result is 32 Amazon devices, including Echos, plus 18 Samsung devices and a smaller array of other products that all appear to use outdated versions of OpenSSL.
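To illustrate the kind of passive fingerprinting described above, here is an added example (not the researchers' code) that parses a TLS ClientHello captured from a device, derives a JA3-style digest, and flags traits a current OpenSSL build would not show; the sample ClientHellos are constructed, and the indicator list is an assumed heuristic, which is also why such traffic can only suggest an old stack rather than pin an exact version.

```python
import hashlib
import struct

RC4_SUITES = {0x0004, 0x0005, 0xC007, 0xC011}   # TLS_*_RC4_* suites, dropped from modern default lists
SNI, SIGALGS, SUPPORTED_VERSIONS = 0, 13, 43    # IANA extension type numbers

def build_client_hello(version: int, ciphers, extensions) -> bytes:
    """Assemble a minimal TLS record carrying a ClientHello (constructed test input only)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"        # version, random, empty session id
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    body += struct.pack(">H", len(cs)) + cs + b"\x01\x00"         # cipher list, one null compression method
    ext = b"".join(struct.pack(">HH", e, 0) for e in extensions)  # extensions with empty bodies
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 + 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs      # record type 22, record version 3.1

def parse_client_hello(record: bytes) -> dict:
    """Extract the client version, offered cipher suites and extension types from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs, p = record[5:], 4                                          # skip handshake type + length
    version = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2 + 32                                                    # version, then 32-byte random
    p += 1 + hs[p]                                                 # session id
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                                 # compression methods
    exts = []
    if p + 2 <= len(hs):
        ext_len = struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4])
            exts.append(etype)
            p += 4 + elen
    return {"version": version, "ciphers": ciphers, "extensions": exts}

def ja3_digest(h: dict) -> str:
    """JA3-style string (version,ciphers,extensions,curves,formats) hashed with MD5; curves/formats left empty here."""
    s = f"{h['version']},{'-'.join(map(str, h['ciphers']))},{'-'.join(map(str, h['extensions']))},,"
    return hashlib.md5(s.encode()).hexdigest()

def legacy_indicators(h: dict) -> list:
    """Heuristic traits (assumed) that a modern OpenSSL client would not show; several together suggest an old stack."""
    hits = []
    if h["version"] < 0x0303: hits.append("negotiates below TLS 1.2")
    if RC4_SUITES & set(h["ciphers"]): hits.append("offers RC4 suites")
    if SIGALGS not in h["extensions"]: hits.append("no signature_algorithms extension")
    if SNI not in h["extensions"]: hits.append("no SNI")
    if SUPPORTED_VERSIONS not in h["extensions"]: hits.append("no supported_versions (no TLS 1.3)")
    return hits

# Constructed samples: an old-looking client and a current-looking one.
OLD = build_client_hello(0x0301, [0x0004, 0x0005, 0x002F], [])
NEW = build_client_hello(0x0303, [0x1301, 0xC02F], [SNI, SIGALGS, SUPPORTED_VERSIONS])
```

Running `legacy_indicators(parse_client_hello(OLD))` returns all five warnings while the modern sample returns none; the digest can then be compared against fingerprints collected from devices whose library version is known.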
These older versions of OpenSSL have known vulnerabilities that could lead to malicious actors accessing data from the devices. This is a serious vulnerability, but it would take effort to exploit it, said Santiago Torres-Arias, an assistant professor at Purdue University. The real risk would be to individuals who are targeted by a hacker who would take the time to access and then read the data.
This is different from a vulnerability that could be easily exploited by multiple people to access camera or audio data, or from vulnerabilities that would let an individual hacker target a bunch of devices and leak their data. But as Torres-Arias noted, given the risks we see from nation states and corporate espionage, these vulnerabilities are worrisome.
That said, it’s worth reiterating that the research indicates the devices from Amazon and others only appear to be running outdated versions of OpenSSL. The researchers can’t tell which versions of OpenSSL the Amazon devices are running, only that the devices are running SSL software whose network behavior looks like that of older, vulnerable versions of OpenSSL.
I reached out to both Amazon and Samsung to find out exactly which versions of OpenSSL they are using. An Amazon spokeswoman didn’t disclose the versions, but emailed the following statement in response to my questions about which versions of OpenSSL Amazon devices might be running and how Amazon handles known vulnerabilities.
“At Amazon, privacy and security are foundational to how we design and deliver every device, feature, and experience. We are aware of this research, and are investigating the possible impact on our devices. We have no reports of unpatched vulnerabilities in the OpenSSL libraries used in our devices.”
She also noted that Amazon provides automatic security updates to customers when their devices are connected to the Internet. A Samsung representative did not respond.
Not knowing when devices are using outdated software is exactly why I think we need to implement software bills of materials (SBoMs) for connected devices. The federal government is pushing for them as well, with an executive order signed last year that requires companies selling connected devices to the federal government to make sure they have an SBoM.
Huang, Torres-Arias, and other researchers trawling through the IoT Inspector data are also fans of SBoMs, but ultimately they want to see how companies implement security and ensure devices stay secure. I am eager to see this, too. I look forward to more research coming out from this data in the months and years ahead.