
A Hacker's-Eye View of the Internet of Things

A study of six consumer-grade smart household devices raises big security questions.


Ever wonder what hackers think about the Internet of Things? Consider for a moment what someone with criminal intent might do with secret access to your Internet-connected garage door opener and it doesn’t take long to imagine something bad.

The folks at security company Veracode were thinking along the same lines. Their study of six consumer-grade IoT devices found them to be surprisingly vulnerable to hackers, and it takes the unusual step of calling out each product by name and describing some of the weaknesses found. A study by Hewlett-Packard last year raised comparable concerns without naming any of the devices examined. So if you’re into outfitting your home with smart things all over the place, it’s certainly worth your attention.

Veracode bought the devices in December and tested them in a lab in January, monitoring all the data traffic going to and from the device. The company says it found what it describes as “significant” security vulnerabilities in most, but not all, of the products it tested. “Product manufacturers weren’t focused enough on security and privacy as a design priority, putting consumers at risk for an attack or physical intrusion,” the report says.

In all six cases, Veracode reached out to the vendors to share its findings, and all six have responded with fixes. Even so, I’ll focus on just two examples from the study because they’re interesting and a little troubling.

One concerned the MyQ Garage system from Chamberlain. The device allows a user to open and close his or her garage door from a smartphone. Veracode found that a potential burglar could gain access to the device and use it to find out when the garage door has been opened or closed, and thus provide an opportunity to rob the house.

A spokesperson for Chamberlain responded to Veracode’s findings saying that the product Veracode tested was “out of date,” and went on to say, “We disagree with some of the findings in the report and will work with Veracode to share our concerns.”

The second one that caught my attention was the Wink Relay, a touch-enabled controller that fits into the space of a light switch and allows easy control of lots of other smart devices around the house.

The device runs a variant of Google’s Android mobile operating system. Veracode found it was able to take advantage of Android Debug Bridge, a tool used by programmers to troubleshoot software code, usually known by its initials, ADB. Veracode was able to use ADB to turn on the unit’s microphone and record nearby conversations, and then download those recordings to a computer. Veracode notes in the study that Wink responded by disabling the ADB in a subsequent software update.

Of the six devices it studied, Veracode found the fewest security problems with the SmartThings Hub, the central piece of the SmartThings platform that links sensors, locks, light switches, outlets, thermostats and other smart household devices. It runs a Telnet server that could potentially allow an attacker to gain access to the device, but even so, Veracode’s engineers weren’t able to compromise anything else on it. And the Telnet issue will be addressed in a forthcoming version of the device’s software.

If nothing else, Veracode makes the case that manufacturers should think harder about the security and privacy implications of these devices than they appear to have done so far: “It’s clear there is a need to perform security reviews of device architecture and accompanying applications to minimize the risk to users.”

It’s an important issue when you start digging into how many of these smart devices are going to be touching the Internet within the next few years. One educated estimate by the research firm Gartner says it could swell to include 26 billion individual devices by 2020, while another by Verizon says there’s already more than a billion in use by businesses alone.

This article originally appeared on Recode.net.