In January 2014, Proofpoint, a digital security firm, announced that 750,000 malicious email communications had come from more than 100,000 everyday consumer gadgets.
Those devices included televisions and at least one refrigerator. They were compromised and used as a platform to launch attacks.
The recent announcement by Sarthak Grover at PrivacyCon, held by the Federal Trade Commission, that Nest was leaking some data further highlights the vulnerability of the devices that are monitoring our businesses and homes.
It’s another concern for small business owners who are worried about the security of their data.
Grover and his colleagues purchased popular Internet of Things (IoT) devices to monitor the data they exchanged with the public Internet after connecting them to a laboratory network. In the paper titled, “The Internet of Unpatched,” the researchers concluded by saying: “Be Very Afraid!”
They made the statement because many of the devices they tested didn’t encrypt at least some portion of the data they were sending and receiving. The devices they purchased were the Belkin WeMo Switch, the Nest Thermostat, an Ubi Smart Speaker, a Sharx Security Camera, a Pix-Star Digital Photoframe and a SmartThings hub.
Because of its popularity, the product that has made headlines is the Nest Thermostat. In the investigation, the device revealed the user’s zip code in clear text. This means it wasn’t encrypted, a clear invitation for hackers to locate at least the physical address where the device was installed.
Nest has already resolved the issue with the unencrypted transmission.
Additional flaws the investigation uncovered include:
- Ubi Smart Speaker uses unencrypted emails,
- Sharx security camera transmits video over unencrypted FTP, and
- Pix-Star photoframe data is sent unencrypted too.
The other companies have yet to announce if they have patched any of the flaws.
The Samsung SmartThings hub, on the other hand, is noted as being very secure, because no information about IoT devices attached to the hub is leaked. The device uses HTTPS on port 443 with TLS v1.2 for all its data, and it makes background updates every 10 seconds (over HTTPS), which fingerprint the hub.
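The kind of check this testing relies on can be sketched as follows: look at the first bytes each device sends and separate TLS handshakes from cleartext, then flag sensitive fields in the cleartext flows. This is an added example, not code from the researchers' paper; the device names, the `zip=` field and every payload are constructed sample data.

```python
import re

# Constructed sample flows (device, destination port, first bytes the device sent).
# Device names, the "zip=" field and all payloads are made up for illustration.
CLIENT_HELLO = (bytes.fromhex("160301002d010000290303") + bytes(32)
                + bytes.fromhex("000002002f0100"))
FLOWS = [
    ("thermostat", 80, b"POST /weather HTTP/1.1\r\nHost: example.invalid\r\n\r\nzip=00000"),
    ("camera", 21, b"USER camera\r\nPASS placeholder\r\n"),
    ("hub", 443, CLIENT_HELLO),
]

TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Patterns worth flagging when they appear unencrypted (hypothetical field names).
SENSITIVE = {
    "zip code": re.compile(rb"zip(?:code)?=\d{5}"),
    "FTP login": re.compile(rb"^(?:USER|PASS) \S+", re.M),
}


def classify(payload: bytes) -> str:
    """Tell a TLS ClientHello from cleartext using the record and handshake headers."""
    # Byte 0: record type 0x16 (handshake); byte 1: major version 3;
    # byte 5: handshake type 0x01 (ClientHello); bytes 9-10: version the client offers.
    # A TLS 1.3 client also writes 3.3 here, so read this as "TLS 1.2 or later".
    if len(payload) >= 11 and payload[0] == 0x16 and payload[1] == 3 and payload[5] == 0x01:
        offered = TLS_VERSIONS.get((payload[9], payload[10]), "unknown TLS version")
        return f"encrypted ({offered} offered)"
    return "cleartext"


def audit(flows):
    """Return (device, port, verdict, leaked fields) for every flow."""
    findings = []
    for device, port, payload in flows:
        verdict = classify(payload)
        leaks = []
        if verdict == "cleartext":
            leaks = [name for name, rx in SENSITIVE.items() if rx.search(payload)]
        findings.append((device, port, verdict, leaks))
    return findings


if __name__ == "__main__":
    for device, port, verdict, leaks in audit(FLOWS):
        print(f"{device:<11} port {port:<4} {verdict:<28} leaks: {', '.join(leaks) or 'none'}")
```

Run against a real capture from a lab network, the same logic shows which devices on the network still send data a passive observer can read.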
Even though the SmartThings hub should be commended for taking these precautions, the vast majority of these devices don’t have the necessary processing power, storage capability and accessibility to adequately protect themselves.
While concerns may seem exaggerated to some, it’s important to note these devices monitor activities in businesses and homes, so the data potentially being leaked to the Web is difficult to predict.
The solution is for business owners and other consumers to be more informed about the devices they install and be aware of the potential risks.