
Over the past few years, an increasing number of vulnerabilities have been found in different Internet of Things (IoT) devices. The catalog of IoT security shortcomings continues to grow as experts discover that these problems can potentially extend to the respective IoT cloud services and mobile applications.
According to researchers from Rapid7, an IT security company, the Wink and Insteon Hub smart home systems have architectural issues that undermine their security.
The recent vulnerabilities in Wink and Insteon Hub, alongside other IoT systems designed to connect and automate various home products, illustrate the downsides to be expected as smart home devices grow in popularity.
Problems to Address
The Insteon and Wink home control systems appear to have a common problem with encryption.
According to the Rapid7 cybersecurity experts, user credentials in the associated smartphone applications are left unencrypted. In addition, Insteon Hub systems use an unencrypted radio transmission protocol in some of their security controls, including garage doors.
On the other hand, Wink’s cloud-based application programming interface (API) does not expire and revoke validation/authentication tokens correctly.
After a detailed analysis of the Wink Android application, the Rapid7 security team noted that the user’s access credentials are stored as plain text in its configuration files. Encryption ensures that a third party cannot access user credentials and other sensitive information; if the data is left unprotected, an attacker who gets around the Android security model can read it directly.
With the insecure storage of authentication access tokens on the Wink Hub 2 Android application, hackers could infiltrate the company’s cloud service through the mobile application.

Deral Heiland, the Rapid7 research lead, also discovered that Wink’s service failed to revoke old tokens after generating new tokens following critical events like a password change. This means that authentication tokens stored in home devices would still work even when users change their Wink password to limit possible risks after losing their phones.
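The token-revocation gap described above, as an added illustration that is not Rapid7's or Wink's code: a constructed, in-memory token service run both ways, once with the weak behaviour (tokens issued before a password change keep working) and once with the corrected behaviour (a per-account credential version invalidates every outstanding token). All names here are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    password_hash: bytes
    cred_version: int = 0  # bumped on password change; every token records the version it was issued under


class TokenService:
    """Constructed cloud-side token store; the flag selects weak vs. corrected revocation."""

    def __init__(self, revoke_on_password_change: bool) -> None:
        self.revoke_on_password_change = revoke_on_password_change
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, Tuple[str, int]] = {}  # token -> (user, cred_version at issue)

    @staticmethod
    def _hash(pw: str) -> bytes:
        return hashlib.sha256(pw.encode()).digest()  # illustrative only; use a real password KDF

    def register(self, user: str, pw: str) -> None:
        self.accounts[user] = Account(self._hash(pw))

    def login(self, user: str, pw: str) -> Optional[str]:
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password_hash, self._hash(pw)):
            return None
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (user, acct.cred_version)
        return tok

    def change_password(self, user: str, old_pw: str, new_pw: str) -> bool:
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.password_hash, self._hash(old_pw)):
            return False
        acct.password_hash = self._hash(new_pw)
        if self.revoke_on_password_change:
            acct.cred_version += 1  # all tokens issued before this moment are now stale
        return True

    def validate(self, tok: str) -> Optional[str]:
        entry = self.tokens.get(tok)
        if entry is None:
            return None
        user, version = entry
        if version != self.accounts[user].cred_version:
            self.tokens.pop(tok, None)  # stale token: revoked by the password change
            return None
        return user


def old_token_survives_password_change(revoke: bool) -> bool:
    """True if a token issued before the password change still validates afterwards."""
    svc = TokenService(revoke)
    svc.register("alice", "old-pw")
    tok = svc.login("alice", "old-pw")
    svc.change_password("alice", "old-pw", "new-pw")
    return svc.validate(tok) is not None
```

Run with `revoke=False` the stale token still passes validation, which is the behaviour reported for Wink; with `revoke=True` it is rejected while a fresh login with the new password still issues a valid token.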
The Rapid7 security researchers uncovered that poor encryption, weak or default passwords and authentication issues are the main flaws in IoT devices. After performing a test attack on Insteon’s Garage Door Control Kit, the team captured the door-opening signal and replayed it later to open the garage door successfully.
Insteon also failed to encrypt protocols used on their control kits and lighting products. In addition, the Insteon Android application was found to store user credentials (usernames and passwords) in plain text for both the online account and the local area network hub.
The Rapid7 research team also pointed out that it takes very little effort for a third party to extract data from a lost phone, or from one without strong password protection. Moreover, most Android phones do not receive regular security updates from their manufacturers, making it easier for adversaries to exploit known vulnerabilities to gain root access or administrative privileges.
The impact of a breached home automation system is even higher as credentials are needed to control security systems such as door locks, window sensors, garage doors and alarms.
Remedy for Internet of Things Flaws
In a blog post with detailed findings, the Rapid7 team encourages users to keep their operating systems up to date, use strong passwords to lock their devices and enable full disk encryption on their smartphones.
The cybersecurity experts also recommended that users avoid using these systems for sensitive applications until the respective vendors patch the vulnerabilities.
The researchers also advised the companies to carry out a thorough code review, fix the bugs and provide users with regular patches to prevent intrusions into their home systems.
Those using Wink and Insteon Hubs for home automation should ensure they update their Android application to the latest version and encrypt their phone to prevent theft of credentials.