Smart hack: Kaspersky Lab discovers smart home hub vulnerable to remote attacks

27 February 2018

Kaspersky Lab researchers have discovered vulnerabilities in a smart hub used to manage all the connected modules and sensors installed in the home.

Analysis reveals that a remote attacker can access the product’s server and download an archive containing the personal data of arbitrary users. That data is what is needed to access their accounts and, as a result, take control of their home systems.

As the popularity of connected devices continues to increase, smart home hubs are in high demand. They make house management much easier, combining all device settings in one place and allowing users to set them up and control them through web interfaces or mobile applications. Some of them even serve as a security system. At the same time, being a “unifier” also makes this device an appealing target for cybercriminals, since it could serve as an entry point for remote attacks. Earlier last year, Kaspersky Lab examined a smart home device that turned out to provide a vast attack surface for intruders, based on weak password generation algorithms and open ports. During the new investigation, researchers discovered that an insecure design and several vulnerabilities in the architecture of the smart device could provide criminals with access to someone’s home.

First, researchers discovered that the hub sends the user’s data when it communicates with a server, including the login credentials needed to sign in to the web interface of the smart hub: the user ID and password. Moreover, other personal information, such as the user’s phone number used for alerts, can also be listed there. Remote attackers can download the archive with this information by sending a legitimate request to the server that includes the device’s serial number. Analysis also shows that intruders can discover the serial number because of the simplistic method used to generate it.

According to experts, serial numbers can be brute-forced using logic analysis and then confirmed through a request to the server. If a device with that serial number is registered in the cloud system, criminals will receive an affirmative response. As a result, they can log in to the user’s web account and manage the settings of sensors and controllers connected to the hub.

All information about the discovered vulnerabilities has been reported to the vendor and is now being fixed.

“The research we’ve conducted on smart home hubs confirms that these connected devices across the country are at risk of attack – resulting in vulnerabilities across millions of homes in the UK. Though it’s no surprise that IoT devices are still proving to be insecure, gadgets that are commonplace in homes, containing personal user data, should be afforded the utmost security protection. That smart home hub meters are open to attack from cybercriminals is very concerning due to the wealth of people using these devices on a day-to-day basis”, said David Emm, Principal Researcher at Kaspersky Lab. 

In order to stay protected, Kaspersky Lab strongly advises users to do the following:

  • Always use a complex password and do not forget to change it regularly.
  • Raise your security awareness by checking the latest information on the discovered and patched vulnerabilities of smart devices, which is usually available online.

To ensure the safety of your "smart" home and the Internet of Things, Kaspersky Lab offers its free application for the Android platform, Kaspersky IoT Scanner. The solution scans the home Wi-Fi network, informing the user about the devices connected to it and their level of security. 

To mitigate cybersecurity risks, Kaspersky Lab advises manufacturers and developers to always conduct security tests before products are released and to follow IoT cybersecurity standards. Recently Kaspersky Lab contributed to the Recommendation ITU-T Y.4806 (International Telecommunication Union — Telecommunication sector) standard, created to help maintain proper protection of IoT systems, including smart cities, wearable and standalone medical devices and many others.

More information on this research is available on Securelist.com

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company that celebrated its 20-year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialised security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at https://www.kaspersky.co.uk/.

Editorial contact:

  • Berkeley Global: Ollie Bennett, kasperskylab@berkeley.global, Telephone: 0118 909 0909, 100 Longwater Avenue, RG2 6GP, Reading
  • Kaspersky Lab UK: Stephanie Fergusson, Stephanie.Fergusson@kasperskylab.co.uk, Telephone: 07714107292, 2 Kingdom Street, W2 6BD, London
