The problem with vulnerable IoT companion apps
There’s no shortage of exploitable security holes in widely used Internet of Things devices, so it shouldn’t come as a surprise that the communication between many of those devices and their companion apps is not encrypted.
The research
A group of researchers from Brazil’s Federal University of Pernambuco and the University of Michigan have analyzed 32 unique companion Android apps for 96 WiFi and Bluetooth-enabled devices popular on Amazon.
They searched for answers to the following questions:
- Is the encryption key hardcoded?
- Does the app use local communication?
- Does the app send broadcast messages?
- Does the app use any well-known protocol with vulnerabilities?
They found lack of encryption in 31% of the apps analyzed and use of hardcoded keys in 19% of all the apps. Furthermore, they discovered that a significant fraction of the apps also use local communication or local broadcast communication, thus providing an attack path to exploit lack of crypto or use of hardcoded encryption keys.
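The four questions above can be turned into a first-pass audit over decompiled companion-app source. The following is an added example, not the researchers' tooling: the `DeviceClient` snippet it scans is constructed for illustration, and the regexes are heuristics for triage rather than a complete program analysis.

```python
from __future__ import annotations
import re

# Constructed sample of decompiled companion-app code (hypothetical, not from any real app).
SAMPLE_SOURCE = """\
public class DeviceClient {
    private static final byte[] KEY = "1234567890abcdef".getBytes();
    SecretKeySpec spec = new SecretKeySpec(KEY, "AES");
    String url = "http://192.168.0.10/cgi-bin/cmd";
    DatagramSocket sock = new DatagramSocket();
    sock.setBroadcast(true);
    InetAddress bcast = InetAddress.getByName("255.255.255.255");
    String legacy = "telnet://192.168.0.10:23";
}
"""

CHECKS = {
    # Q1: key material embedded as a string or byte-array literal
    "hardcoded_key": re.compile(r'"[^"]{8,}"\.getBytes\(\)|new\s+byte\[\]\s*\{'),
    # Q2: direct device traffic on the LAN (RFC 1918 literal) or a cleartext scheme
    "local_address": re.compile(r'\b(10\.\d{1,3}|192\.168|172\.(1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b'),
    "cleartext_endpoint": re.compile(r'"(http|ws)://'),
    # Q3: broadcast discovery or control traffic
    "broadcast": re.compile(r'setBroadcast\(\s*true\s*\)|255\.255\.255\.255'),
    # Q4: protocols with well-known weaknesses
    "weak_protocol": re.compile(r'\b(telnet|ftp|tftp)://|\bssdp\b', re.I),
}


def audit(source: str) -> dict[str, list[int]]:
    """Return, per check, the 1-based line numbers of `source` that trigger it (empty checks omitted)."""
    hits: dict[str, list[int]] = {name: [] for name in CHECKS}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in CHECKS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return {name: lines for name, lines in hits.items() if lines}


def has_local_attack_path(findings: dict[str, list[int]]) -> bool:
    """The paper's combination: local or broadcast traffic together with missing or hardcoded crypto."""
    local = bool(findings.get("local_address") or findings.get("broadcast"))
    weak_crypto = bool(findings.get("hardcoded_key") or findings.get("cleartext_endpoint"))
    return local and weak_crypto


if __name__ == "__main__":
    found = audit(SAMPLE_SOURCE)
    for name, lines in found.items():
        print(f"{name:20s} lines {lines}")
    print("local attack path:", has_local_attack_path(found))
```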
They also purchased and tested five of those devices and their four companion apps for attack paths (two of the selected devices use the same app):
- TP-Link Kasa, the app for controlling TP-Link-manufactured devices from the smart home product line Kasa
- LIFX, the app that controls smart lights manufactured by LIFX
- WeMo, the app for controlling Belkin devices from the product line WeMo
- e-Control, the app responsible for controlling smart home devices and universal remote controllers from Broadlink.
“Based on our in-depth analysis of 4 of the apps, we found that leveraging these weaknesses to create actual exploits is not challenging. A remote attacker simply has to find a way of getting the exploit either on the user’s smartphone in the form of an unprivileged app or a script on the local network,” they noted.
“We were successful in creating exploits for all five devices and able to control them, leveraging information that we gathered while analyzing the companion apps, both statically, through program analysis, and dynamically, through monitoring the network.”
Did someone get it right?
You may be left wondering whether some IoT manufacturers avoided all of those pitfalls.
The researchers did find four apps that use encryption without hardcoded keys and do not use local communication, broadcasts or known insecure protocols. Apparently, the Nest thermostat app is one of these.
“All their communication was via the cloud service, likely over SSL,” they shared, but noted that while this way of communication is relatively secure from the PoC attacks they devised, there is a privacy tradeoff.
“The cloud service has access to the commands sent to the device. Consequently, a potential long-range security risk exists if the cloud service is ever compromised, a non-negligible risk,” they pointed out.
On the other hand, even though the app that is used to control NVRs, DVRs and smart cameras by EZVIZ does support local communication between the companion app and the device over the local network, it uses a clever strategy for key exchange.
“The shared encryption key is enclosed in the box in the form of a QR code and must be scanned by the companion app. This strategy is better than hardcoded keys provided the key in the QR code is of sufficient length, random, and a strong crypto library is used,” they opined.
The researchers have shared their findings with the manufacturers, but none has acknowledged them and, to the best of the researchers’ knowledge, none has released patches for the vulnerabilities.