
Design flaws create security vulnerabilities for 'smart home' internet-of-things devices

May 02, 2019

Researchers at North Carolina State University have identified design flaws in "smart home" Internet-of-Things (IoT) devices that allow third parties to prevent devices from sharing information. The flaws can be used to prevent security systems from signaling that there has been a break-in or uploading video of intruders.

"IoT devices are becoming increasingly common, and there's an expectation that they can contribute to our safety and security," says William Enck, co-author of a paper on the discovery and an associate professor of computer science at NC State. "But we've found that there are widespread flaws in the design of these devices that can prevent them from notifying homeowners about problems or performing other security functions."

"Essentially, the devices are designed with the assumption that wireless connectivity is secure and won't be disrupted - which isn't always the case," says Bradley Reaves, co-author of the paper and an assistant professor of computer science at NC State. "However, we have identified potential solutions that can address these vulnerabilities."

Specifically, the researchers have found that if third parties can hack a home's router - or already know the password - they can upload network layer suppression malware to the router. The malware allows devices to upload their "heartbeat" signals, signifying that they are online and functional - but it blocks signals related to security, such as when a motion sensor is activated. These suppression attacks can be done on-site or remotely.

"One reason these attacks are so problematic is that the system is telling homeowners that everything is OK, regardless of what's actually happening in the home," Enck says.

These network layer suppression attacks are possible because, for many IoT devices, it's easy to distinguish heartbeat signals from other signals. And addressing that design feature may point the way toward a solution.

"One potential fix would be to make heartbeat signals indistinguishable from other signals, so malware couldn't selectively allow heartbeat signals to pass through," says TJ O'Connor, first author of the paper and a Ph.D. student at NC State.

"Another approach would be to include more information in the heartbeat signal," O'Connor says. "For example, if a device sends three motion-sensor alerts, the subsequent heartbeat signal would include data noting that three sensor alerts had been sent. Even if the network layer suppression malware blocked the sensor alert signals, the system would see the heartbeat signal and know that three sensor alerts were sent but not received. This could then trigger a system warning for homeowners."

"No system is going to be perfect, but given the widespread adoption of IoT devices, we think it's important to raise awareness of countermeasures that device designers can use to reduce their exposure to attacks," Enck says.
-end-
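
The heartbeat-counter countermeasure O'Connor describes above, sketched as an added example (not code from the paper or from any vendor): the cloud service reconciles the alerts it received against the cumulative count each heartbeat reports. The JSON layout, the `alerts_sent` field, the per-device HMAC key and all class and function names are assumptions made for illustration; the HMAC is included so that an on-path party cannot rewrite the counter unnoticed.

```python
import hashlib
import hmac
import json


class TelemetryMonitor:
    """Cloud side: reconcile received alerts with the count each heartbeat reports."""

    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> HMAC key (assumed provisioned)
        self.received = {}              # device_id -> alert sequence numbers seen

    def on_alert(self, device_id, seq):
        self.received.setdefault(device_id, set()).add(seq)

    def on_heartbeat(self, device_id, body, tag):
        """Return sequence numbers the device sent but the cloud never received.

        Raises ValueError when the heartbeat's authentication tag does not verify.
        """
        key = self.device_keys[device_id]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("heartbeat failed authentication")
        alerts_sent = json.loads(body)["alerts_sent"]
        seen = self.received.get(device_id, set())
        # Any gap between what was sent and what arrived is a suppressed alert.
        return [s for s in range(1, alerts_sent + 1) if s not in seen]


def make_heartbeat(key, alerts_sent):
    """Device side: heartbeat body with the cumulative alert counter, plus its tag."""
    body = json.dumps({"alerts_sent": alerts_sent}).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


def demo():
    # Constructed scenario: the sensor sends alerts 1-3, but only alert 1
    # reaches the cloud; the heartbeat that follows still gets through.
    key = b"constructed-demo-key"
    monitor = TelemetryMonitor({"motion-1": key})
    monitor.on_alert("motion-1", 1)
    body, tag = make_heartbeat(key, alerts_sent=3)
    return monitor.on_heartbeat("motion-1", body, tag)


if __name__ == "__main__":
    print("alerts sent but never received:", demo())
```

A non-empty result is the condition that would trigger the homeowner warning mentioned in the quote.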
The paper, "Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things," will be presented at the 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec '19), being held May 15-17 in Miami, Fla.

Note to Editors: The study abstract follows.

"Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things"

Authors: TJ O'Connor, William Enck and Bradley Reaves, North Carolina State University

Presented: WiSec '19, May 15-17, Miami, Florida

Abstract: The always-on, always-connected nature of smart home devices complicates Internet-of-Things (IoT) security and privacy. Unlike traditional hosts, IoT devices constantly send sensor, state, and heartbeat data to cloud-based servers. These data channels require reliable, routine communication, which is often at odds with an IoT device's storage and power constraints. Although recent efforts such as pervasive encryption have addressed protecting data in-transit, there remains little insight into designing mechanisms for protecting integrity and availability for always-connected devices. This paper seeks to better understand smart home device security by studying the vendor design decisions surrounding IoT telemetry messaging protocols, specifically, the behaviors taken when an IoT device loses connectivity. To understand this, we hypothesize and evaluate sensor blinding and state confusion attacks, measuring their effectiveness against an array of smart home IoT device types. Our analysis uncovers pervasive failure in designing telemetry that reports data to the cloud, and buffering that fails to properly cache undelivered data. We uncover that 22 of 24 studied devices suffer from critical design flaws that (1) enable attacks to transparently disrupt the reporting of device status alerts or (2) prevent the uploading of content integral to the device's core functionality. We conclude by considering the implications of these findings and offer directions for future defense. While the state of the art is rife with implementation flaws, there are several countermeasures IoT vendors could take to reduce their exposure to attacks of this nature.

North Carolina State University
