Researchers at Pradeo Lab looked at a representative sample of 100 mobile applications used to control a variety of IoT devices, including thermostats, electric blinds, and baby monitors.
All of the apps were sourced from the official app stores run by Google and Apple, which you would like to think ensures a certain level of quality control.
However, although none of the apps can be classified as downright malicious, worrying evidence was found of mobile apps used to control ‘smart’ home devices being vulnerable to attacks, or downright reckless in how they handled users’ sensitive information.
According to the research, an alarming 80% of the tested apps contained vulnerabilities, with an average of 15 flaws discovered per application.
15% of the vulnerabilities discovered, said the researchers, could lead to a man-in-the-middle (MITM) attack, in which an attacker could not only intercept communications between an IoT device and its smartphone app, but potentially also inject rogue commands, allowing a criminal to hijack control.
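The rogue-command half of that risk is worth seeing in code. The following is an added example, not code from the Pradeo report or from any of the apps it examined: it assumes a shared per-device key provisioned at pairing time (a constructed demo value here) and shows how a device can reject commands that were tampered with in transit, replayed from an earlier capture, or forged without the key, by requiring an HMAC-SHA256 tag over a strictly increasing counter and the command body.

```python
import hashlib
import hmac
import json
import struct

TAG_LEN = 32  # HMAC-SHA256 output length in bytes

# Constructed demo key. A real deployment would provision a unique key per device
# at pairing time and keep it out of app logs, temporary files and third-party servers.
DEVICE_KEY = bytes.fromhex("6a1f" * 16)  # 32 bytes, demo value only


def encode_command(counter: int, command: dict) -> bytes:
    """Canonical wire form: 8-byte big-endian counter followed by compact, key-sorted JSON."""
    body = json.dumps(command, sort_keys=True, separators=(",", ":")).encode()
    return struct.pack(">Q", counter) + body


def sign_command(key: bytes, counter: int, command: dict) -> bytes:
    """App side: append an HMAC-SHA256 tag over counter||body so neither can be altered in transit."""
    payload = encode_command(counter, command)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


class Device:
    """Device side: accepts only authentic, fresh commands."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far
        self.state = {}

    def handle(self, message: bytes) -> tuple[bool, str]:
        if len(message) < 8 + TAG_LEN:
            return False, "too short"
        payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        # Constant-time comparison: a forged or tampered message fails here.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        counter = struct.unpack(">Q", payload[:8])[0]
        # Strictly increasing counter: a captured message cannot be replayed later.
        if counter <= self.last_counter:
            return False, "replay"
        try:
            command = json.loads(payload[8:])
        except ValueError:
            return False, "malformed"
        self.last_counter = counter
        self.state.update(command)
        return True, "ok"


def run_scenarios() -> dict:
    """Exercise the device with one genuine command and three constructed hostile messages."""
    device = Device(DEVICE_KEY)
    results = {}

    genuine = sign_command(DEVICE_KEY, 1, {"blinds": "open"})
    results["genuine"] = device.handle(genuine)

    # Altered in transit: same length, one field changed, so the tag no longer matches.
    tampered = sign_command(DEVICE_KEY, 2, {"blinds": "open"}).replace(b'"open"', b'"shut"')
    results["tampered"] = device.handle(tampered)

    # Replayed: the earlier genuine message delivered a second time.
    results["replayed"] = device.handle(genuine)

    # Forged without knowledge of the device key.
    forged = sign_command(b"not-the-real-key", 3, {"blinds": "shut"})
    results["forged"] = device.handle(forged)

    results["state"] = dict(device.state)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The tag gives integrity and the counter gives freshness; neither hides the command from an eavesdropper, so this sits on top of, not instead of, a properly verified TLS channel between the app and the device.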
And then there are concerns over data being sent to third-party remote servers. 8% of the applications (approximately one in 12) ‘phoned home’ to, or connected to, uncertified servers. According to Pradeo, some of those servers have expired and are available for sale, giving a malicious actor the opportunity to buy them up in order to access any data they receive.
The researchers finished their report by noting the breadth of data that is leaked by the flawed apps they discovered, with 90% said to be leaking one type of data or another:
- Application file content: 81% of applications
- Hardware information (device manufacturer, commercial name, battery status etc): 73%
- Device information (OS version number etc): 73%
- Temporary files: 38%
- Phone network information (service provider, country code etc): 27%
- Video and audio records: 19%
- Files coming from app static data: 19%
- Geolocation: 12%
- Network information (IP address, 2D address, Wi-Fi connection state): 12%
- Device identifiers (IMEI): 8%
It’s clear to me that many IoT devices, and their associated apps, are made down to a price rather than up to a decent level of security and privacy. If you cannot trust manufacturers to have built their products to a decent level of security then you’re going to have to either take additional measures to defend privacy in your ‘smart’ home or throw the gadgets in the dustbin.