The World of Technology News and Products

Vulnerabilities in “smart” homes

What smart home vulnerabilities Kaspersky has detected

Security research on IoT began years ago, and as the IoT ecosystem continues to expand, such research is still relevant.

New products and new threats appear every day and pose fresh challenges for businesses. There are many examples of this all around us. One Kaspersky employee challenged the company's researchers to examine his “smart” home system. He gave them access for testing, which is normal practice in the industry. The safest strategy is to use a control device with software that has reliable safety features such as robust encryption standards and unique ID codes. A breach would then be prevented, because the attacker would need access to multiple devices for it to succeed.

The cloud infrastructure proved to be the most effective avenue for attack. A technical examination of the methods used to process requests from a user’s device revealed vulnerabilities in the authorisation process and the possibility of remote code execution.

Kaspersky testing

Kaspersky identified some important vulnerabilities in a control device of an active home ecosystem. These included bugs in the cloud infrastructure and possible remote code execution that would allow a third party to gain “super user” access to the control device and manipulate the smart home infrastructure in any way they want. Kaspersky has reported to Fibaro about potential security threats on the latter’s website, prompting the company to upgrade its security protocols.

Kaspersky scientists ran a test attack on the control device to determine whether it was vulnerable. It is important to set up a system that can catch credential stuffing done in one way. After the user received an email and SMS, one can prepare for what would happen next by having a script for further stealing. As requested, the “victim” agreed to upgrade the firmware and downloaded a compromised backup. The researchers gained super user privileges by downloading a compromised firmware update on a networked device that has “smart appliances.” These hackers were able to remotely control their home and keep it safe. The researchers made sure the alarm clock woke up their target the next day. They changed the sound to a loud drum and bass song so it would be detectable by any intruder.

Representatives’ statements

“Unlike us, a real attacker with access to the home center would be unlikely to be limited. One of the key functions of the device we studied is to integrate all the ‘smart things’ so that the homeowner can manage them from a single home center. One important detail is the focus of the evaluation on an active system. Previously, most of the research took place under laboratory conditions. More importantly, the devices we studied had mass production and deployment in functional “smart” home networks. We thank Fibaro for their responsible attitude towards the issues raised, as we know they focus on digital security, and for making our colleague’s home even more secure than it was before the research,” said Pavel Cheremushkin, security researcher at Kaspersky ICS CERT.

“IoT infrastructure requires a complex system that will work fluently on many levels. It involves a lot of implementation and architectural work. We appreciate Kaspersky’s research and effort. It has helped us work on the security of our products and services. Together we addressed potential weaknesses. We strongly recommend FIBARO users to install the updates. They should always check if the emails are in line with the announcements on the FIBARO website. The upgrades increase the functionality of the system. They also make it harder for hackers to try to extract personal data.” Fibaro CPO Krzysztof Banasiak made the statement.


Author: PC-GR