Princeton: IoT Devices’ Security Flawed

Princeton: IoT Devices’ Security Flawed

This post is also available in: heעברית (Hebrew)

The Internet of Things (IoT) is growing, soon to be a permanent feature of our lives, but there are some things about it which should worry anybody. The biggest of them is security, or rather lack thereof. New research from Princeton only adds to the worries.

Researchers at the Centre for Information Technology Policy (CITP) at Princeton investigated several IoT devices, focusing on how information is exchanged between them. Their aim was to see how secure they are. Among the devices they looked at are the Belkin WeMo Switch, Ubi Smart Speakers, Sharx Security Camera, the Nest Thermostat, and others. What they found is extremely worrying. Some, too many, of these devices transmit data in the open, unsecured and unencrypted.

The Nest thermostat, for example, leaks customer’s area codes for everyone to see over the internet. Simply put, the device lets anyone on the open internet know the address it’s installed at. Nest patched the issue when notified, but it shouldn’t have been an issue in the first place.

The Sharx security camera was also transmitting video footage in a completely unsecure manner. Reportedly, video was being transmitted over an unencrypted FTP connection. Anyone with just a tiny bit of technical know-how could gain access and see everything the camera was shooting. Even worse than Nest’s case, Sharx allowed people to be potentially spied on by the very device that was supposed to make them more secure.

The CITP researcher found that many of the IoT devices they investigated simply didn’t encrypt at least a portion of the information they were transmitting over the internet. This state of affairs is absolutely unacceptable. Manufacturers should and must take customer’s security seriously and make it a top priority. Issues such as this belong in amateur hour, not in the corporate world.