Craig Young, a security researcher with Tripwire security, presented his research titled “Smart Home Invasion” at the 2015 Intelligent Defense European Technical Research Conference in June, where he revealed a zero-day exploits in Internet of Things devices like SmartThings hubs, Wink hubs, and MiOS Vera:
“Vulnerable versions of Vera and Wink could be attacked through HTTP requests,” Young added. “These requests may come from a malicious web page (as demonstrated at IID on the Vera), a phone app on the LAN, or a malicious user on the LAN directly connecting to the vulnerable device. In the case of Vera, the attacker can directly supply commands to run on the Vera’s embedded operating system. In the case of Wink, the attacker would inject SQL commands to trick SQLite into creating a PHP script on the device. A subsequent request can then trigger execution of the PHP code with root permissions.”
The SmartThings hub had the least serious vulnerability as it was vulnerable to improper certificate validation. The holes in both SmartThings and Wink were patched, but that means the user must apply the patches. In the case of SmartThings, a mandatory update was pushed out in February. A spokesperson said, “Any inactive hub that was not updated, cannot connect to the SmartThings service and is automatically redirected to an update server.”
As the Internet of Things evolves over the course of the next few years, expect to see a lot more vulnerabilities exposed as the manufacturers creating these devices are not including security in the design stages of their products. IoT increases the cyber attack surface and will be a huge platform malicious actors – likely cyber criminals – will attempt to leverage to gain access to private data for nefarious purposes.