A paper distributed on arXiv, the online e-print repository, examines the weak security of the smartphone companion apps that control IoT devices. The security problems of the devices themselves are well documented; the apps that configure and command them have received far less scrutiny. Customers tend to ask how secure the device is, while for manufacturers racing to market, security is often an afterthought.
Connected devices are a recent boom, but mobile app development is a mature field with well-established secure-development practices: transport encryption, sound key management, authenticated pairing. The paper’s findings suggest those practices have not yet reached many IoT companion-app developers.
The five computer scientists behind the study analyzed the companion apps for 96 IoT devices. They found that nearly 31 percent of the apps used no encryption at all for device communication, and a further 19 percent relied on hard-coded keys that are easy to recover from the app package. Taken together, the paper concludes that about 50 percent of the apps can be exploited. For a smart home with several connected devices, that means roughly even odds that any given companion app provides even basic protection for its device traffic.
Admittedly, nobody expects much security from IoT devices at the cheap end of the market, but an acceptable baseline is still reasonable to ask for. Even large household names whose apps were put under the microscope did not perform as well as many would have expected. The LIFX app, the WeMo app for Belkin devices, the ‘Kasa for Mobile’ app for TP-Link devices and the ‘e-Control’ app for Broadlink gear were all vulnerable, and the researchers were able to build a working exploit for each.
In the report, the researchers wrote: “We find that an Amazon top-seller smart plug from TP-Link shares the same hard-coded encryption key for all the devices of a given product line and that the initial configuration of the device is established through the app without proper authentication.”
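The hard-coded keys behind the 19 percent figure above, and the shared product-line key in the TP-Link quote, are typically found by decompiling the companion app (for example with jadx) and looking for key-sized string constants that flow into javax.crypto calls. The Python script below is an added illustration of that triage heuristic; it is not tooling from the paper or code from any vendor named here. It runs over a constructed Java snippet that imitates decompiler output; the package name, class, constants and key values are invented for the example.

```python
"""Heuristic scan of decompiled companion-app source for hard-coded key material.

Added illustration; not the paper's tooling. Feed it decompiler output (jadx) or
`strings` of classes.dex. The sample below is constructed, not real vendor code.
"""
import base64
import math
import re
from collections import Counter

KEY_SIZES = {16, 24, 32}  # AES-128/192/256 key lengths in bytes (AES IVs are 16)
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# javax.crypto call sites where a literal, or a constant built from one, becomes key/IV bytes
CRYPTO_SINK = re.compile(r'SecretKeySpec|IvParameterSpec|Cipher\.getInstance|Mac\.getInstance')


def shannon_entropy(text):
    """Bits per character; 16 distinct characters in 16 positions gives the maximum 4.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def classify_literal(lit):
    """Return why `lit` looks like key material, or None if it does not."""
    if re.fullmatch(r'[0-9a-fA-F]+', lit) and len(lit) % 2 == 0 and len(lit) // 2 in KEY_SIZES:
        return f"hex literal decoding to {len(lit) // 2} bytes"
    if re.fullmatch(r'[A-Za-z0-9+/]+={0,2}', lit) and len(lit) % 4 == 0:
        try:
            raw = base64.b64decode(lit, validate=True)
        except ValueError:
            raw = b""
        if len(raw) in KEY_SIZES:
            return f"base64 literal decoding to {len(raw)} bytes"
    if len(lit) in KEY_SIZES and not re.search(r'\s', lit):
        # raw ASCII passed straight to getBytes(): the pattern the study describes
        return f"{len(lit)}-char ASCII literal (entropy {shannon_entropy(lit):.2f} bits/char)"
    return None


def find_hardcoded_keys(source):
    """Return candidate key literals, noting whether each reaches a javax.crypto call."""
    lines = source.splitlines()
    sink_lines = [l for l in lines if CRYPTO_SINK.search(l)]
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in STRING_LITERAL.finditer(line):
            lit = m.group(1)
            reason = classify_literal(lit)
            if reason is None:
                continue
            # if the literal initialises a named constant, look for that name at a crypto call site
            assign = re.search(r'(\w+)\s*=\s*"' + re.escape(lit) + '"', line)
            name = assign.group(1) if assign else None
            reaches = bool(CRYPTO_SINK.search(line)) or (
                name is not None and any(re.search(rf'\b{re.escape(name)}\b', s) for s in sink_lines))
            findings.append({"line": lineno, "name": name, "literal": lit,
                             "reason": reason, "reaches_crypto_api": reaches})
    return findings


# Constructed sample resembling jadx output for a companion app; hypothetical names and values.
SAMPLE_JAVA = """\
package com.example.smartplug;
public class DeviceCipher {
    private static final String KEY = "0123456789abcdef";
    private static final String IV = "MDEyMzQ1Njc4OWFiY2RlZg==";
    private static final String FW_KEY = "a3f1c2d4e5b69788c0ffee0badf00d42";
    private static final String TAG = "DeviceCipher";
    public byte[] encrypt(byte[] plain) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(KEY.getBytes("UTF-8"), "AES");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, spec, new IvParameterSpec(Base64.decode(IV, 0)));
        return c.doFinal(plain);
    }
    public void fail() { Log.e(TAG, "device not found"); }
}
"""

if __name__ == "__main__":
    for f in find_hardcoded_keys(SAMPLE_JAVA):
        flag = "USED IN CRYPTO CALL" if f["reaches_crypto_api"] else "unreferenced"
        print(f'line {f["line"]:>3} {f["name"] or "-":8} {f["reason"]:48} {flag}')
```

On the sample, KEY and IV are flagged and traced to SecretKeySpec and IvParameterSpec, which is exactly the situation the quote describes: every installation of the app, and therefore every device of that product line, shares the same secret, so one extraction breaks them all. FW_KEY is key-sized but never reaches a crypto call and needs manual follow-up, while the 16-character log message is suppressed by the whitespace check. Entropy is reported rather than thresholded because hard-coded keys are often low-entropy placeholders like the one shown.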
The researchers say they notified the companies behind each of the affected companion apps of their findings before publishing the report, but had not received a response.