Kaspersky Lab researchers have discovered vulnerabilities in a smart hub used to manage all of the connected modules and sensors installed in a home.
The researchers revealed that a remote attacker can access the product's server and download an archive containing the personal data of arbitrary users, which is all that is needed to access their accounts and, as a result, take control of their home systems.
As connected devices continue to grow in popularity, smart home hubs are in high demand.
Earlier last year, Kaspersky Lab examined a smart home device that turned out to offer intruders a vast attack surface, owing to weak password generation algorithms and open ports.
‘Serial numbers can be brute-forced’
During the new investigation, researchers discovered that an insecure design and several vulnerabilities in the architecture of the smart device could give criminals access to someone's home.
First, researchers discovered that the hub sends the user's data when it communicates with a server, including the login credentials needed to sign in to the web interface of the smart hub – the user ID and password.
Moreover, other personal information, such as the phone number the user registered for alerts, can also be included. Remote attackers can download the archive containing this information by sending a legitimate request to the server that includes the device's serial number.
According to experts, serial numbers can be brute-forced using logic analysis and then confirmed through a request to the server.
If a device with that serial number is registered in the cloud system, the server confirms this to the attacker.
As a result, the attacker can log in to the user's web account and manage the settings of the sensors and controllers connected to the hub.
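The design flaw the article describes is an endpoint whose only "credential" is a guessable device serial number, which both hands out an archive of account data and confirms whether a serial is registered. The following is an added example, not the vendor's or Kaspersky Lab's code: it models that insecure handler beside a hardened one that requires the account owner to authenticate first, binds the hub to that account, returns one uniform refusal for "unknown serial" and "not your hub", throttles repeated misses per client, and never returns the password at all. All data, function names and the session scheme are constructed assumptions.

```python
"""Constructed model of an insecure serial-number-keyed download endpoint
beside a hardened version. Added example; not the vendor's or Kaspersky's
code. Sample hubs, users and function names are assumptions."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample state of the cloud service: one registered hub.
REGISTERED_HUBS = {
    "SN-000123": {
        "owner": "alice",
        "phone": "+1-555-0100",
        # The vulnerable design shipped the web-interface password inside
        # the downloadable archive (constructed value).
        "web_password": "correct horse",
    },
}

# Account owners: password kept only as a salted hash (constructed).
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"hub-login-pw").hexdigest()}


def insecure_download(serial: str):
    """Vulnerable design: anyone who guesses a serial gets the archive with
    the login credentials, and a miss tells the caller the serial is not
    registered, so the endpoint doubles as an enumeration oracle."""
    hub = REGISTERED_HUBS.get(serial)
    if hub is None:
        return 404, {}
    return 200, {"user": hub["owner"], "password": hub["web_password"],
                 "phone": hub["phone"]}


# ---- Hardened design -------------------------------------------------------
SESSIONS = {}                # session token -> username
FAILED = defaultdict(int)    # client id -> consecutive failed lookups
MAX_FAILED = 5               # lookups refused once a client exceeds this


def login(username: str, password: str) -> Optional[str]:
    """Authenticate the account owner; return a session token or None."""
    expected = USERS.get(username)
    got = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, got):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def secure_download(client_id: str, session_token: Optional[str], serial: str):
    """Hardened design: the serial number is never a credential on its own.
    A valid session is required, the hub must belong to the session's user,
    unknown and foreign serials get the same answer, repeated misses are
    throttled, and the password is never part of the response."""
    if FAILED[client_id] >= MAX_FAILED:
        return 429, {}
    user = SESSIONS.get(session_token or "")
    if user is None:
        FAILED[client_id] += 1
        return 401, {}
    hub = REGISTERED_HUBS.get(serial)
    # Uniform refusal: a caller cannot tell "no such device" from "not yours".
    if hub is None or not hmac.compare_digest(hub["owner"], user):
        FAILED[client_id] += 1
        return 403, {}
    FAILED[client_id] = 0
    return 200, {"user": hub["owner"], "phone": hub["phone"]}
```

The insecure handler illustrates both problems the article names at once: a guessed serial yields the archive, and the differing 404/200 responses let a caller confirm which serials are registered. The hardened handler removes the serial number from the trust decision entirely; whether the serial is guessable no longer matters, because the response is gated on who is asking.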
‘Vulnerabilities across millions of homes’
All information about the discovered vulnerabilities has been reported to the vendor and the issues are now being fixed.
David Emm, principal security researcher at Kaspersky Lab, commented: “The research we’ve conducted on smart home hubs confirms that these connected devices are at risk of an attack – resulting in vulnerabilities across millions of homes.
“Though it’s no surprise that IoT devices are still proving to be insecure, gadgets that are commonplace in homes, containing personal data, should be afforded the utmost security protection.
“The fact that smart home hub meters are open to attack from cyber criminals is very concerning due to the wealth of people using these devices on a day-to-day basis.”
In order to stay protected, Kaspersky Lab strongly advises users to always use a complex password and to raise their security awareness by checking the latest information online on discovered and patched vulnerabilities in smart devices.
Written from press release by Leah Alger