A study from security research firm Veracode this week underscores a common fear about smart-home devices. If you connect your thermostat, your garage door, or your front door lock to the Internet, you could also introduce network security vulnerabilities from those devices, which a tech-savvy criminal could then potentially exploit. It's an important topic, but the report merits a close look before you throw away your Nest.
Veracode reviews six products from four different manufacturers in its report: and MyQ Gateway, home automation hub, and and control panel. Veracode says it reviewed only those six smart-home devices, so absent are popular products like the , the , smart LED bulbs or anything from . I wouldn't expect them to review everything (we can't either), but keep in mind there are a lot of smart-home products out there.
Breaking its study into four categories, Veracode's report displays its findings in methodical, well-organized fashion. It looks at potential vulnerabilities in the communication between each product and the smartphone app designed to control it, communication between the device and its associated cloud services, any interfaces on the device itself, as well as the presence of any debugging interfaces that might grant unwanted access to engineering-level commands. A moderately tech-savvy reader should be able to understand most of it, even without much familiarity with network security jargon.
Of the four vendors, Ubi comes out looking the least protected. Among other problems, Ubi doesn't employ enough encryption in transmission between the device and its back-end cloud service, it doesn't require users to make strong enough passwords, and it doesn't restrict access to its debugging interface (from which an attacker can execute commands on the device).
Ubi's CEO Leor Grebler danced when I asked him for his response. "The report is an apples-to-oranges comparison. The Ubi is not a 'common at-home device' -- we were a Kickstarter-backed product and putting it next to Wink and MyQ is flattering." If the report were about marketing spend and units shipped, he might have a point, but the Ubi is for sale to consumers, and that's all that matters. Grebler does mention in a forum post that beefing up password protection is "on our roadmap," but the overall tone of his response is more defensive than reassuring.
Wink looks less bad in the report. Via a spokesman, new Wink security head Brian Knopf said, "We patched the ADB debugging issue present in Wink Relay before Veracode notified us of the vulnerability." Other problems (weak passwords, potential for man-in-the-middle attacks) are "in the process of being improved for both the Hub and Wink Relay," said Knopf.
Chamberlain was also a victim of bad timing between Veracode's testing, its own patch schedule, and then Veracode publishing its report. Company spokesperson Cory Sorice says it has addressed every issue except for requiring strong passwords from its users. "We are looking at this later in the year along with other improvements to our security and architecture."
SmartThings' review was the least damning. Its only local vulnerability is the presence of its debugging interface, but access to it is password-protected. SmartThings wouldn't comment on the report, but there isn't a lot to comment on for them, either.
Aside from those vulnerabilities relating to each device and its accompanying services, Veracode also looked at what would happen if someone gained access to your user account information, or somehow breached the back-end cloud service.
Unsurprisingly, if someone gets your account credentials, they can access your account and interact with your devices. Two-factor authentication would add more security here, and none of the companies reviewed here provides it. This is an oversight.
A full cloud system breach, of course, also means a complete system compromise.
The larger question for all of this is whether these security issues will matter to consumers. Credit card breaches at TJ Maxx and others haven't stopped us from shopping at those stores. The potential consequences of a credit rating hit likely aren't as dire as someone gaining access to your front door lock, but our history is that we change our passwords or get a new card and move on.
I asked Veracode about the claims from various manufacturers that they've issued patches to address some of the issues in the report, and they essentially said that they haven't had a chance to test those updates yet. You always need to ask about the motivations of security research (as you do with journalism), but Veracode's report doesn't feel like grandstanding to me. They simply went with the information they could verify at the time of their publication date. We often face the same situation in product reviews, and we try to update as soon as we can. I hope Veracode does the same. I also hope Veracode continues to look at smart-home products this way, and that they call out the ones that get it right.