In the past few months, we've seen major connected device vulnerabilities make headlines. At Minim, IoT security is always top of mind, so we're kicking off a home network security monitoring series. Take a look at what caught our eye.
Google Home Hub
Screenshot taken Nov 15, 2018 from Google Home website.
On October 31, 2018, several tech review sites— see articles by Tom's Guide, CNET, and AndroidPIT— alerted the public regarding a major security flaw found in one of Google's products, the Google Home Hub. These alerts stemmed from the Twitter announcement made by Jerry Gamblin, an avid security researcher and fan of Google's products:
I am not an IOT security expert, but I am pretty sure an unauthenticated curl statement should not be able to reboot the @madebygoogle home hub. pic.twitter.com/gCWFm5Ofyb
— Jerry Gamblin (@JGamblin) October 27, 2018
Essentially, Gamblin was using the Google Home Hub and found that it could be remotely controlled by another device by executing a single, unauthenticated command. Doing so allowed Gamblin to remotely reboot the Google Home Hub, as well as edit the device's configuration settings. Notably, for a device to be used to remotely control the Hub, it needs to be on the same WiFi network, so he points out that securing the WiFi network is the best step towards IoT security. We agree.
See Gamblin's technical deep dive for more detail on this security flaw.
Sony Bravia Smart TV
Up next on our list of major security headlines is the Sony Bravia Smart TV. Earlier in October, news broke out that Sony had discretely killed 3 bugs found in the firmware of the Bravia Smart TV models.
FortiGuard Labs, the security research team behind cybersecurity company Fortinet, had released the initial story, stating that they had discovered 3 critical vulnerabilities:
- Stack Buffer Overflow (high severity)— a memory corruption vulnerability
- Directory Traversal (high severity)— a filesystem vulnerability
- Command Injection (critical severity)— a root privilege vulnerability
Luckily, FortiGuard Labs was able to inform Sony of their findings, who promptly responded to fix these vulnerabilities.
For more detail and instructions on how to make sure your Sony Smart TV's firmware is up-to-date, see here.
FreeRTOS devices
The last major security headline of October regarded the numerous vulnerabilities that were found in FreeRTOS, which is an open-source operating system that's stewarded by Amazon for IoT devices.
Zimperium's zLabs researcher Ori Karliner found 13 vulnerabilities that could allow numerous attacks and give hackers access to smart devices. Think device crashes and takeovers, information leakage, and DOS attacks.
Considering FreeRTOS is used in millions of embedded devices spanning multiple industries, these vulnerabilities raise many concerns. In terms of where these vulnerabilities stand today, Karliner states the following:
"Since this is an open source project, we will wait for 30 days before publishing technical details about our findings, to allow smaller vendors to patch the vulnerabilities."
In the meantime, Amazon has released patches for several AWS FreeRTOS versions.
Conclusion
A key takeaway from discussing these IoT security flaws could very well be the following: IoT devices are not secure by design. Some legal bodies are trying to combat this unfortunate fact. For example, the state of California recently enacted an IoT cybersecurity law: starting in January 2020, device manufacturers must "equip the device with a reasonable security feature," ranging from preventing unauthorized access to protecting information and personal data.
At Minim, it is our mission to make IoT security simple and accessible for every household. If you are interested in learning more, let us know.
