As our homes become increasingly connected, the Internet of Things (IoT) has transformed the way we interact with our day-to-day living spaces. From smart thermostats and lighting systems to voice-activated assistants and connected appliances, IoT devices offer unprecedented convenience and efficiency. Many of these smart devices are powered and controlled by mobile applications. This app-centric approach puts application security at the forefront of IoT protection. 

According to an SDM Magazine webinar titled “Security & Smart Home Market: The Latest Trends and Advancements,” the smart home market is expected to grow to $138 billion by 2026, with a compound annual growth rate (CAGR) of 10.4%. This rapid growth underscores the critical need for robust security measures, particularly in the apps that serve as the primary interface for these devices.

However, this interconnectedness also brings new security challenges that consumers and device manufacturers must address. In this blog post, we’ll explore the critical role of application security in the IoT sector.

The IoT security landscape

The proliferation of IoT devices without common standards and practices worldwide has created a complex security landscape. According to a recent Forrester report on emerging technologies, IoT security is one of the top trends that companies need to have on their radar. The report emphasizes that “IoT security technologies reduce the chances of compromising critical data and can accelerate the value of edge intelligence technology.”

This observation highlights the dual nature of IoT security: it’s not just about protecting individual devices but also about safeguarding the entire ecosystem and the valuable data it generates. 

As Dr. Klaus Schenk, SVP Security and Threat Research at Verimatrix, notes:

“IoT security is paramount as these devices have become deeply embedded in our critical infrastructure and daily lives. The impact of IoT hacks came to light in 2016 when the Mirai botnet infiltrated many millions of weakly protected IoT devices, turning these devices into weapons and enabling the operators of this botnet to conduct DDoS attacks that took down the internet connections of whole countries over weeks. 

Today, IoT devices control the public infrastructure of cities and households. Thus, any mass hack impacting a significant portion of IoT devices can block the population from essential resources such as water or electric power. Modern IoT devices are usually controlled by mobile applications, carrying vital individual user data. These mobile applications open up new attack vectors on IoT devices, and the stored personal data is another target for criminals. Via these attack vectors, all the dangerous and powerful attack frameworks, like Hook, became a threat to IoT devices and related personal information. 

These attack frameworks and their dropper applications can develop significant reach and impact. The numbers of infected devices can range from hundreds of thousands to many millions per criminal campaign. Even legitimate development processes can be compromised by malware infiltrating the supply chain, underscoring the critical need for robust application security measures, proactive monitoring, and swift action from responsible app developers. By implementing the right tools at the right time and in the right way, we can significantly mitigate these risks and safeguard our increasingly connected digital ecosystem.”

Popular smart home devices and examples of attacks

To understand the importance of application security in IoT, let’s first look at some common IoT devices and their vulnerabilities:

  • Printers and printing apps: These are common gateways for attacks on home and even company networks. Often, these devices even expose unprotected listening ports to the public internet.
  • Home routers and control applications: Routers are the gateway to your smart home. Many have long lifespans and identical configurations, making them attractive targets for cybercriminals. Cloud-based applications now often control the routers, enabling one campaign to impact millions of routers. 
  • Children’s monitoring devices and monitoring apps: Baby monitors and other child-focused IoT devices have leaked personal information in many cases, often via their controlling apps.
  • Healthcare devices and control apps: Connected health devices, such as insulin pumps, can pose life-threatening risks if hacked.
  • Webcams and monitoring apps: Prone to privacy breaches, unsecured webcams can also be weaponized for large-scale DDoS attacks.

The critical role of application security

While hardware security is up to the manufacturers, the application security required to protect IoT devices is often overlooked. Many vulnerabilities stem from developers not applying security to the code during the CI/CD process. Developers also often rely on untested supply chain code to assemble the app quickly. Here’s why application security is critical in the IoT sector:

  • Attack surface reduction: Properly secured applications minimize the potential entry points for attackers. By implementing robust authentication, encryption, and access controls, developers can significantly reduce the attack surface of IoT devices. Application protection can monitor and protect entry points for applications.
  • Data protection: IoT devices collect and process vast amounts of sensitive data. Secure applications ensure that this data is encrypted both in transit and at rest, protecting user privacy and preventing unauthorized access. App security protects the application and the data against all forms of instrumentation, tampering, and reverse engineering. The best products on the market monitor every attempt at an attack.
  • API security: Many IoT devices communicate with cloud services and other devices through APIs. Securing these APIs is crucial to prevent unauthorized access to the server. App protection also prevents the extraction of secrets and the weaponization of the app itself.

And according to Dr. Schenk:

“Securing all attack vectors of IoT devices is essential for enterprises, as breaches can have severe consequences. Attacks on IoT devices can lead to the weaponization of infrastructure, data theft, manipulation of critical infrastructure such as municipal water supplies, data manipulation like the replacement of real camera footage with deepfakes, or disruption of transportation systems. Ensuring the security of these devices is crucial to preventing these potentially devastating impacts.”

To protect smart homes and IoT devices, developers and manufacturers should consider implementing in-app protection to safeguard IoT devices from attacks by securing the mobile applications that control them.

Conclusion

As our homes become smarter, it’s crucial that we become smarter about security. Application security plays a pivotal role in protecting IoT devices and the valuable data they handle. By understanding the vulnerabilities, implementing robust security measures, and staying informed about emerging technologies, consumers can enjoy the benefits of a connected home while minimizing potential risks.