Researchers at Kaspersky Lab have discovered vulnerabilities in a virtual assistant (hub) used to manage all the connected modules and sensors installed in a home. Such a hub can itself be vulnerable to remote attacks.
The analysis reveals that a remote attacker can reach the product's server and download, at will, a file containing users' personal data. That data is what is needed to access their accounts and, as a result, to take control of the systems in their homes.
As the popularity of connected devices continues to increase, virtual assistants or hubs for households are in great demand. They facilitate the administration of the house, since they combine all the configurations of the devices in a single place and allow the users to adjust and control them through interfaces on the web or mobile applications.
Some of these assistants even serve as a security system. Being such a "unifier", however, also makes the device an attractive target for cybercriminals, since it can serve as an entry point for remote attacks. Early last year, Kaspersky Lab examined a smart home device that was open to intruders because of a weak password-generation algorithm and open ports. During the new investigation, it was discovered that an insecure design and several vulnerabilities in the smart device's architecture could give criminals access to someone's home.
First, the researchers discovered that the hub sends user data when communicating with its server, including the credentials needed to log in to the virtual assistant's web interface: the user's ID and password. Other personal information, such as the phone number used for alerts, can also be found there. Remote attackers can download the file with this information by sending a legitimate request to the server that includes the device's serial number. The analysis also shows that intruders can discover this serial number because of the simplistic method used to generate it.
According to the experts, serial numbers can be brute-forced with the help of logical analysis and then confirmed by sending a request to the server. If a device with that serial number is registered in the cloud system, the attackers receive an affirmative response. As a result, they can log in to the user's web account and manage the configuration of the sensors and controllers connected to the hub.
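The enumeration described above leaves a recognisable trace on the server side: one client requesting the per-device data file for many serial numbers in a row. The check below is an added example, not code from the article or from Kaspersky's research; the access-log format, the `/device/<serial>/config` path and the serial-number layout are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of cloud-API access-log lines (assumed format, not the
# vendor's real logs): "<client ip> GET /device/<serial>/config <status>".
SAMPLE_LOG = """\
198.51.100.7 GET /device/SN00012345/config 200
203.0.113.9 GET /device/SN00020001/config 404
203.0.113.9 GET /device/SN00020002/config 404
203.0.113.9 GET /device/SN00020003/config 200
203.0.113.9 GET /device/SN00020004/config 404
203.0.113.9 GET /device/SN00020005/config 404
203.0.113.9 GET /device/SN00020006/config 200
198.51.100.7 GET /device/SN00012345/config 200
"""

# Serial = optional letter prefix + decimal counter (assumed layout).
LINE_RE = re.compile(r"^(\S+) GET /device/([A-Z]*)(\d+)/config (\d{3})$")


def find_enumerators(log_text, min_serials=5, min_sequential_ratio=0.8):
    """Return {ip: (distinct_serials, sequential_ratio)} for clients that
    look like they are walking the serial-number space.

    A client is flagged when it fetched the config of at least `min_serials`
    distinct serials and most neighbouring serials differ by exactly one.
    Both 200 and 404 responses count: the status itself is the oracle that
    tells an attacker whether a serial is registered.
    """
    serials = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a config fetch; ignore
        ip, _prefix, number, _status = m.groups()
        serials[ip].append(int(number))

    flagged = {}
    for ip, nums in serials.items():
        distinct = sorted(set(nums))
        if len(distinct) < min_serials:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[ip] = (len(distinct), ratio)
    return flagged
```

On the sample above only 203.0.113.9 is flagged; the legitimate client that fetches its own device's file twice is not.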
All information about the discovered vulnerabilities has been reported to the vendor, and a fix is now being prepared.
"Although the devices used in the Internet of Things (IoT) have been the focus of cybersecurity researchers in recent years, they are still shown to be insecure. We randomly selected the virtual assistant for home use, and the fact that we found it vulnerable is not an exception but rather a confirmation of the constant security problems in the IoT world. It seems that, literally, all IoT devices, even the simplest ones, contain at least one security problem.
For example, we recently analyzed an intelligent light bulb. We could ask ourselves, what could go wrong with a light bulb that only allows you to change the color of the light and other lighting parameters by means of a smartphone? Well, we found that all the credentials of the Wi-Fi networks, that is, names and passwords, to which the light bulb had been connected before, are stored in its memory without encryption. In other words, the current situation in the sphere of IoT security is that even a light bulb can put the user in danger," said Vladimir Dashchenko, head of the vulnerability research group at Kaspersky Lab ICS CERT.
To stay protected, Kaspersky Lab recommends that users consider the following:
- Always use a complex password and do not forget to change it regularly.
- Increase your security knowledge by consulting the latest information about discovered and patched vulnerabilities in smart devices, which is generally available online.
To ensure the security of the "smart" home and the Internet of Things, Kaspersky Lab offers Kaspersky IoT Scanner, a free application for the Android platform. The solution examines the home Wi-Fi network and informs the user about the connected devices and their level of security.
To mitigate cybersecurity risks, Kaspersky Lab advises manufacturers and developers to always carry out security tests before sending products to market and to comply with IoT cybersecurity rules. Recently, Kaspersky Lab contributed to the ITU-T Y.4806 standard (International Telecommunication Union, Telecommunication Standardization Sector), created to help maintain adequate protection of IoT systems, including smart cities, medical devices worn by patients as well as standalone ones, and many others.
More information on this research is available at Securelist.com.