As the Internet of Things (IoT) market advances by leaps and bounds, connected models are now available for almost all household electrical appliances. According to Gartner's prediction, by 2015 consumers will have 2.9 billion connected IoT devices in the smart home environment.
But despite the public's growing awareness of smart homes, the latest research shows that the security of IoT devices does not seem to receive the same attention, which may put consumers' privacy at risk.
Smart home devices may use back-end cloud services to monitor device usage or to let users control these systems remotely. Users can access this data or control devices through mobile applications or Web portals.
Our research results show that many devices and services have some basic security issues.
Weak authentication mechanism
None of these devices use mutual authentication or use strong passwords. To make matters worse, some devices restrict the authentication password to a simple four-digit PIN code, which prevents users from setting a strong password on the cloud interface. In addition, these devices do not support two-factor authentication (2FA) and have no response to password brute-force attacks, so users can easily become the target of an attack.
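The following Python example is added here and is not from the original research or any vendor's code. It shows how per-account lockout with exponential backoff changes the cost of guessing a four-digit PIN; the names PinThrottle and guesses_evaluated, the account name and the delay values are assumptions chosen for illustration.

```python
import hmac

class PinThrottle:
    """Per-account lockout with exponential backoff for a short-PIN login."""

    def __init__(self, free_attempts=3, base_delay=30, max_delay=86400):
        self.free_attempts = free_attempts  # the failure that reaches this count starts the delays
        self.base_delay = base_delay        # seconds; doubles with each further failure
        self.max_delay = max_delay          # cap, so the owner is never locked out forever
        self.state = {}                     # account -> (failure count, locked-until time)

    def check(self, account, supplied_pin, real_pin, now):
        failures, locked_until = self.state.get(account, (0, 0))
        if now < locked_until:
            return "locked"                 # rejected without comparing the PIN at all
        if hmac.compare_digest(supplied_pin.encode(), real_pin.encode()):
            self.state.pop(account, None)   # success resets the failure counter
            return "ok"
        failures += 1
        over = failures - self.free_attempts
        delay = min(self.base_delay * 2 ** over, self.max_delay) if over >= 0 else 0
        self.state[account] = (failures, now + delay)
        return "denied"


def guesses_evaluated(throttle, real_pin, window_seconds):
    """Simulate one guess per second, in numeric order, against a constructed
    account and return (number of PINs actually compared, whether it was found)."""
    candidates = (f"{n:04d}" for n in range(10000))
    guess, evaluated = next(candidates), 0
    for now in range(window_seconds):       # simulated clock, whole seconds
        result = throttle.check("lock-1", guess, real_pin, now)
        if result == "locked":
            continue                        # the same guess waits for the lockout to end
        evaluated += 1
        if result == "ok":
            return evaluated, True
        guess = next(candidates, None)
        if guess is None:
            break
    return evaluated, False


if __name__ == "__main__":
    day = 24 * 60 * 60
    # Constructed sample PIN; free_attempts set very high models "no lockout".
    print("no lockout :", guesses_evaluated(PinThrottle(free_attempts=10**9), "7319", day))
    print("with backoff:", guesses_evaluated(PinThrottle(), "7319", day))
```

Per-account lockout can also be used to lock the legitimate owner out, which is why the delay is capped rather than permanent.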
Web vulnerabilities
In addition to the weak identity authentication mechanism, many smart home Web interfaces also suffer from some well-known Web application vulnerabilities. A quick test of 15 IoT cloud interfaces showed that these devices have some serious vulnerabilities, even though such a test can only check for surface problems. We discovered and reported ten vulnerabilities related to path traversal, unrestricted file upload (remote code execution), remote file inclusion (RFI) and SQL injection. In addition to smart bulbs, the devices involved also include smart door locks. We can open the door remotely via the Internet without even knowing the password.
Local attack
An attacker can get into the home network by breaking into a Wi-Fi network with weak encryption, and then attack the user's smart devices. We found that these devices transmit passwords locally in clear text or do not use any identity authentication at all. Another common trait of IoT devices is the use of unsigned firmware updates. The lack of this security feature allows an attacker to easily break into the home network and crack the password of the IoT device. These stolen credentials can be used to execute other commands, and even to take complete control of the device through a malicious firmware update.
Potential attacks
So far, we have not found large-scale malware targeting smart home devices, such as routers and network-attached storage devices such as computer-related devices. At present, most of the proposed IoT attacks are just proofs of concept, which have not yet brought the attackers any profit. But this does not mean that attackers will not target IoT devices as the technology becomes more mainstream in the future.
Looking back, if the attacker's methods are not new, we will not take them too seriously, but on the contrary, they can always think of new attack methods. Even if it's just abusing technology, threatening users, or attacking home networks, cybercriminals are always ready and keen to attack any target.
So don't be prematurely satisfied with the new smart home automation project; you need to take a moment to think about how these convenient devices could expose your information and home network and make them subject to cyber attacks. This requires major manufacturers to produce smarter home appliances and Internet of Things devices with higher security. Only in this way can security problems be improved.
If you want to know more analysis and insight about smart home devices, please refer to our white paper.
Solution
Unfortunately, it is difficult for users to improve the security of IoT devices by themselves, because most devices do not provide a safe mode of operation. Nevertheless, users should stick to the following recommendations to ensure that they are less likely to be attacked:
Use a unique, strong password on the device account and the Wi-Fi network.
Change the default password.
When setting up the Wi-Fi network, use a more secure encryption method, such as WPA2.
When not necessary, turn off or protect the remote access function of IoT devices.
If you can, use a wired connection instead of a wireless connection.
If you can, connect the device to an independent home network.
Be very careful when buying second-hand IoT devices, because these devices may have been tampered with.
Research the device security protection measures provided by the supplier.
Modify the privacy and security settings of the device according to your needs.
Disable extra functions.
Install the latest updates.
Ensure that downtime caused by interference or network failures does not leave the installation in an unsafe state.
Confirm whether the smart functions are really needed, or whether an ordinary device can meet the requirements.