Scientists at North Carolina State (NC State) University have spotted design defects in “smart home” Internet-of-Things (IoT) devices that enable third parties to stop devices from sharing information. The defects can be used to stop security systems from signaling that there has been a burglary or uploading video of intruders.
“IoT devices are becoming increasingly common, and there’s an expectation that they can contribute to our safety and security,” says William Enck, co-author of a paper on the discovery and an associate professor of computer science at NC State. “But we’ve found that there are widespread flaws in the design of these devices that can prevent them from notifying homeowners about problems or performing other security functions.”
“Essentially, the devices are designed with the assumption that wireless connectivity is secure and won’t be disrupted – which isn’t always the case,” says Bradley Reaves, co-author of the paper and an assistant professor of computer science at NC State. “However, we have identified potential solutions that can address these vulnerabilities.”
Specifically, the scientists have discovered that if third parties can hack a household’s router – or already are aware of the password – it would be possible for them to upload network layer suppression malware to the router. The malware enables devices to upload their “heartbeat” signals, suggesting that they are online and functional – but it blocks signals associated with security, such as when a motion sensor is triggered. These suppression hacks can be carried out on-site or remotely.
“One reason these attacks are so problematic is that the system is telling homeowners that everything is OK, regardless of what’s actually happening in the home,” Enck says.
These network layer suppression hacks are conceivable because, for a number of IoT devices, it is easy to differentiate heartbeat signals from other signals. Also, looking into that design feature may direct the way toward a solution.
One potential fix would be to make heartbeat signals indistinguishable from other signals, so malware couldn’t selectively allow heartbeat signals to pass through. Another approach would be to include more information in the heartbeat signal. For example, if a device sends three motion-sensor alerts, the subsequent heartbeat signal would include data noting that three sensor alerts had been sent. Even if the network layer suppression malware blocked the sensor alert signals, the system would see the heartbeat signal and know that three sensor alerts were sent but not received. This could then trigger a system warning for homeowners.
TJ O’Connor, Study First Author and Ph.D. student, NC State.
No system is going to be perfect, but given the widespread adoption of IoT devices, we think it’s important to raise awareness of countermeasures that device designers can use to reduce their exposure to attacks.
William Enck, Study Co-Author and Associate Professor of Computer Science, NC State.
The paper, “Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things,” will be presented at the 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec ’19), being held between May 15th and 17th in Miami, Florida.