Synack completed a benchmarking test of a series of home automation devices, from cameras to home automation controllers to thermostats. The devices were examined head-to-head to derive conclusions on the relative state of security across the board. Interested in what we found?
2. Project Scope
Cameras: Dlink DCS-2132L, Dropcam Pro, Foscam FI9826W, Simplicam, Withings Baby Monitor
Thermostats: Ecobee, Hive, Honeywell Lyric, Nest Thermostat
Smoke / CO: First Alert SC9120B, Kidde i2010S, Nest Protect
Home Automation Controllers: Control4 HC-250, Lowes Iris, Revolv, SmartThings
3. Cameras
BEST PRODUCT QUALITIES
• All communications encrypted
• No public services
• Automatic firmware updates (two products)
• No default credentials
• Hardwired connection available
• Public firmware is encrypted to some extent
• Credential change required on first boot
• Encrypted automatic updates
• Lost communications alerting
WORST PRODUCT QUALITIES
• No hardwired connection
• No SSL pinning in mobile app
• Communications default to unencrypted (two products)
• Obfuscates, rather than secures, data in transit (two products)
• Publicly available firmware
• Maximum 12 character passwords
• Weak password policy
• No certificate validation
• Multiple communications are unencrypted
• Credentials easily pulled from backups
• Hard-coded shared password
• Considerable network footprint
*The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.
4. Thermostats
BEST PRODUCT QUALITIES
• All communications encrypted
• Automatic firmware updates (two products)
• Proper SSL usage / encrypted traffic
• Public firmware is encrypted to some extent
• Credential change required on first boot
• Built on widely used platform
• Encrypted communication
WORST PRODUCT QUALITIES
• Weak password policy (two products)
• Easily guessable configuration token used
• Lack of SSL pinning in mobile app
• Insecure initial configuration
• History of vulnerabilities across product lines
• Not all traffic is encrypted
• Moderate password policy
5. Smoke and CO Detectors
BEST PRODUCT QUALITIES
• Audible power loss notification
• Encrypted network communication
• Difficult to tamper with
• Impossible to remotely hack, because it lacks connectivity (First Alert SC9120B and Kidde i2010S)
WORST PRODUCT QUALITIES
• Weak password policy
• Custom configuration protocol / short pairing codes
• Not applicable, because this is not a “smart” device (First Alert SC9120B and Kidde i2010S)
6. Home Automation Controllers
BEST PRODUCT QUALITIES
• Encrypted communications (three products)
• Strong pairing mechanics
• Notified if goes offline
• Strong password policy
• Automatic firmware updates
WORST PRODUCT QUALITIES
• Unsigned firmware
• Custom remote management feature
• Open ports
• Hardcoded API keys
• Weak password policy
• Exposed telnet service
• History of unpatched security issues
• Built-in unauthenticated remote management feature
• Moderate password policy
7. Takeaways
• Overall, IoT security is poor, with cameras scoring the lowest
• With few exceptions, Nest leads the industry in security practices
• A “sinking tide” incident, one that damages the whole category at once rather than a single vendor, will likely hit home automation
• The industry needs some basic standards to set the bar
8. Areas to Watch
Wi-Fi Jamming
• With few exceptions, all Wi-Fi devices are susceptible to jamming
• Diversification of used spectrum (2.4 GHz + 5 GHz, etc.) reduces risk
• Hardwired Ethernet options also reduce the risk
• Jamming/network down incidents should result in a proactive alert to the user
Password Strength, Reuse, and Attack Resistance
• Basic password strength requirements should be enforced
• Horizontal (one guess tried across many accounts) and vertical (many guesses against one account) password guessing countermeasures should be implemented at application and network layers
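The password recommendations above, worked through as an added example (not code from the Synack deck or from any of the vendors tested): a policy check that sets a floor on length rather than the low ceiling one camera imposed, and a sliding-window throttle that counts failures per account (vertical guessing) and per source across any accounts (horizontal guessing). The limits, the common-password list and the two replayed attack patterns are constructed for the example.

```python
"""Password policy and guessing countermeasures.

Added example for this page, not code from the Synack research or any vendor.
The limits, the denylist and the attack traffic below are constructed.
"""
import time
from collections import defaultdict, deque

MIN_LENGTH = 12        # assumed floor; a 12-character *maximum* (a finding above) is the opposite of this
MAX_LENGTH = 128       # generous ceiling so long passphrases are not rejected
# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "admin", "letmein"}


def check_password_policy(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


class GuessThrottle:
    """Sliding-window failure counters keyed by account (vertical) and by source (horizontal)."""

    def __init__(self, window_s=300.0, per_account=5, per_source=20):
        self.window_s = window_s
        self.per_account = per_account    # failures against one account before it is locked
        self.per_source = per_source      # failures from one source across any accounts
        self._by_account = defaultdict(deque)
        self._by_source = defaultdict(deque)

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def allowed(self, username, source_ip, now=None):
        """Decide before checking the credential, so the check is never reached when throttled."""
        now = time.monotonic() if now is None else now
        acct, src = self._by_account[username], self._by_source[source_ip]
        self._prune(acct, now)
        self._prune(src, now)
        if len(acct) >= self.per_account:
            return False, "account locked: repeated failures (vertical guessing)"
        if len(src) >= self.per_source:
            return False, "source throttled: failures across many accounts (horizontal guessing)"
        return True, "ok"

    def record_failure(self, username, source_ip, now=None):
        now = time.monotonic() if now is None else now
        self._by_account[username].append(now)
        self._by_source[source_ip].append(now)

    def record_success(self, username):
        self._by_account.pop(username, None)


def simulate_attacks() -> dict:
    """Replay two constructed attack patterns and report at which attempt each is stopped."""
    results = {}
    # Vertical: one source, one account, a different guess every attempt.
    vertical = GuessThrottle()
    results["vertical_blocked_at"] = None
    for i in range(10):
        ok, _ = vertical.allowed("admin", "198.51.100.7", now=float(i))
        if not ok:
            results["vertical_blocked_at"] = i
            break
        vertical.record_failure("admin", "198.51.100.7", now=float(i))
    # Horizontal: one source, one guess ("password1"), a different account every attempt.
    horizontal = GuessThrottle()
    results["horizontal_blocked_at"] = None
    for i in range(30):
        user = "user%02d" % i
        ok, _ = horizontal.allowed(user, "203.0.113.9", now=float(i))
        if not ok:
            results["horizontal_blocked_at"] = i
            break
        horizontal.record_failure(user, "203.0.113.9", now=float(i))
    return results


if __name__ == "__main__":
    print(check_password_policy("password1", "bob"))
    print(simulate_attacks())
```

The per-account counter alone does nothing against a spray that tries one guess per account, which is why the source counter exists; in a real deployment the source key would also be extended to cover NATed or rotating addresses (for instance by device or session identifier), and the network layer would rate-limit in front of the application.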
9. Areas to Watch (continued)
Unencrypted and Unauthenticated Communications
• All communications should be encrypted in both directions
• Unauthenticated servers, communications and services should not be allowed
Misconfiguration of Encryption
• Independent encryption architecture reviews should always be performed. There are thousands of ways to get it wrong, and only a handful of ways to get it right
• SSL pinning should be used to prevent man-in-the-middle attacks
• Certificates should always be validated against a trusted third-party certificate authority
• Self-signed certificates should never be used
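The encryption recommendations above, worked through as an added example in Python (not code from the Synack deck or from any vendor's mobile app): a client TLS context that validates against the system's trusted CAs, checks the hostname and refuses pre-TLS 1.2 protocols; the insecure context that produces "no certificate validation" findings, shown beside it as the anti-pattern; and a pin check on the SHA-256 fingerprint of the server's DER certificate, applied after CA validation succeeds. The sample certificate bytes and the backup pin value are constructed placeholders.

```python
"""Client-side TLS validation with certificate pinning.

Added example for this page, not code from the Synack research or any vendor's app.
The sample certificate bytes and pin values are constructed placeholders; a real pin
set is derived from the vendor's actual server certificates and shipped in the app.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex-encoded; this is the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pins) -> bool:
    """Constant-time comparison against every pin, so a set holding a backup pin is supported."""
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p) for p in pins)


def hardened_context() -> ssl.SSLContext:
    """What 'proper SSL usage' looks like: CA validation, hostname check, modern protocol floor."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname + system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern behind 'no certificate validation': any certificate for any name is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> bytes:
    """Open a TLS connection that passes CA validation AND matches a pin; return the peer's DER cert.

    CA validation and the hostname check happen inside wrap_socket(); the pin is checked on
    top of that, so a mis-issued but otherwise valid certificate is still rejected.
    """
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not matches_pin(der, pins):
                raise ssl.SSLCertVerificationError(
                    "certificate fingerprint %s is not in the pin set" % fingerprint(der))
            return der


if __name__ == "__main__":
    # Constructed bytes stand in for a DER certificate so this runs offline.
    sample_der = b"constructed-der-certificate-bytes"
    pins = {fingerprint(sample_der), "00" * 32}   # current pin plus a (placeholder) backup pin
    print(matches_pin(sample_der, pins), matches_pin(b"some other certificate", pins))
    # Against a live host, connect_pinned("device.example", 443, pins) would perform the full check.
```

Pinning the leaf certificate's fingerprint breaks the app the day the server certificate is reissued, so a pin set should always carry a backup pin (or pin the public key rather than the whole certificate), and updated pins need a delivery path such as the automatic update channel the better-scoring products above already have.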