Nothing new, move along! IoT still insecure!

Jan 25, 2016 23:26 GMT

Two students from Princeton University carried out an experiment analyzing six popular IoT (Internet of Things) devices, and their results confirm countless other studies that say IoT is extremely insecure, to the point of creating highly dangerous, even life-threatening situations.

The six products they tested were the Belkin WeMo Switch, the Nest Thermostat, an Ubi Smart Speaker, a Sharx Security Camera, a PixStar Digital Photoframe, and a SmartThings hub.

All of these were subjected to a series of tests, and the results are as bad as you'd think they are.

First of all, the researchers found out that many devices did not encrypt their communications.

For example, the Nest thermostat leaked the ZIP code configured during the device's setup, the Sharx security camera sent video recordings to its storage server via classic FTP (not sFTP), and all traffic to and from the PixStar smart photoframe was unprotected, revealing interactions with the device.

But worst of all were the Ubi smart speakers, which allow you to control other gadgets via voice commands. Ubi devices leaked everything via HTTP, enabling attackers to intercept all the data, from sensor readings to device interactions, letting them know if someone was at home, in which room, and if they were active around the house.
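From the defender's side, cleartext HTTP and FTP like that described above can be spotted on your own network by looking at the first bytes of each connection a device opens. The following Python is an added example, not code from the Princeton study or from Softpedia; the device labels, ports and payloads are constructed, and the signatures are simple heuristics chosen for this illustration.

```python
import re

# Heuristic signatures for the first payload bytes of a TCP connection.
HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
FTP_COMMAND = re.compile(rb"^(USER|PASS|STOR|RETR|PASV|LIST|QUIT)( [^\r\n]*)?\r\n")
FTP_BANNER = re.compile(rb"^220[ -]")  # SMTP also greets with 220, so require port 21

def classify(payload: bytes, dst_port: int) -> str:
    """Label one connection from its first payload bytes and destination port."""
    # TLS record header: type 0x16 (handshake), version major 0x03, minor 0x00-0x04.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if HTTP_REQUEST.match(payload):
        return "http-cleartext"
    if dst_port == 21 and (FTP_COMMAND.match(payload) or FTP_BANNER.match(payload)):
        return "ftp-cleartext"
    return "unknown"

def audit(streams):
    """Map each device label to the sorted cleartext protocols it was seen using."""
    findings = {}
    for device, dst_port, payload in streams:
        verdict = classify(payload, dst_port)
        if verdict.endswith("-cleartext"):
            findings.setdefault(device, set()).add(verdict)
    return {device: sorted(protos) for device, protos in findings.items()}

# Constructed sample input: (device label, destination port, first payload bytes).
SAMPLE_STREAMS = [
    ("camera", 21, b"USER recorder\r\n"),
    ("camera", 21, b"STOR clip-0001.avi\r\n"),
    ("speaker", 80, b"POST /sensors HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("hub", 443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"),
    ("hub", 8883, b"\x10\x0c\x00\x04MQTT"),
]

if __name__ == "__main__":
    for device, protos in audit(SAMPLE_STREAMS).items():
        print(f"{device}: {', '.join(protos)}")
```

A verdict of "unknown" only means none of these three signatures matched; it does not mean the traffic is encrypted.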

A lack of regulation fosters dangerous situations

Researchers did say that, when encryption was deployed, it wasn't properly implemented, and allowed attackers to detect various traffic signatures, which could have been exploited later to reveal certain user activities.

But this is nothing new. Researchers have been griping about IoT devices for years now, and the problems are always the same:

- the devices don't have enough physical resources to deal with powerful security features
- manufacturers don't care because there's nobody that can sanction them on a daily basis
- there are no official regulations to follow
- users also don't care or aren't educated, and buyers don't sanction manufacturers by avoiding their "insecure" products
- there's too much diversity to fix IoT security overnight

The two students presented their findings at the PrivacyCon security conference.

UPDATE: Softpedia has received an update on the status of the Ubi device tested in the Princeton research.

As Leor Grebler, CEO of Unified Computer Intelligence Corporation (the Ubi manufacturer), has told Softpedia, the tested device "has been discontinued for more than a year."

Current Ubi implementations are "not targeted towards the consumer market right now. Most of those using the Ubi are building custom integrations and rules." Current Ubi services have deviated from providing ready-made devices, and are focused on providing the platform for implementing voice interaction into your consumer electronics and IoT devices.