This week’s Smart World Problems roundup features new research that reveals the vulnerabilities of the connected world.

Symantec details the downside of IoT

Symantec Corp. released its white paper that looked at the different methods used to manage user data by the range of device makers and their associated service providers in the Internet of Things (IoT) market. The study unveiled that a significant portion of connected devices share the same basic security problems.

Symantec’s research team scrutinized 50 smart home devices that included smart thermostats, locks, light bulbs, smoke detectors, energy management devices and hubs. The study revealed that many of the devices have several basic security flaws, such as weak authentication or lack of enforcing strong passwords.

What’s more, the smart home web interface (the cloud of the smart home system), has several vulnerabilities related to data paths, unrestricted file uploading, remote file inclusion and SQL injection, making them vulnerable to local attacks or hackers who have managed to infiltrate the home network via an unsecured Wi-Fi connection. Not to mention, malware can play a role in rendering your smart home unsecure.

Symantec suggests that IoT manufacturers follow these tenets to keep their products secure and consumers protected:

• Using a strong trust model, such as device authentication through SSL
• Protecting the code by utilizing digital code signing
• Implementing effective host-based protection, such as endpoint protection and system hardening
• Implementing safe and effective management, which includes configuration and over-the-air updates
• Using security analytics to address new and advanced threats

TrapX releases Anatomy of an Attack report on IoT devices

TrapX Labs, a division of TrapX Security, Inc., released its Anatomy of an Attack report entitled “The Internet of Things (IoT) – The Hidden Danger Exposed.” The report discussed the team’s discovery of design flaws in the Nest Learning Thermostat. The researchers were able to use the Nest Learning Thermostat as the initial point of attack, compromise an entire home network.

Though TrapX was able to compromise Nest’s security, the Google-owned smart thermostat maker is better than most others in the market, offering a “relatively robust security compared to most IoT devices.”

TrapX offers some suggestions for manufacturers to keep their devices secured, such as:

• Pperforming a complete design review
• Rapidly integrating and deploying software fixes and/or hardware fixes to customers
• Not allowing any production versions of these devices to be bootable from a USB port
• Signing the software, which is a mathematical technique to validate its authenticity
• Using an outside penetration-testing firm to run security tests to discover vulnerabilities and help with the design review of OEM components
• Implementing firewalls on every device
• Protecting the management channel interface by allowing only limited access to the management server.

Download the full report here.

photo credit: Security in the dictionary via photopin (license)