As the IoT Research Lead at Rapid7, I have looked at a number of IoT devices and their associated ecosystems. During various research projects, I have found a common trend of insecurities within the mobile applications. Nearly all applications I've tested have the following two issues:
- Cleartext storage of credentials
- Lack of SSL pinning
When considering the security risk and impact of these two issues, which is more critical? To me, cleartext storage of credentials adds the biggest risk and is more severe in terms of potential impact.
During examination of IoT mobile applications, it is common for me to find account information such as username, passwords, and WiFi passcodes stored in cleartext on mobile phones. When combined with the common problem of lost and stolen phones, we have a serious issue that makes it possible for the compromised user’s data to be used to compromise IoT service accounts, home automation, and WiFi networks. To my mind, this is one of the primary issues that needs to be addressed in the consumer IoT ecosystem.
Why do we see this issue at all, since standard methods are available to properly encrypt and store such data? It may be that mobile application programmers lack experience in secure coding, or that they are taking shortcuts, thinking it does not matter. It definitely does matter!
What solutions are available? For Android applications, the documented solution is to leverage the Android Keystore. The Keystore holds cryptographic keys in a container that helps mitigate against extraction or unauthorized use of the credential data. If properly implemented, end users' authentication data can be properly encrypted during storage. For iOS applications, the solution is the Keychain service. Similar to the Android Keystore, the iOS Keychain API provides a way for applications to safely store secret information by encrypting it before it is written to the local file system. Both of these solutions are standard methods on the major mobile operating systems and, at a minimum, should be implemented in every mobile application that stores critical data such as authentication information.
Unfortunately, we cannot always count on programmers and vendors to prioritize and build in security from the start. So what's our part—how do we as end users take proactive steps to reduce our risk? The answer here is to always put a passcode on your phone. It's not a 100% solution, but this simple step does reduce risk by making it more difficult for your data to be compromised if your mobile phone is lost or stolen. A little added security may make your phone itself more valuable than the data stored on it, hopefully leading the thief to just wipe it for you. It's a small step with a big benefit, so we should all make it a priority.
Last but not least, I would like to point out a positive finding. I mentioned earlier that most IoT mobile applications I have looked at during my research were storing user information unencrypted. There were two notable exceptions of IoT mobile applications that I examined where the user data was properly protected, however:
It was encouraging to encounter IoT product manufacturers that have taken the time to address security concerns (at least user credential encryption) within their mobile applications. I hope to see more of this as IoT security awareness continues to improve.
If you'd like further information, you can read about Rapid7's IoT security testing services here.