IoT devices are convenient but they are far from secure and harmless, and there’s another report that proves this fact. Apparently, IoT devices contain design flaws that can allow third parties to prevent them from sharing information.
What does this mean? These flaws can be exploited to stop security systems from warning about break-ins. The alarming discovery comes from researchers at North Carolina State University, who presented their findings in a report titled “Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things”.
New Report Outlines Design Flaws in IoT Devices
According to the researchers, the devices are designed with the assumption that wireless connectivity is secure, but this is not always the case.
IoT devices consist of two subsystems: always-responsive and on-demand [28]. The always-responsive subsystem maintains a perpetual connection to remote servers to report the availability of the device and listen for server-side instructions. In turn, the servers use low-bandwidth messages to monitor connectivity health. We label this message exchange heartbeats, since they periodically indicate the connectivity health of a device. When a timeout expires without receiving any heartbeats, servers mark the device as offline and present the user with a smart phone alert.
In the researchers’ experiments, they measured the timeout period as brief as forty seconds and as long as thirty minutes. It should also be noted that some battery-constrained devices entirely eliminate the always-responsive subsystem due to the power constraints of periodic messaging, the report said. More specifically, if threat actors or unnamed third parties hack a home’s router, network layer suppression malware can be uploaded to the router.
The malware lets the vulnerable devices keep uploading their heartbeat signals, which report that they are online, but blocks any security signals. These attacks can be triggered both on-site and remotely. The problem is that the system is telling homeowners that everything is in order when it’s not.
According to TJ O’Connor, one of the authors of the paper, “one potential fix would be to make heartbeat signals indistinguishable from other signals, so malware couldn’t selectively allow heartbeat signals to pass through.” Another solution is including more information in the heartbeat signal:
For example, if a device sends three motion-sensor alerts, the subsequent heartbeat signal would include data noting that three sensor alerts had been sent. Even if the network layer suppression malware blocked the sensor alert signals, the system would see the heartbeat signal and know that three sensor alerts were sent but not received. This could then trigger a system warning for homeowners, O’Connor said.
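The counter check described above can be sketched on the server side as follows. This is an added example, not code from the report or from any vendor; the class, field and device names are hypothetical, and it assumes each heartbeat carries a cumulative count of alerts the device has sent and is authenticated end to end so the router cannot rewrite it.

```python
# Added example: server-side check for alerts a device sent but the server never got.
# Class, field and message names are hypothetical, not taken from any vendor protocol.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DeviceState:
    alerts_received: int = 0            # alerts that actually reached the server
    last_heartbeat: Optional[float] = None


class TelemetryMonitor:
    def __init__(self, heartbeat_timeout: float = 40.0):
        # 40 s is the shortest timeout the article reports; real devices vary.
        self.timeout = heartbeat_timeout
        self.devices: Dict[str, DeviceState] = {}

    def _state(self, device_id: str) -> DeviceState:
        return self.devices.setdefault(device_id, DeviceState())

    def on_alert(self, device_id: str) -> None:
        self._state(device_id).alerts_received += 1

    def on_heartbeat(self, device_id: str, alerts_sent: int, now: float) -> int:
        """Record a heartbeat; return how many alerts were sent but never arrived."""
        st = self._state(device_id)
        st.last_heartbeat = now
        missing = max(0, alerts_sent - st.alerts_received)
        # Resync so the same gap is reported once, not on every later heartbeat.
        st.alerts_received = max(st.alerts_received, alerts_sent)
        return missing

    def offline(self, now: float) -> List[str]:
        """Devices whose heartbeat timeout has expired (the existing check)."""
        return sorted(d for d, st in self.devices.items()
                      if st.last_heartbeat is None or now - st.last_heartbeat > self.timeout)


def demo() -> dict:
    # Constructed scenario: one alert is delivered normally, then three motion
    # alerts are dropped in transit while the heartbeats still get through.
    mon = TelemetryMonitor()
    mon.on_alert("door-sensor")
    ok = mon.on_heartbeat("door-sensor", alerts_sent=1, now=0.0)
    suppressed = mon.on_heartbeat("door-sensor", alerts_sent=4, now=30.0)
    repeat = mon.on_heartbeat("door-sensor", alerts_sent=4, now=60.0)
    return {"ok": ok, "suppressed": suppressed, "repeat": repeat,
            "offline_at_70": mon.offline(70.0), "offline_at_200": mon.offline(200.0)}
```

A non-zero return from `on_heartbeat` is the condition that would trigger the homeowner warning, even though the device never timed out and still looks online.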
In conclusion, the report hypothesized that the NEST and Amazon Key incidents are not isolated occurrences, but rather an indication of a larger systemic design flaw in a prevalent number of IoT devices.