It has been reported that new research from Kaspersky Lab, released today, has highlighted vulnerabilities in smart home hubs across millions of UK homes. Researchers discovered that the hub sends user data when it communicates with a server, including the login credentials needed to sign in into the web interface of the smart hub. Remote attackers can then download the archive with this information by sending a legitimate request to the server that also includes the device’s serial number.
Commenting on this, Christopher Littlejohns, EMEA manager at Synopsys, said “Vulnerabilities in smart hubs are entirely predictable symptoms of an immature organisation without a clear focus on security. Common avoidable mistakes have been made that put users data at risk including:
- User and company sponsored publication of credentials on publicly accessible sites
- Poor credential mechanisms that include guessable device ids
- Using legacy encryption techniques that are readily crackable using brute force techniques
- Passing data over htttp rather than https
All of these issues demonstrate a lack of threat awareness or analysis; they are fundamental design issues that creates readily exploitable vulnerabilities. This is a recurring theme for small and larger companies for whom speed to market is the primary goal. Companies that do not “build security in” as part of their development processes will suffer the consequences of brand damaging reports like this, or worse – they will likely go out of business.”