Smartphones Used as Remote Hubs Can Lead to Malware and Other Flaws
July 24, 2014
However, as exciting as it is, we still have to approach it carefully. This is because most of the tech fueling this new era is still based on current mobile device technology (SmartTVs, smart appliances, etc.), which could potentially suffer the same pitfalls of today’s mobile devices in terms of security.
There is also the fact that mobile devices – specifically, smartphones – may soon become the ‘central hub’ for our homes, as the device that we use to manage all our appliances and security systems. Both Google and Apple have already begun to develop home automation management apps on their respective mobile platforms. The recently-unveiled iOS 8 Homekit, for instance, touts complete control over the home and the myriad of networked devices inside of it, and makes it easy by allowing the user to group certain devices based on the room they’re in.
Consider, then, the potential risks this poses to the Internet of Everything. How it makes the scenario of a cybercriminal being able to enter someone’s home just by hacking into their smartphone no longer sci-fi fantasy, but plausible reality. Mobile devices have caught up with the desktop as the most targeted platform by cybercriminals after all, so there is no doubt that they'll be looking into exploiting this new field for profit.
Possible Risks
Using a smartphone as the centralized remote for an automated home means that all the security threats inherent in the platform could affect the home itself. Here are examples of these threats and how they could affect the automated home:
- OS vulnerabilities – cybercriminals can use the smartphone OS’ underlying vulnerabilities in order to take control of the smartphone and thus do whatever they want with the automated home, such as turn off security systems or even spy on the family for blackmail/information theft purposes.
- App vulnerabilities – app vulnerabilities can be exploited to ‘mine’ the information they receive and send for theft/blackmail purposes. They can even be used, again, to take control of the hub, or to prevent malware from being detected/uninstalled.
- Mobile malware – mobile malware can be used to intercept/steal information from the hub and those that connect to it, or take control of the hub via a remote malicious attacker. It may also infect appliances with screens with adware or annoying popups.
- High-risk apps – apps that are not necessarily malware but are coded/programmed to collect and store information, possibly in an insecure manner. These could be taken advantage of to steal information that could lead to the infiltration of the home network.
- Physical loss/theft/destruction – The loss/theft/destruction of the smartphone (and thus, the hub) may not only prevent the user from actually accessing his home or activating/deactivating necessary systems, but can also give cybercriminals unlawful access to his home. This severely jeopardizes not only the hub’s security, but that of the house’s. Destruction of the hub also means re-wiring and resetting everything back again, which could cost valuable time and resources.
- Unsecured connections – the proprietary apps that manage the connected systems as well as the hub may not use encryption to protect the information they’re sending and receiving from the internet. This could result in information leaks and/or theft. The information stored in the smartphone itself may also be stolen as well.
We can see from these potential threats that the consequences of having a compromised smartphone that's being used as a remote hub for an automated home could be dire. Not only is it very possible for them to take control of your home and devices, but they may also be able to steal information.
A sample scenario: the user is at work, away from his automated home, with his Android OS smartphone registered and installed as its hub. Unbeknownst to the user, cybercriminals have already compromised his smartphone through a vulnerability – which could have been caused by downloading a ‘legitimate patch’ to his favorite game app from a third party site. The update inserted malicious code into the legitimate game app, effectively Trojanizing it but still allowing it to retain its legitimate status.
The trojanized app, listening for commands from its remote malicious user, takes control of the smartphone and disables the security system of the user’s home without their knowledge or authorization. The cybercriminal is therefore free to enter without fear of being spotted or caught on close-circuit camera, and the user will be none the wiser.
Continuing on the vein of hypothetical scenarios, the cybercriminal may also be able to use the above attack pattern to turn the victim and his family into information mines – using the systems under his control as a wiretapping system to steal information for blackmail, identity theft and other malicious purposes. The hijacked system could therefore be used to cause mischief on the family, such as turning devices on and off while they’re in use, or leaving them on for long amounts of time, potentially causing property damage/exorbitant electricity charges.
Not Just Possible, Plausible
Certain readily-available IoE-enabled products have already been proven to be vulnerable to infiltration. One of the most recent ones involve the LIFX smart lightbulbs – lightbulbs touted to come with their own network capabilities and thus are able to be switched on and off with an iOS/Android device.
A weakness was discovered in its firmware that allowed hackers within 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The weakness presented itself whenever there was more than one LIFX lightbulb connected to the same Wi-Fi network – in that the first lightbulb would share the network credentials with the second, but encrypted in such a way that anyone nearby can intercept and decipher the shared information. Once the Wi-Fi network credentials are taken, it’s only a matter of time until the hacker takes control of one of the more important parts of the automated home, such as the user’s desktop or the security system itself.
Other incidents of note include the proof-of-concept malware attack that could induce blackouts in a facility using the smartphone-controlled Philips HUE Led lighting system. Another is the internet-capable Belkin baby monitor being turned into a wiretapping device due to its unsecured ‘easy one-time connection’ feature, allowing anyone to listen in on the baby being monitored (or conversations inside the house). The latter also netted the discovery that any device sporting the same technology as the baby monitor (which means any product released in the same line) can also be turned into an audio spying device quickly and easily.
We believe more discoveries like this will be made in the future, as more and more IoE-enabled devices come to the fore.
Securing The Internet of Everything
What can be done, then, to secure the Internet of Everything, should the smartphone be used as the lynchpin to keep it all together?
For those of us who have yet to buy into the Internet of Everything, our advice is to wait. The technology is still new, it’s still being tested, and it’s not yet that stable even if a multitude of products already exist to take advantage of it. Going into it now while developers and manufacturers are still feeling their way around could expose your home and loved ones to risks that you may not be prepared to deal with.
For the early adopter, however, we have a few recommendations:
- Buy IoE-enabled products from vendors who update their product firmware regularly. Flaws and vulnerabilities will always be inherent in any system, and as such, the vendor that rolls out firmware updates to patch them should be patronized in the case of IoE-enabled devices.
- Secure the network. Any and all other devices that connect to the home network must also be secured and defended against intrusion. This includes the router, as well as all computers and mobile devices that connect to it.
Most importantly, we must stress that the smartphone that would be used as the remote hub must be protected, just as well if not more than the rest of the network itself. A security solution, along with all its own built-in security options installed and enabled would help prevent it from becoming the weak point of the established network.
The user should also look into segregating the remote hub smartphone from their usual daily complement of devices – in essence, remove it from casual/personal use. This eliminates the chances of malicious apps being downloaded onto the device, and prevents security flaws from coming into play. This also helps protects the remote hub from theft or loss.
The Internet of Everything promises us a vision of tomorrow in an entirely new frontier. But as with all frontiers, it has its own share of challenges that we must carefully overcome.
HIDE
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
Posted in Mobile Safety, Internet of Things
Recent Posts
- Ransomware Spotlight: Ransomhub
- Unleashing Chaos: Real World Threats Hidden in the DevOps Minefield
- From Vulnerable to Resilient: Cutting Ransomware Risk with Proactive Attack Surface Management
- AI Assistants in the Future: Security Concerns and Risk Management
- Silent Sabotage: Weaponizing AI Models in Exposed Containers