
When you're highly tech-savvy, it's tempting to take on certain challenges just because you can. This was the case for security experts Lev Aronsky and Idan Strovinsky of Aleph Research, a branch of HCLTech, who started out hacking an Electra Smart air conditioner controller—and wound up exposing an IoT security mess.

As we've all had to learn, the Internet of Things (IoT) is as diverse and chaotic as it sounds. And while all sorts of devices—air conditioners included—are networked and controllable using an app, it's arguably pretty inefficient to use each manufacturer's individual app to manage a house full of individual devices. Thus, as Aronsky and Strovinsky explain, "when one of us moved into an apartment with a smart A/C controller, hacking it to work with Home Assistant, an open-source home automation software, was prioritized highly."

The controller they set out to hack uses a specialized app to connect to the WiFi network and thereby control the air conditioner unit. The first step on their quest was to look for integrations and libraries that would let them interface with the controller, with the goal of gaining access via the local network instead. But as their investigations went on—piecing together, step by step, how the controller communicated with its remote server and how they could bend its behavior to their desires—they realized they had discovered something truly disturbing: a collection of "glaring security vulnerabilities that exposed the controllers’ users to complete takeover from the internet, amongst other issues."

A point arrived, for instance, where "we could see hundreds of air conditioner units" in addition to their own, including their IP address and detailed state. "It was a massive privacy issue, but the worst was still to come." Additional investigation brought success in controlling their air conditioner without the app—but they also learned that they could control other air conditioners as well, and do it with the wrong password, or no password at all. In their summation: "There was an MQTT server, open to anyone over the internet, that allowed anonymous logins with permission to control any Electra Smart air conditioner connected to the network."
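The broker misconfiguration the researchers describe, shown here as an added example that is not from the original post or from Electra: a Mosquitto configuration (an assumed broker; the post does not name the product, and all file paths and device names are placeholders) with the anonymous, any-device-controllable setup beside a hardened version that requires per-device credentials, TLS, and an access-control list confining each controller to its own topics.

```conf
# ---- WEAK: the shape of the problem described above ----
# Listener on every interface, reachable from the internet, no
# authentication and no ACL: any anonymous client may publish to
# any device's command topic.
listener 1883
allow_anonymous true

# ---- HARDENED mosquitto.conf ----
# Plain-text listener removed; TLS-only listener with a server cert.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key

# Every client must authenticate. Each controller gets its own
# credential (created with: mosquitto_passwd /etc/mosquitto/passwd ac-0001).
allow_anonymous false
password_file /etc/mosquitto/passwd

# Authorization: an authenticated device may only touch its own topics.
acl_file /etc/mosquitto/acl

# ---- /etc/mosquitto/acl (assumed path) ----
# %u expands to the authenticated username, so device "ac-0001" may
# only read commands addressed to it and publish its own state.
pattern read  devices/%u/cmd
pattern write devices/%u/state

# The cloud/app backend that must address all devices gets an explicit,
# named grant; nothing is granted to unmatched or anonymous clients.
user backend
topic write devices/+/cmd
topic read  devices/+/state
```

After reloading the broker, an unauthenticated `mosquitto_sub -h <broker> -t 'devices/#'` should be refused, and a device account should be unable to publish to another device's `cmd` topic.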

It's hard to know which is more awful: the additional horrors they uncovered (yes, there were more) or the resistance they then faced trying to get them fixed. But their research clearly points to bigger questions. How many IoT devices—large or small, insignificant or critical—are afflicted by vulnerabilities of the sort they found? And what would it take to ferret them out?

Though they're seldom top-of-mind with respect to IoT, these questions are non-trivial. Security vulnerabilities in IoT devices can pose significant risks for individuals, organizations, and even infrastructure. They arise from a combination of factors unique to IoT that make them a prime target for cyberattacks:

  • Limited processing power and memory in IoT devices can lead to weak encryption, poor authentication, and inadequate security updates.
  • Weak authentication mechanisms and passwords can give unauthorized users free access to manipulate devices and systems.
  • Poorly designed, insufficiently tested firmware in rushed-to-market devices can add to security risks, while outdated software is more susceptible to known, exploitable vulnerabilities.
  • IoT devices often collect sensitive data. If not properly secured, this information can be intercepted or stolen—with potentially serious consequences for all concerned.
  • The lack of standardized security practices in IoT—due largely to the extreme diversity of devices and ecosystems—makes consistent security measures tough to implement.
  • Physical access to IoT devices, too, can compromise security—for example, tampering with sensors or connections can enable data manipulation or cause device malfunction.
  • Inadequate network security—including unencrypted communication, weak firewalls, and man-in-the-middle risks—can expose IoT devices to a variety of threats.
  • Finally, the complex supply chains typical of IoT device manufacturing can introduce vulnerabilities at various stages, from hardware components to software integration.

As the IoT landscape continues to expand, security concerns are a key consideration—and collaborative efforts between manufacturers, regulators, and cybersecurity experts will be essential to mitigate the risks associated with IoT vulnerabilities and create a more secure and resilient IoT ecosystem. The work of groups like the Aleph Research team is an important contribution to that effort—one that we at HCLSoftware are proud to support.

HCLSoftware is a provider of industry-leading enterprise security software including HCL AppScan, a comprehensive suite of application security testing platforms and solutions.
