Design Flaws in Smart Home IoT Devices Lead to Security Vulnerabilities

Internet of Things hardware and security

Good news is that researchers at North Carolina State University have identified potential solutions that can address these vulnerabilities.

 Internet of Things hardware and securityResearchers at North Carolina State University have identified design flaws in “smart home” Internet-of-Things (IoT) devices that allow third parties to prevent devices from sharing information.

According to the researchers, these flaws can be used to prevent security systems from signaling that there has been a break-in or uploading video of intruders.

“IoT devices are becoming increasingly common, and there’s an expectation that they can contribute to our safety and security. But we’ve found that there are widespread flaws in the design of these devices that can prevent them from notifying homeowners about problems or performing other security functions,” says William Enck, an associate professor of computer science at NC State and co-author of the research paper.

However, there is no need to worry about it. The research team has identified potential solutions that can address these vulnerabilities.

Researchers identify two potential ways to fix it

Specifically, the researchers have found that if third parties can hack a home’s router – or already know the password – they can upload network layer suppression malware to the router. The malware allows devices to upload their “heartbeat” signals, signifying that they are online and functional – but it blocks signals related to security, such as when a motion sensor is activated. These suppression attacks can be done on-site or remotely.

The researcher say that these network layer suppression attacks are possible because, for many IoT devices, it’s easy to distinguish heartbeat signals from other signals. They opine that addressing that design feature may point the way toward a solution.

According to TJ O’Connor, first author of the paper and a Ph.D. student at NC State, one potential fix would be to make heartbeat signals indistinguishable from other signals, so malware couldn’t selectively allow heartbeat signals to pass through. Another approach would be to include more information in the heartbeat signal.