The IoT Sky is Falling: How Being Connected Makes Us Insecure

The first chunk of actual sky recently slammed into the ground with a resounding thud.

The security community has been actively telling the world that the Internet of Things (IoT) is ripe for compromise and exploitation. Unfortunately, the public has shoved aside these “Chicken Little” warnings in hopes of getting all of the promised gee-whiz technologies without the sky actually falling.

Fortunately, a combined research team from the University of Michigan and Microsoft recently performed an in-depth analysis of an IoT home command center and brought the problems into the bright light of day. As sobering as their research results are, they took things a step further by building four attacks based on their findings. These were real exploits: creating a code for the automated front door lock, stealing a PIN to open other door locks, and disabling detectors and alarms.

The device at the center of the research is the Samsung SmartThings platform, a series of products and associated software tied together by a hub device. Samsung sells monitors, alarms, and other devices, and there is also a community of SmartThings-enabled products ranging from door locks to light and fan switches to home weather systems. The community offers applications for the devices, as well as mobile and Web apps to control the devices connected to the platform.

IoT Device Security

It’s software that makes an IoT or embedded device different. The device is, by definition, connected to the Internet. Software that was not designed and built to be secure will contain vulnerabilities that can be exploited to gain access to the device. Anything connected to the Internet can be discovered and potentially infiltrated, and the associated software will be the target.

This research demonstrates what the security industry has known for a while, and proves it to everyone else.

When people see a television commercial of a couple operating their front door lock from a mobile app on their phone, most see convenience and safety. However, those in the security community immediately see vulnerabilities and exploits. The report validates our apprehension.

The research notes that the majority of the vulnerabilities exist in software, either on the device itself or in the software that controls the devices. This is exactly what the security community has feared. The pattern repeats every time new technology is introduced without proper consideration for the basics of security. It happened when applications moved to the Web, and we dutifully took note of the lessons learned. But when mobile applications took off, we ignored those lessons and repeated the same mistakes. The pattern persisted when the Cloud emerged, and now we see proof that it is happening again with IoT.

When vulnerabilities are discovered in business applications, changes are made to remediate them, and patches or new releases are distributed to update the software. There are people in the business whose job it is to ensure that the devices in the business are kept updated to mitigate potential attacks.

In the IoT scenario, the software on the device may not have been written to protect against new and emerging threats. In order to manufacture devices at a competitive price point, manufacturers may not include the capability (in hardware or software) to update the software on the device. This leaves the consumer with a choice: scrap the vulnerable device, or keep it and hope no intrusion occurs.

If you knew a mechanical lock on your front door was no longer functionally capable of securing the door, would you continue to use it to keep out lurking thieves? My guess is no. Because you can see and feel the lock, you would likely have evidence of its failure and want to replace it. Now what about software? How do you know if the software has a vulnerability or if that vulnerability has been exploited?

While you consider those questions, keep in mind that the research did not touch on the privacy issues involved, for example the amount of data that is communicated back to a central database. This is data about you and your family: your habits, your comings and goings. It can easily create a picture of who is home at any given time on any given day. It knows if you leave your door unlocked. It knows if your burglar alarm is on—or not.

This shouldn’t be ignored. Data is being collected—how else does a smart thermostat know you’re home—and you have to ask, “Where does the data go and who is protecting it?”

The best part about this chunk of sky that fell to the ground is that the research was conducted by university researchers. Consider the research information carefully and become an intelligent consumer of IoT products and services. IoT promises a lot of convenience, but there is a price to be paid if you don’t involve the best connected device ever created—your brain.

Related: Burglars Can Easily Disable SimpliSafe Alarms

Related: Serious Flaw Found in Comcast’s Xfinity Home Security System

Related: Connected Home Security Systems Easy to Hack
