These days, you’d be hard-pressed to find connected devices that do not come with companion smartphone applications. In fact, it’s very common for contemporary devices to offload most (if not all) of their display to the user’s handset.
Smartphones and the rise of IoT
Relying on the ubiquity of smartphones and the rise of remote controls, users and vendors alike have embraced the move away from physical device interfaces. This evolution in the IoT ecosystem, however, brings major benefits AND serious drawbacks.
While users enjoy the remote capabilities of companion apps and vendors bypass the need for hardware interfaces, studies show that these apps present serious cybersecurity risks. For example, the communication between an IoT device and its app is often neither properly encrypted nor authenticated – and these weaknesses enable the construction of exploits that achieve remote control of victims’ devices.
How the industry got here
It is important to explain that connected devices have not always been this way. I’m sure others like myself do not need to cast their minds far back to remember a time when smartphones did not even exist. User input during these halcyon days relied on physical interfaces on the device itself, interfaces that typically consisted of basic touch screens or two-line LCD displays.
Though functional, these physical interfaces were certainly limited (and limiting) when compared to the applications that superseded them. Devices without physical interfaces are smaller, consume less power, and look better. Developers, meanwhile, enjoy the relative ease of creating an app – with the additional support of software development kits – instead of manually programming physical interfaces. Perhaps most importantly, it’s many times cheaper for vendors to create devices with companion apps than to create devices with physical interfaces.
All that is without even starting on the benefits of remote connectivity! Smartphone apps enable users anywhere in the world to set the temperature of their air conditioning and record from their home security webcam with the click of a screen. These apps are simply much more expressive and intuitive than physical interfaces, enabling users to customize what they like from wherever they are. On the other hand, however, it is this element of remote connectivity which presents the compromise between usability and security.
The dangers of device companion apps
Unfortunately, the majority of companion apps have the potential to expose devices to bad actors. Researchers last year found that about half of the apps studied are potentially exploitable through protocol analysis: because they rely on local or local-broadcast communication, an attacker on the same network has a path to exploit the absence of cryptography or the use of hardcoded encryption keys. The same study, which covered the companion apps of some of Amazon’s most popular devices, found no encryption at all in one-third of cases and hardcoded keys in one-fifth.
These findings were confirmed by another study in which researchers tested more than 2000 device companion apps for security faults. They found that more than 30 devices from 10 vendors relied on the same cloud service to manage their devices, and that this cloud service had a reported security weakness that previously allowed attackers to take full control of devices by enumerating device IDs and passwords.
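The enumeration pattern just described is something the cloud service, not the user, has to catch. As an added illustration (this is not code from the article or from the studies it cites), here is a small detector run over constructed authentication log lines from a hypothetical device-management API; the log format, the sliding window and the thresholds are assumptions chosen for the example.

```python
"""Flag device-ID and password enumeration against a device-management API.

Added example, not taken from the article or the studies it cites. The log
format ("<ISO timestamp> <source ip> <device id> <OK|FAIL>"), the window and
the thresholds are assumptions chosen for the illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per source address (assumption)
MAX_DISTINCT_IDS = 5             # distinct device IDs tried by one source in WINDOW
MAX_FAILS_PER_ID = 5             # failed logins for one device ID from one source

# Constructed sample log: one source walks through device IDs, one hammers a
# single ID with password guesses, and one ordinary user mistypes once.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 dev-1001 FAIL
2024-05-01T10:00:01 203.0.113.7 dev-1002 FAIL
2024-05-01T10:00:02 203.0.113.7 dev-1003 FAIL
2024-05-01T10:00:03 203.0.113.7 dev-1004 FAIL
2024-05-01T10:00:04 203.0.113.7 dev-1005 FAIL
2024-05-01T10:00:05 203.0.113.7 dev-1006 OK
2024-05-01T10:00:10 198.51.100.4 dev-2000 FAIL
2024-05-01T10:00:11 198.51.100.4 dev-2000 FAIL
2024-05-01T10:00:12 198.51.100.4 dev-2000 FAIL
2024-05-01T10:00:13 198.51.100.4 dev-2000 FAIL
2024-05-01T10:00:14 198.51.100.4 dev-2000 FAIL
2024-05-01T10:05:00 192.0.2.9 dev-3000 FAIL
2024-05-01T10:05:30 192.0.2.9 dev-3000 OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, device id, result)."""
    ts, src, dev, result = line.split()
    return datetime.fromisoformat(ts), src, dev, result


def detect_enumeration(log_text):
    """Return {(src_ip, kind, device_id_or_*): peak_count} for every source
    that crosses a threshold inside the sliding window.

    kind is 'device-id-enumeration' (many distinct IDs from one source) or
    'password-guessing' (many failures for one ID from one source).
    """
    recent = defaultdict(deque)   # src_ip -> deque of (ts, device_id, result)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dev, result = parse_line(line)
        window = recent[src]
        window.append((ts, dev, result))
        while ts - window[0][0] > WINDOW:   # drop events older than the window
            window.popleft()
        distinct = {d for _, d, _ in window}
        if len(distinct) >= MAX_DISTINCT_IDS:
            key = (src, "device-id-enumeration", "*")
            alerts[key] = max(alerts.get(key, 0), len(distinct))
        fails = sum(1 for _, d, r in window if d == dev and r == "FAIL")
        if fails >= MAX_FAILS_PER_ID:
            key = (src, "password-guessing", dev)
            alerts[key] = max(alerts.get(key, 0), fails)
    return alerts


if __name__ == "__main__":
    for (src, kind, dev), count in sorted(detect_enumeration(SAMPLE_LOG).items()):
        print(f"{src:15} {kind:24} {dev:10} peak={count}")
```

The detector keys on the source address only for clarity; in practice the same counters per account, per API token and per /24 are needed, since enumeration is trivially spread across many addresses, and a successful login that follows a burst of failures from the same source (dev-1006 above) deserves its own alert.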
To make matters worse, there is little incentive for vendors to release fixes when vulnerabilities are uncovered. Most vendors in this space are small and medium-sized businesses that lack the budget for software quality control and security best practices. This issue is only exacerbated by the relative inexpensiveness of the devices they sell, meaning that vendors simply do not have the resources necessary to implement security best practices like monitoring agents or authentication hardware.
What users must do
The good news is that secure communication between a device and an app is possible. For example, EZVIZ smart home security applications support communication between the companion app and the device directly over the local network. The shared encryption key is enclosed in the device box in the form of a QR code and must be scanned by the companion app. This strategy is better than hardcoded keys, provided that the key in the QR code is of sufficient length and randomness.
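The QR-code provisioning scheme just described, shown as an added example (illustration code, not EZVIZ’s or any vendor’s): the companion app parses an assumed “DEV:<id>;KEY:<hex>” payload, rejects keys that are too short, low in entropy or already used by another device (the hardcoded-key case the earlier studies found), and then uses the key to authenticate local-network commands with a replay counter. The payload format, the thresholds and the frame layout are assumptions; encrypting the command body is left to a vetted AEAD library, so this block shows the key check and the authentication half with the standard library only.

```python
"""Validate a per-device key delivered by QR code and use it to authenticate
local-network commands between a companion app and a device.

Added example, not code from the article, EZVIZ or any vendor. The QR payload
format, the key-quality thresholds and the command-frame layout are
assumptions made for the illustration.
"""
import hashlib
import hmac
import math
import struct
from collections import Counter

MIN_KEY_BYTES = 16         # 128-bit floor (assumption for the illustration)
MIN_BITS_PER_BYTE = 3.5    # Shannon-entropy floor for a 16..32 byte key (assumption)
TAG_LEN = 32               # HMAC-SHA256 tag length


def shannon_bits_per_byte(data):
    """Byte-level Shannon entropy; a random 16-byte key scores close to 4.0."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_qr_payload(payload):
    """Parse the assumed QR text 'DEV:<id>;KEY:<hex>' into (device_id, key bytes)."""
    fields = dict(part.split(":", 1) for part in payload.strip().split(";"))
    return fields["DEV"], bytes.fromhex(fields["KEY"])


def validate_key(key, device_id, registry):
    """Return (ok, reason). `registry` maps sha256(key) -> device id already
    provisioned, so a key shared across boxes (hardcoded) is rejected without
    storing the key itself."""
    if len(key) < MIN_KEY_BYTES:
        return False, "key too short"
    if shannon_bits_per_byte(key) < MIN_BITS_PER_BYTE:
        return False, "key has low byte entropy"
    fingerprint = hashlib.sha256(key).hexdigest()
    owner = registry.get(fingerprint)
    if owner is not None and owner != device_id:
        return False, "key already used by device %s (shared/hardcoded key)" % owner
    registry[fingerprint] = device_id
    return True, "ok"


def derive_auth_key(key):
    """Domain-separate the command-authentication key from the provisioned key."""
    return hmac.new(key, b"companion-app/command-auth", hashlib.sha256).digest()


def build_command(auth_key, device_id, counter, command):
    """Frame = device id || 0x00 || 8-byte big-endian counter || command || tag."""
    body = device_id.encode() + b"\x00" + struct.pack(">Q", counter) + command
    tag = hmac.new(auth_key, body, hashlib.sha256).digest()
    return body + tag


def verify_command(auth_key, device_id, last_counter, frame):
    """Return (accepted, new_last_counter, command).

    Rejects frames with a bad tag, frames addressed to another device and
    frames whose counter is not strictly greater than the last accepted one
    (replays and reordered frames)."""
    if len(frame) < TAG_LEN:
        return False, last_counter, None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        return False, last_counter, None
    prefix = device_id.encode() + b"\x00"
    if not body.startswith(prefix) or len(body) < len(prefix) + 8:
        return False, last_counter, None
    counter = struct.unpack(">Q", body[len(prefix):len(prefix) + 8])[0]
    if counter <= last_counter:
        return False, last_counter, None          # replayed or out-of-order frame
    return True, counter, body[len(prefix) + 8:]


if __name__ == "__main__":
    # Constructed QR payload: a hypothetical device id and a 32-byte key.
    payload = "DEV:cam-7f3a;KEY:9f2c4e81b7d3a0566e1f8c2b4d7a9035e6c1f2a8b4d0397e5c8a1f6d2b3e4c70"
    registry = {}
    dev, key = parse_qr_payload(payload)
    print("key check:", validate_key(key, dev, registry))
    print("same key on another box:", validate_key(key, "cam-0001", registry))
    auth_key = derive_auth_key(key)
    frame = build_command(auth_key, dev, 1, b"PTZ LEFT")
    print("first delivery:", verify_command(auth_key, dev, 0, frame))
    print("replay:", verify_command(auth_key, dev, 1, frame))
```

The entropy check catches constant or near-constant keys but not sequential ones such as 0123…; the registry check is what catches the real-world failure mode, a single key printed on every box. The counter must survive device reboots (stored in flash) or the first command after a restart will be replayable.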
Another approach ensures that commands between the client and the device cannot be intercepted by a third party. Peer-to-peer is a private connection type used by German smart heating and cooling provider SOREL to ensure its smartphone app communicates without interference. Moreover, the connection minimizes the company’s own risk, since end users manage their data only on their own devices.
The bad news is that users today remain at the mercy of the vendors. There is currently no legislation that requires device makers to ensure that their devices or companion apps implement certain cybersecurity protocols. As we have seen time and again, vendor indifference to cybersecurity consistently results in subpar security protocols.
Therefore, the onus is on users to take extra cybersecurity steps in this context of vendor ambivalence. Until legislators catch up or manufacturers begin to implement stricter security protocols for their devices and apps, users will need to take matters into their own hands to make certain that the devices they bring into the workplace or the home are safe from outside forces. While the benefits of companion apps are clear, it is only the user who can prevent the worst dangers of these digital interfaces from becoming reality.