A study of insecure protocols for setting up IoT devices

Ciprian Oprisa, Team Leader, Bitdefender

IoT security is a challenge for both IoT producers and security vendors. The producers focus on offering usability and functionality, while security is of less concern. Security vendors don't have many options for securing the Internet of Things; most of the time, network-level security is the only option.

To be "smart", an IoT device needs to communicate with Internet servers, smartphones or other IoT devices, exposing a large attack surface. Although many vendors work towards mitigating communication vulnerabilities, our research shows that IoT devices are usually vulnerable during their initial setup.

After being powered on, an IoT device needs to receive the Wi-Fi credentials in order to access the Internet and make further connections. Since these devices usually don't have a keyboard, the initial setup is performed through a smartphone. At this point, the smartphone can be impersonated by an attacker, who can then take control of the device. The device itself can also be impersonated, tricking the user into revealing the Wi-Fi credentials. Some devices also communicate over an unencrypted channel at this point, receiving private information in plain text.

Our study of 25 IoT devices from various vendors shows that more than two thirds have at least one type of vulnerability during the initial setup phase. Moreover, for some of these devices, this phase can be triggered at any time by an external attacker. The paper shows some practical attacks that were successfully performed on the analyzed devices and also presents a protocol for securing the initial setup. The proposed protocol ensures mutual trust between the IoT device and the smartphone that performs the setup, making impersonation impossible. The protocol is also cryptographically secure (based on state-of-the-art key exchange and symmetric encryption), ensuring that sensitive data such as Wi-Fi passwords cannot be read by third parties.

Although the initial setup vulnerabilities can only be exploited by a local attacker, which lowers their severity, vendors should be aware of them and implement secure protocols.
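The abstract does not give the details of the proposed protocol, so the following is an added illustration of the two properties it names (mutual trust and an encrypted channel for the Wi-Fi credentials), not the paper's own design. It assumes a setup secret shared out of band (for example printed on the device and scanned by the phone), authenticates each side's ephemeral X25519 public key with an HMAC under that secret, and sends the credentials under AES-GCM, so a party without the secret can impersonate neither phone nor device and the plaintext never crosses the radio.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Setup secret shared out of band, e.g. printed on the device and scanned by
// the phone (constructed value; the abstract does not say how trust is seeded).
var setupSecret = []byte("constructed-device-label-secret")

// Tag binds a public key to the setup secret. Without the secret no valid tag
// can be produced, so an attacker can pose as neither the phone nor the device.
func Tag(pub *ecdh.PublicKey) []byte {
	m := hmac.New(sha256.New, setupSecret)
	m.Write(pub.Bytes())
	return m.Sum(nil)
}

// SessionKey rejects an unauthenticated peer key, then completes X25519 and
// derives an AES-256 key (SHA-256 stands in for a real KDF such as HKDF).
func SessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey, peerTag []byte) ([]byte, error) {
	if !hmac.Equal(Tag(peer), peerTag) {
		return nil, errors.New("peer key not authenticated: possible impersonation")
	}
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

func gcm(key []byte) cipher.AEAD { // 32-byte key: neither constructor can fail
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Provision runs the setup: each side publishes (pub, Tag(pub)), both derive
// the same key, and the phone sends the Wi-Fi credentials under AES-GCM.
// Returns what the device decrypts; the channel only ever carries ciphertext.
func Provision(creds []byte) ([]byte, error) {
	phone, _ := ecdh.X25519().GenerateKey(rand.Reader)
	device, _ := ecdh.X25519().GenerateKey(rand.Reader)
	kPhone, e1 := SessionKey(phone, device.PublicKey(), Tag(device.PublicKey()))
	kDevice, e2 := SessionKey(device, phone.PublicKey(), Tag(phone.PublicKey()))
	if err := errors.Join(e1, e2); err != nil {
		return nil, err
	}
	nonce := make([]byte, 12) // fresh random nonce per message
	rand.Read(nonce)
	return gcm(kDevice).Open(nil, nonce, gcm(kPhone).Seal(nil, nonce, creds, nil), nil)
}
```

A phone or device that presents a key without a valid tag is refused before any key material is derived, which is the check the plaintext setups described above lack.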

Ciprian Oprisa

Dr. Ciprian Oprisa is a Team Leader in the Antimalware Lab at Bitdefender, where he has worked since 2010, and a Lecturer at the Technical University of Cluj-Napoca since 2017. His job involves reverse engineering malicious applications and developing new technologies for heuristic malware detection and for fighting network-based threats. He received his PhD, entitled "Machine Learning Techniques for the Analysis and Detection of Malicious Software", at the Technical University of Cluj-Napoca. His research interests include security, machine learning and algorithms.