Smart Wifi Plug IoT Security Case Study

Introduction:

The objective of this IoT security research was to identify possible attacks that a malicious attacker might launch in order to gain access to an IoT device and/or other devices, and to provide recommendations on how the associated risks can be mitigated. The assignment focused on external threats and assessed the effectiveness of the present security posture.

We have taken additional care to protect the vendor information. For any questions regarding this, please email uday[dot]datrak[at]imaginea.com

 

1. Security Issue: Unauthorized Concurrent Connections

Detailed Description:
The Test Team observed that the smart plug APK can be installed on multiple devices, and each installation can operate the smart wifi plug without providing any username or password.

Impact:
An attacker can install the smart wifi plug APK on their own phone, connect to the default wifi network name, and switch the plug on or off.
Note: The wifi network name is the same for all smart plugs from that manufacturer.

Video Evidence:
Video evidence was removed to hide the manufacturer information.

Recommendations:
It is recommended to implement access control so that only authorized users can operate the plug.

References:
https://www.owasp.org/index.php/Category:Access_Control

 

2. Security Issue: Undisclosed Default Credentials

Detailed Description:
The Test Team observed that all smart wifi plugs have the same default username ‘*******’ and password ‘*******’ for the default login.
Buyers will not be aware of this default username and password, as the credentials are not mentioned in the Android app or the user manual.

Impact:
All the smart plugs have the same credentials, and an attacker can switch them on or off using these default credentials.

Screenshots:
The screenshot was removed to hide the vendor information and common gateway IP address.

Recommendations:
It is recommended to ask the user to change the default password of the smart wifi plug.

References:
https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)

 

3. Security Issue: No Root Detection

Detailed Description:
The Test Team observed that the smart plug APK can be installed on rooted devices.
The application should not be installed or started on rooted devices.

Impact:
If the application is installed on a rooted device, malware can steal sensitive information or switch the plug on/off.

Screenshots:
Screenshots were removed to hide the application GUI and smart wifi plug image.

Recommendations:
It is recommended to implement root detection code.
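
A minimal heuristic root check for this recommendation, added here as an illustration and not taken from the vendor's app. It assumes an Android Java code base; the su paths and the test-keys build tag are commonly used indicators, and all of them are heuristics that raise the bar rather than prove the device is clean.

```java
import android.os.Build;
import java.io.File;

/** Heuristic root detection (added example; su path list is an assumption). */
public final class RootCheck {

    // Common locations of the su binary on rooted devices.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su",
        "/data/local/su", "/su/bin/su"
    };

    private RootCheck() {}

    /** Build signed with AOSP test keys, typical of custom ROMs. */
    static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** A su binary exists at one of the well-known paths. */
    static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    /** A su binary is resolvable via the PATH environment variable. */
    static boolean suOnPath() {
        String pathEnv = System.getenv("PATH");
        if (pathEnv == null) return false;
        for (String dir : pathEnv.split(":")) {
            if (new File(dir, "su").exists()) return true;
        }
        return false;
    }

    /**
     * True if any indicator fires. Treat a hit as a reason to refuse
     * sensitive operations (such as switching the plug) and to warn the
     * user, not as proof; a determined user can hide these indicators.
     */
    public static boolean isDeviceRooted() {
        return hasTestKeys() || hasSuBinary() || suOnPath();
    }
}
```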

References:
https://www.owasp.org/index.php/Mobile_Top_10_2014-M10

 

4. Security Issue: Information Leakage

Detailed Description:
It is observed that the smart wifi plug has the default wifi network name ‘*****’ and the user has no user-friendly option to change the wifi network name.

Impact:
An attacker can scan for the wifi network name ‘******’ across a city to learn how many smart plug users there are, and can operate their smart wifi plugs using the default credentials.

Screenshots:
Screenshots were removed to hide the application GUI and smart wifi plug image.

Recommendations:
The application should offer an option to change or hide the wifi network name.

References:
https://www.owasp.org/index.php/Information_Leak_(information_disclosure)

 

5. Security Issue: Android Source Code Not Protected

Detailed Description:
The Test Team observed that the smart wifi plug APK file can be decompiled with JD-GUI, and the application's encryption code can be understood from the result.

Impact:
An attacker can decompile the source code to understand the encryption logic and decrypt the traffic.

Screenshots:
N/A

Recommendations:
It is recommended to use ProGuard to obfuscate the code.

References:
https://www.guardsquare.com/en/proguard