Mobile Security Blog | Pradeo

Connected Objects, Vulnerable to Malicious Takeover

Written by Vivien Raoul | March 27, 2018

In a few years, smart cars will become common and they will drive you wherever you want autonomously. We are not at that stage yet, but we can already control our entire house thanks to home automation. Heaters, lights, door-locks or CCTV are now connected items that can be managed remotely from a mobile phone or a tablet through a dedicated mobile application.

Official stores are listing hundreds of mobile applications enabling to control connected objects. Once installed, these applications can influence users environment and access their private information: videos, pictures, location, etc. But how protected are they in case of an attack? How do they secure the data they handle?

The Pradeo Lab investigated the question by reviewing a representative sample of 100 IoT mobile applications (thermostat, electrical blinds, remote control, baby phone…) available on Google Play and App Store. Discover below the main results from this study.

 

15% of applications are vulnerable to takeover

80% of tested applications carry vulnerabilities, with an average of 15 per application. Moreover, 15% of them can lead to a Man-In-The-Middle attack, a vulnerability that particularly caught our researchers' attention because in the IoT realm, it can lead to an object takeover by a cybercriminal.

 

8% of applications get connected to uncertified networks

Official stores applications rarely include a malware but they are not necessarily safe. The IoT applications analyzed by the Pradeo Lab are sending the data they handle to 17 servers in average, and 8% of them are transmitting the information to uncertified servers. Among these, some have expired and are available for sale. Anyone buying them could access all the data they receive.

 

90% of applications leak the data they manipulate

Most of the analyzed applications are sending data over the network. Here is the detail of the data sent classified by the percentage of applications which send them:

  • Application file content: 81% of applications
  • Hardware information (device manufacturer, commercial name, battery status…): 73%
  • Device information (OS version number…): 73%
  • Temporary files: 38%
  • Phone network information (service provider, country code…): 27%
  • Video and audio records: 19%
  • Files coming from app static data: 19%
  • Geolocation: 12%
  • Network information (IP address, 2D address, Wi-Fi connection state): 12%
  • Device identifiers (IMEI): 8%

 

We have reached out to the companies concerned by these results to notify them about the security problems they are exposed to.

 

Discover Pradeo Security, the behavioral analysis engine which contributed to this detailed analysis.