IEEE Technology and Society Magazine - June 2018 - 77

show when a particular attribute could not be tested
or assessed.
Note these tests were performed at a point in time
and may have been improved or further deteriorated
since the date of testing in April 2017.

this, we launched a password-guessing attack to see if
they were protected by strong security protocols.
Each device was also checked to see how much traffic any open ports could handle before they were
brought down in a DDoS attack.

Confidentiality Rating

Access Control Rating
We tested to see if any ports on a device were "open,"
allowing the port to be exploited by attackers. Based on
JUNE 2018

∕

DNS Spoofing

Fake Server

We checked the integrity and authentication of each device by setting up a fake server to "listen" on the port
used by the real server. This technique is known as a
"man in the middle attack."
Using a number of methods, this fake server communicated with each device to see if it could be authenticated. We also tested to see if the devices could be
controlled by outside influences.
Figure 2 shows how each device performed in integrity testing.
■ These results show that all of the IoT devices were
vulnerable to an attack through the Domain Name
System (DNS) protocol. This means that at tackers
could hijack the system and impersonate the legitimate server of the IoT device. They would be protected, however, through proper authentication.
■ The two light bulbs that were tested communicated
with the fake server, which is a concern.

DNSSEC

Integrity Rating

Integrity and Authentication
Replay Attack

Confidentially is a measure of the security of data running between the IoT device, the router, and our server.
Our tests show whether the communications sent
and received were encrypted (the most difficult to read),
encoded (hard but not impossible), or plain text (easiest
to hack).
Figure 1 shows how each device performed in confidentiality testing.
■ Most of the devices had fairly secure communications in two channels (device to server and user app
to server) but were vulnerable when they communicated with their user app.
■ Five of the devices - the Phillips Hue light bulb, Belkin switch and motion sensor, HP Envy printer, and
TP-Link camera - sent data in plain text rather than
encrypted code. This would make it relatively simple
for hackers to deduce when a user is at home, based
on whether the power switch is on or off, or when the
light bulb was last used, for example.
■ The TP-Link camera was particularly susceptible to
attack. Not only might an attacker view any video and
audio footage based on reassembled data, the default
authentication password "admin" was easily decoded.

Phillips Hue Light Bulb

Belkin Switch

Samsung Smart Cam

Belkin Smart Cam

Awair Air Monitor

HP Envy Printer

LIFX Bulb

Canary Camera

TP-Link Switch

Amazon Echo

Samsung Smart Things

Pixstar Photo Frame

TP Link Camera

Belkin Motion Sensor

Nest Smoke Alarm

Netatmo Camera

Dlink Camera

Hello Barbie Companion

Withings Sleep Monitor

Nest Drop Camera

Devices

Netatmo Weather Station
Triby Speaker

Withings Weighing Scale
Chromecast

Key:
DNS: Domain Name System
DNSSEC: DNS Security Extensions
Figure 2. Integrity and authentication.

IEEE Technology and Society Magazine

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - June 2018