Towards Examining The Security Cost of Inexpensive Smart Home IoT Devices

A myriad of security challenges has accompanied the rapid proliferation of internet-of-things (IoT) smart-home devices. While smart-home security cameras, locks, digital speakers, and thermostats offer the promise of security, their naive implementations often introduce vulnerability into our digitally connected lives. We argue that the consumer demand for inexpensive IoT has led to a supply of grossly insecure devices. To examine this hypothesis, we examine the security of five inexpensive IoT devices from three separate vendors. In all five devices, our work uncovers immature software security efforts. Our findings discover new vulnerabilities, document legacy vulnerabilities due to software bill of materials (SBOM) issues, explore security mitigations in firmware, and examine the unsecured communication within the ecosystems of the devices. Our analysis discusses the root causes of these vulnerabilities. While these results indicate a snapshot of an immature and naive state of IoT software, there are several software development lifecycle processes that vendors can immediately implement to overcome the root causes of these vulnerabilities.