Many Smart Home Apps Have No Security: Report

Senior editor, security and privacy

UPDATED with statements from Belkin and LIFX.

You don't need to take apart smart-home devices to see whether their security is any good, say a team of Brazilian and American academic researchers. You can tell just by looking at the devices' companion smartphone apps.

A Belkin WeMo smart plug. Credit: Belkin

"Our intuition is that if this interaction between the companion app and device firmware is not implemented with good security principles, the device's firmware is potentially insecure and vulnerable to attacks," the researchers said in an academic paper published last week on Arxiv.org.

In other words, if the smartphone app has lousy security, then the device probably does too. Such was the case with smart-home companion apps used by Broadlink, Belkin, LIFX and TP-Link. On the other hand, the Nest and EZVIZ smartphone apps were praised for good security.

All of the devices used Wi-Fi to connect directly to home wireless networks. You might be better off sticking to devices that need a smart-home hub to connect to the Wi-Fi network. That way, there would be a buffer between a hacked device and the rest of your devices. Otherwise, create a second network if your Wi-Fi router allows it, and put your smart-home devices on that to separate them from your computer network.

No official fixes seem to have been pushed out for the flaws discovered, although the LIFX one may have been partly fixed due to an unrelated flaw we wrote about last week. We've reached out to Belkin, Broadlink and TP-Link for comment and will update this story when we receive a reply.


The researchers looked at 32 Android apps that work with the 96 top-selling smart-home devices on Amazon. (Many apps work with more than one model of device.)

Ten of the apps, including those used by Belkin, Broadlink and LIFX, used no encryption at all to secure their communications with smart devices. Six, including TP-Link's Kasa app, had hard-coded encryption keys that could be discovered by taking apart the Android apps. (The iOS apps are harder to dissect.)

"We found that leveraging these weaknesses to create actual exploits is not challenging," the research paper said. "A remote attacker simply has to find a way of getting the exploit either on the user's smartphone in the form of an unprivileged app or a script on the local network."

Let's do some breaking and entering

The team bought a Belkin WeMo smart plug, a Broadlink infrared remote controller, a LIFX smart bulb, a TP-Link smart plug and a TP-Link smart bulb and found that they could leverage smartphone-app flaws to easily hijack communications with each of the devices.

Without encrypted communications, the device is essentially unprotected, and the researchers were able to seize control of the Broadlink, Belkin and LIFX devices without too much trouble.

TP-Link's Kasa app used a Caesar cipher, a form of cryptography used by the ancient Romans. The key to deciphering the cipher was hard-coded right into the app, and the researchers used it to communicate with the TP-Link smart bulb from their rogue app. (It probably would have worked with any of the two dozen TP-Link devices that use the Kasa app.)

In a demonstration video, an authorized user downloads the TP-Link Kasa companion app, creates an account, connects to the TP-Link bulb over Bluetooth and connects the bulb to the local Wi-Fi network. The user demonstrates that the Kasa app works by turning the bulb on and off through the app.

Then another user comes along with a different Android phone, fires up a homemade app and turns the bulb on and off as well. According to the research paper, the second user didn't need to use the real app, didn't need to create an account with TP-Link and didn't even need to pair with the device over Bluetooth. All he or she had to do was find the TP-Link bulb on the same Wi-Fi network.

"This is a severe flaw as the user would not even be aware of an attack," the paper noted. "The official app would still work as intended even with a rogue app controlling the device simultaneously."

Not all bad news

There was some good news in the findings. Nest was praised for making its own cloud servers act as an intermediary between smartphone apps and Nest devices, even if the smartphone and the devices happened to be on the same Wi-Fi network.

"The companion app does not talk directly to the device," the paper said. "The communication between the companion app and the thermostat happens over [encrypted] SSL links to the cloud service."

EZVIZ had a simple but effective strategy for transmitting encryption keys securely. The encryption key was printed in the form of a QR code on a piece of paper inside the product box, and the smartphone app had to scan the code to connect to the device.
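To make the contrast between the hard-coded Caesar key described for the Kasa app and the per-device key EZVIZ ships in the box concrete, here is an added example (not code from the paper or from any vendor). The JSON message format, the shift value, the counter field and the use of HMAC-SHA256 are all assumptions for illustration; HMAC here authenticates commands and does not hide them.

```python
import hashlib
import hmac
import json
import secrets

HARDCODED_SHIFT = 0x2B  # constructed stand-in for a key baked into every copy of an app

def caesar(data: bytes, shift: int) -> bytes:
    """Byte-wise Caesar shift: add the same constant to every byte (mod 256)."""
    return bytes((b + shift) % 256 for b in data)

def recover_shift(ciphertext: bytes, known_first_byte: bytes = b"{") -> int:
    """Why this is weak: one predictable plaintext byte reveals the whole key."""
    return (ciphertext[0] - known_first_byte[0]) % 256

def sign_command(device_key: bytes, counter: int, command: dict) -> bytes:
    """Hardened form: authenticate each command with a per-device secret."""
    body = json.dumps({"n": counter, "cmd": command}, sort_keys=True).encode()
    tag = hmac.new(device_key, body, hashlib.sha256).digest()
    return tag + body

def verify_command(device_key: bytes, last_counter: int, packet: bytes):
    """Device side: return the command dict, or None if forged or replayed."""
    tag, body = packet[:32], packet[32:]
    expected = hmac.new(device_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # sender does not hold this device's key
    msg = json.loads(body)
    if msg["n"] <= last_counter:
        return None  # counter did not advance: replayed packet
    return msg["cmd"]

if __name__ == "__main__":
    # Constructed sample message, not a real device protocol.
    wire = caesar(b'{"power": "on"}', HARDCODED_SHIFT)
    shift = recover_shift(wire)
    print("recovered shift:", hex(shift), caesar(wire, -shift))
    # Per-device key, e.g. delivered out of band like a QR code in the box.
    key = secrets.token_bytes(32)
    pkt = sign_command(key, 1, {"power": "on"})
    print("right key:", verify_command(key, 0, pkt))
    print("wrong key:", verify_command(secrets.token_bytes(32), 0, pkt))
```

A key that is unique to each device and never shipped inside the app means that extracting secrets from one APK says nothing about any particular device on the network.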

As for whether the flaws they discovered have been fixed, the researchers noted that "none of them have sent any response to our disclosures and to the best of our knowledge, have not released patches relative to these vulnerabilities."

UPDATE 3:40 p.m. EST Feb. 4: Belkin responded to our query with the following statement: "UPnP [the Universal Plug 'n' Play protocol] was chosen for its ubiquity and ease of use and because the local home network provides a good amount of security. We are however always working on improving and heightening the security of our products, especially due to increasing threats from malware from phishing scams and malicious web sites. We are working on introducing user accounts later this year, which will secure local network communications and provide better accessibility."

UPDATE 10:00 a.m. EST Feb. 5. LIFX sent Tom's Guide the following statement:

"We are aware of this report. As a general statement, consumers should be aware that all IoT devices are on a vulnerability spectrum. We are always attempting to strike the right balance between tight security and ease of use.

In this case, we do use unencrypted messaging to communicate with our lights over local LAN. This is not hidden by LIFX: our LAN protocol is publicly documented (https://lan.developer.lifx.com/) to help facilitate use by partners and 3rd party developers.

Importantly though, access to the network is required in order to control the lights. So it is not the lights being hacked to get access to the Wi-Fi, but the Wi-Fi being hacked to gain access to the lights."