Smarter homes and businesses are fast emerging but it seems that device manufacturers are not keeping up with basic security issues such as password security, encryption and user access permissions.
Hewlett Packard, using its Fortify on Demand security testing service, scanned 10 of the most popular IoT devices and uncovered, on average, 25 vulnerabilities per device – totaling 250 security concerns across all tested products.
The IoT devices tested, along with their cloud and mobile application components, included TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers. The majority of these devices included some form of cloud service, and all of them included mobile applications for remote access and control.
Common security issues
The most common and easily addressable security issues HP found were:
Privacy concerns: Eight of the 10 devices tested, along with their corresponding cloud and mobile application components, raised privacy concerns regarding the collection of consumer data such as name, email address, home address, date of birth, credit card credentials and health information. Moreover, 90% of tested devices collected at least one piece of personal information via the product itself, the cloud or its mobile application.
Insufficient authorization: 80% of the devices tested, including their cloud and mobile components, failed to require passwords of sufficient complexity and length, with most devices allowing passwords such as “1234.” In fact, many of the test accounts HP configured with weak passwords were also used on the products’ websites and mobile applications.
Lack of transport encryption: 70% of devices analyzed did not encrypt communications to the internet and local network, while half of the devices’ mobile applications performed unencrypted communications to the cloud, internet or local network. Transport encryption is crucial given that many of the tested devices collected and transmitted sensitive data across channels.
Insecure web interface: Six of the 10 devices evaluated raised security concerns with their user interfaces such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text. 70% of devices with cloud and mobile components would enable a potential attacker to determine valid user accounts through account enumeration or the password reset feature.
Inadequate software protection: 60% of the devices did not use encryption when downloading software updates. Some downloads could even be intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.
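The account-enumeration weakness in the web interfaces (a password reset feature whose reply differs for registered and unregistered accounts) is easy to reproduce and to fix. The following is an added illustration, not code from HP's report or from any tested product: a leaky reset handler beside a uniform-response one, with a small check a reviewer can run against either. The account store and addresses are constructed sample data.

```python
import secrets
from dataclasses import dataclass

# Constructed sample account store: email -> pending reset token (None if no reset requested).
ACCOUNTS = {"alice@example.com": None, "bob@example.com": None}


@dataclass(frozen=True)
class ResetResponse:
    status: int
    body: str


def reset_leaky(email: str) -> ResetResponse:
    """The pattern the report describes: the HTTP reply itself reveals whether an
    account exists, so the endpoint doubles as an account-existence oracle."""
    if email not in ACCOUNTS:
        return ResetResponse(404, "No account with that email address.")
    ACCOUNTS[email] = secrets.token_urlsafe(32)  # token is delivered out of band (email)
    return ResetResponse(200, "Reset link sent to " + email)


def reset_uniform(email: str) -> ResetResponse:
    """Hardened handler: identical status and body whether or not the account exists.
    A token is still generated only for real accounts, and only the mailbox owner
    ever sees it, so the HTTP response carries no information about the account."""
    if email in ACCOUNTS:
        ACCOUNTS[email] = secrets.token_urlsafe(32)
    return ResetResponse(
        200, "If an account exists for that address, a reset link has been sent."
    )


def leaks_account_existence(handler, known: str, unknown: str) -> bool:
    """Review check: does a registered address produce a different response than an
    unregistered one? True means the handler enumerates accounts."""
    return handler(known) != handler(unknown)
```

The same uniform-response rule applies to login and registration errors; response-time differences and request rate limiting on these endpoints are separate controls that the check above does not cover.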
“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary, given the expanded attack surface,” said Mike Armistead, vice president and general manager, Fortify, Enterprise Security Products, HP.
“With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.”
With the rise of IoT – projected by Gartner to include 26 billion units installed by 2020 – HP believes it is imperative for organizations to implement an end-to-end approach to identify software vulnerabilities before they are exploited.
Three takeaways are offered:
● IoT security is not one-dimensional, and all surface areas need to be evaluated in order to have a complete view of the risk.
● IoT security is not just a consumer problem. Corporations need to be looking at how their ICS and SCADA systems fare when examined in a similar light.
● The current state of IoT security seems to take all the vulnerabilities from existing spaces, e.g. network security, application security, mobile security, and internet-connected devices, and combine them into a new (even more insecure) space, which is troubling.
Recommendations for manufacturers include conducting a security review of their device and all associated components, implementing security standards that all devices must meet before production, and ensuring that security is a consideration throughout the product lifecycle.