If you jump into the Internet of Things and purchase a home security system to provide security, you may actually be less secure and more vulnerable than before you bought a security system. HP Fortify researchers tested 10 of the newest home security systems and discovered IoT-connected home security systems are full of security fail.
Connected home security systems are connected via the cloud to a mobile device or the web for remote monitoring, and come with a variety of features such as motion detectors, door and window sensors and video cameras with recording capabilities. Although “the intent of these systems is to provide security and remote monitoring to a home owner,” HP researchers said (pdf), “given the vulnerabilities we discovered, the owner of the home security system may not be the only one monitoring the home.”
“The biggest takeaway is the fact that we were able to brute force against all 10 systems, meaning they had the trifecta of fail (enumerable usernames, weak password policy, and no account lockout), meaning we could gather and watch home video remotely,” wrote HP’s Daniel Miessler.
HP Fortify found an “alarmingly high number of authentication and authorization issues along with concerns regarding mobile and cloud-based web interfaces.” Under the category of insufficient authentication and authorization, the researchers reported (pdf):
- 100% allowed the use of weak passwords
- 100% lacked an account lockout mechanism that would prevent automation attacks
- 100% were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access
- Four of seven systems that had cameras gave the owner the ability to grant video access to additional users, further exacerbating account harvesting issues.
- Two of the systems allowed video to be streamed locally without authentication
- A single system offered two-factor authentication
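The three failures Miessler calls the "trifecta" (enumerable usernames, weak password policy, no account lockout) are each a single missing check in the cloud login path. The following is an added illustration, not code from the HP report or from any of the tested vendors: a toy in-memory login service whose `Policy` defaults reproduce the weak behaviour and whose hardened settings close each gap. The PBKDF2 hashing and iteration count are assumptions standing in for whatever a real backend uses.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Policy:
    min_length: int = 0           # 0 == no password policy (weak default)
    lockout_after: int = 0        # 0 == never lock out (weak default)
    generic_errors: bool = False  # False == distinct errors leak valid usernames


class AuthService:
    """Constructed in-memory user store; a real deployment would use a database."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.users = {}      # username -> (salt, password hash)
        self.failures = {}   # username -> consecutive failed logins

    def _hash(self, salt: bytes, password: str) -> bytes:
        # Assumed work factor; production systems use a higher count or argon2/bcrypt
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def register(self, username: str, password: str) -> str:
        if len(password) < self.policy.min_length:
            return "password too short"
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(salt, password))
        return "ok"

    def login(self, username: str, password: str) -> str:
        p = self.policy
        # Lockout is counted per username, so unknown names lock out too
        if p.lockout_after and self.failures.get(username, 0) >= p.lockout_after:
            return "locked"
        record = self.users.get(username)
        if record is None:
            if not p.generic_errors:
                return "unknown user"   # weak: confirms the account does not exist
            self._hash(b"\0" * 16, password)  # same cost as a real check, same message
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(digest, self._hash(salt, password))
        if ok:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "invalid credentials"
```

With the defaults, a caller can tell "unknown user" from "invalid credentials" and retry a known account indefinitely; with the hardened policy both responses collapse to one message and the fifth consecutive failure locks the name.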
“Properly configured transport encryption is especially important since security is a primary function of these home security systems.” Yet regarding the encryption that is critical for protecting “sensitive data such as credentials, personal information, device security settings and private video to name a few,” they discovered that “50% exhibited improperly configured or poorly implemented SSL/TLS.”
70% of the home security systems allowed “unrestricted account enumeration through their insecure cloud-based interface.” Mobile didn’t fare much better as “50% allowed unrestricted account enumeration through their mobile application interface.”
Regarding firmware and software, “60% indicated no obvious update capabilities and none offered any kind of automatic update functionality.” One system updated firmware via FTP, which would allow an attacker to capture credentials and have write-access to the update server. Three out of 10 systems let the users decide whether or not to accept the latest firmware update.
FTC chairwoman Edith Ramirez recently warned of privacy threats from IoT device data and of course HP researchers found privacy issues as well. “70% made video streaming available through their cloud-based web interface or mobile application interface.” They added, “These systems carry a concern with data privacy as well as the privacy of video images from inside the home due to the use of video cameras.”
According to HP’s infographic (pdf), “If video streaming is available through a cloud-based web or mobile application interface, then video can be viewed by an Internet-based attacker from hacked accounts anywhere in the world.” Unfortunately, some parents only learn this lesson after their wireless baby monitor is hacked and the attacker talks to them or the baby. Owners of about 73,000 wireless cameras had a rude wakeup call when “insecurecam” aggregated security surveillance systems that are “available for all Internet users” to view.
“It seems that every time we introduce a new space in IT we lose 10 years from our collective security knowledge,” stated Miessler. “The Internet of Things is worse than just a new insecure space: it's a Frankenbeast of technology that links network, application, mobile, and cloud technologies together into a single ecosystem, and it unfortunately seems to be taking on the worst security characteristics of each.”
Would there be more of an outcry about these security failings if HP released the names of products tested? If HP would name the vendors and products, then it gets personal; people with those specific IoT devices and home security systems might raise a ruckus with the manufacturers if the vulnerabilities were publicly disclosed.
HP's TippingPoint Zero Day Initiative publishes security advisories after a vendor patches, but ZDI also maintains a list of upcoming advisories, which are vulnerabilities that are not yet patched or publicly disclosed. If, after 120 days, the vendor chooses to ignore a disclosed vulnerability and not to deploy a patch, then the security bug is made public. If the same responsible disclosure were true in the IoT space, then vendors would fix flaws or face unhappy customers and future customers would steer clear of stigmatized non-secure brands.
In a previous report, HP Fortify researchers found about 25 security vulnerabilities per Internet of Things device. In the report about home security systems, HP researchers said they don’t want to dampen your enthusiasm, but they do want you to be informed about the risks before activating these systems. Wouldn’t we be better informed if we knew precisely what IoT devices and security systems are full of fail?
“Securing the Internet of Things will be our greatest challenge as an information security community,” Miessler added. “With complex systems like IoT, breaking security is often all about chaining smaller vulnerabilities together, and that's what we saw when looking at these home security systems. We can expect to see more of the same across the IoT space precisely because of the complexity of merging network, application, mobile, and cloud components into one system.”
While the researchers only tested 10 systems, based on OWASP Internet of Things top 10 project list, they believe it’s a “good indicator of where the market currently stands as it relates to security and the Internet of Things.” In other words, the IoT space is the new Wild West and home security systems are not nearly as secure as you may think.