Every day, more Internet of Things devices hit the market. Some of that is innovation and some of it is vendors racing to claim a piece of the predicted one trillion dollar IoT market by 2020, when 26 billion “units” are predicted to make up the IoT. 2020 is still a long way off, but if manufacturers keep up the current practice of treating security as an afterthought, then we could be in a world of hurt, because “smart” devices can be anything but smart: right now, 70% of the devices in the 10 most popular categories of Internet of Things “smart” devices are vulnerable to being hacked or compromised.
Although HP Security Research didn't play the name-and-shame game by saying which manufacturers were involved, it did give a list of the 10 types of IoT products (pdf) studied. Each of these devices could be controlled via a smartphone app, and many also had connected cloud services. HP analyzed smart TVs, webcams, smart home thermostats, remote power outlets, sprinkler controllers, door locks, home alarms, bathroom scales, garage door openers and hubs for controlling multiple devices.
Daniel Miessler from HP Fortify on Demand said, “The current state of Internet of Things security seems to take all the vulnerabilities from existing spaces, e.g. network security, application security, mobile security, and Internet-connected devices, and combine them into a new (even more insecure) space, which is troubling.”
Devices and their components were assessed against the OWASP Internet of Things Top 10 project list, and the “alarmingly high” number of vulnerabilities “ranged from Heartbleed to Denial of Service to weak passwords to cross-site scripting.” On average, each device had about 25 vulnerabilities, such as insufficient authentication, an insecure web interface, or lack of transport encryption. 80% of the devices studied raised privacy concerns.
90% of the devices collected personal information through the device itself, its connected cloud service or its mobile app. Feeding in your name, address, date of birth, health stats or credit card number might be acceptable if that sensitive information were encrypted in transit. But 70% of the devices used unencrypted network services to transmit data. The researchers pointed out that “the lack of using transport encryption compounds the problem when you consider that the data is passed between the device, the cloud and the app.” HP asked, “Do these devices really need to collect this personal information to function properly?”
Six out of 10 devices with web interfaces were riddled with security vulnerabilities ranging from persistent cross-site scripting (XSS), to poor session management to weak default credentials. The researchers wrote, “We identified a majority of devices along with their cloud and mobile counterparts that enable an attacker to determine valid user accounts using mechanisms such as the password reset features. These issues are of particular concern for devices that offer access to devices and data via a cloud website.”
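The account-enumeration problem the researchers describe is easy to see in code. The following is an added example, not code from the HP report or from any of the vendors studied: a password-reset handler that leaks whether an address is registered, beside one that returns the same response either way, plus the attacker-side loop that tells them apart. The account store, handler names, messages and the `send_reset_email` hook are hypothetical.

```python
"""User enumeration through password reset: a leaky handler beside a
uniform one. Added example, not code from the HP report or any vendor;
the account store, handler names and messages are hypothetical."""
import hmac
import secrets

# Constructed sample account store for a hypothetical cloud service.
ACCOUNTS = {"alice@example.com": {}, "bob@example.com": {}}


def reset_leaky(email: str) -> dict:
    """Vulnerable: status and message differ for known and unknown
    addresses, so every request confirms whether an account exists."""
    if email not in ACCOUNTS:
        return {"status": 404, "message": "No account with that e-mail address"}
    ACCOUNTS[email]["reset_token"] = secrets.token_urlsafe(32)
    return {"status": 200, "message": "Reset e-mail sent"}


def reset_uniform(email: str) -> dict:
    """Hardened: same status and body either way, and the token is
    generated either way so both paths do similar work. The e-mail
    (hypothetical send hook) goes out only when the account exists."""
    token = secrets.token_urlsafe(32)
    if email in ACCOUNTS:
        ACCOUNTS[email]["reset_token"] = token
        # send_reset_email(email, token)  # hypothetical mail hook
    return {"status": 200,
            "message": "If that address is registered, a reset e-mail has been sent"}


def consume_reset_token(email: str, token: str) -> bool:
    """Single-use token check: the stored token is discarded on any
    attempt, valid or not, and compare_digest avoids a timing side channel."""
    stored = ACCOUNTS.get(email, {}).pop("reset_token", None)
    return stored is not None and hmac.compare_digest(stored.encode(), token.encode())


def enumerate_accounts(handler, candidates) -> list:
    """Attacker side: any candidate whose response differs from that of a
    known-bogus address is a registered account."""
    baseline = handler("nobody-here@example.invalid")
    return [c for c in candidates if handler(c) != baseline]
```

Against `reset_leaky`, the loop returns exactly the registered addresses; against `reset_uniform` it returns nothing. Closing the reset path is not the whole job: login error messages, the “address already taken” check at registration and measurable timing differences are the same oracle in other clothing, and each needs the same uniform treatment.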
While I’d love to believe people know better than to use a password like “1234,” HP said that a whopping 80% of IoT devices with their accompanying mobile components and cloud services suffer from insufficient authorization. Most fail to require sufficient password length and complexity, allowing pathetic passwords like “1234” or “123456.” Does that really strike anyone as “smart” control for their “smart” device that is in their home or business?
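For contrast, here is the kind of password policy check that HP says most of these devices and their cloud services lack. This is an added example, not code from the HP report or from any vendor; the minimum length, the distinct-character threshold and the tiny common-password list are assumptions standing in for a real breached-password list.

```python
"""Password policy check of the kind the HP report says most devices lack.
Added example, not code from the report or any vendor; thresholds and the
blocklist are assumptions."""
import string

MIN_LENGTH = 12      # assumption: length-first policy
MIN_DISTINCT = 5     # assumption: rejects "Aaaaaaaaaaaa"-style padding
# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"1234", "123456", "12345678", "password", "qwerty",
                    "admin", "letmein", "welcome"}


def is_trivial_pattern(pw: str) -> bool:
    """True for one repeated character or a single ascending/descending
    run such as abcdefghijkl or 1234567890 (digit runs wrap 9 -> 0)."""
    diffs = [ord(b) - ord(a) for a, b in zip(pw, pw[1:])]
    if pw.isdigit():
        diffs = [d % 10 for d in diffs]
        return set(diffs) <= {1} or set(diffs) <= {9}
    return set(diffs) <= {0} or set(diffs) <= {1} or set(diffs) <= {-1}


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if is_trivial_pattern(pw):
        problems.append("repeated character or simple sequence")
    if len(set(pw)) < MIN_DISTINCT:
        problems.append(f"fewer than {MIN_DISTINCT} distinct characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation or c.isspace() for c in pw))
    if sum(classes) < 2:
        problems.append("uses only one character class")
    return problems
```

“1234” and “123456” fail on every rule; a long passphrase such as “correct horse battery staple” passes. In production the blocklist would be a full breached-password corpus rather than eight entries, and the check belongs on the cloud and mobile components as well as on the device, since the report notes all three share the weakness.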
60% of the devices did not use encryption when downloading software or firmware updates. “In fact some downloads were intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.”
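Encrypting the download channel stops the interception the researchers describe, but it does not by itself stop a modified image from being installed; that takes an integrity check the device performs before flashing. The following is an added example, not code from the HP report or from any vendor, of a device-side verifier that checks a manifest tag, the image digest and an anti-rollback version. The manifest format, the constructed firmware bytes and the use of an HMAC under a per-device key are assumptions; a production design should verify an asymmetric signature (for example Ed25519) with a vendor public key baked into ROM, so that no key capable of signing updates ever lives on the device.

```python
"""Firmware-update verification. Added example, not code from the HP
report or any vendor. Manifest format, device key and the HMAC-based tag
are assumptions; use an asymmetric signature in a real product."""
import hashlib
import hmac
import json

# Assumption: per-device key provisioned at manufacture, standing in for
# the vendor public key a production design would use.
DEVICE_KEY = b"constructed-device-key-0123456789"


def sign_manifest(image: bytes, version: int, key: bytes = DEVICE_KEY) -> bytes:
    """Vendor side: bind the image digest to a version, then tag the manifest."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "tag": tag}, sort_keys=True).encode()


def verify_update(image: bytes, signed_manifest: bytes, installed_version: int,
                  key: bytes = DEVICE_KEY) -> tuple[bool, str]:
    """Device side: refuse to flash unless tag, digest and version all check out."""
    try:
        envelope = json.loads(signed_manifest)
        manifest, tag = envelope["manifest"], envelope["tag"]
        body = json.dumps(manifest, sort_keys=True).encode()
    except (ValueError, KeyError, TypeError):
        return False, "malformed manifest"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(tag)):
        return False, "manifest tag mismatch"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image digest mismatch"
    if manifest["version"] <= installed_version:
        return False, "rollback to version %d refused" % manifest["version"]
    return True, "ok"


# Constructed sample: a fake firmware image and the tampered copy an
# on-path attacker could substitute on a plain-HTTP download.
GOOD_IMAGE = b"\x7fELF" + b"firmware v2 payload " * 8
TAMPERED_IMAGE = GOOD_IMAGE.replace(b"payload", b"backdoor", 1)
MANIFEST_V2 = sign_manifest(GOOD_IMAGE, version=2)
```

The tampered image is rejected on the digest check, an attacker-signed manifest is rejected on the tag check, and a genuine but older image is rejected by the version check, which matters because an attacker who can only replay a vendor-signed v1 image would otherwise reintroduce every bug v2 fixed.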
The good news is that it’s not rocket science for manufacturers to put security fixes in place to remove “low-hanging fruit” vulnerabilities. Vendors who do not want to leave users susceptible to attack should conduct security reviews of their devices, apps and cloud services. Testing should include “automated scanning of your web interface, manual review of your network traffic, reviewing the need of physical ports such as USB, reviewing authentication and authorization and reviewing the interactions of the devices with their cloud and mobile application counterparts.”
Vendors, unless you plan to give your IoT devices away for free, understand that your customers are not paying for those devices so that you can blow off protecting their privacy and leave them susceptible to being hacked.