Internet of Things Full of Holes

The Internet of Things is big and heading towards huge. The Internet of Things (IoT) is a system where unique identifiers are assigned to objects, animals, or people. These “Things” then transfer data over a network without requiring human-to-human or human-to-computer interaction. Whatis.com says IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS), and the Internet.

Business Insider believes that the IoT will be the biggest thing since sliced bread. They claim there are 1.9 billion IoT devices today, and 9 billion by 2018, which is roughly equal to the number of smartphones, smart TVs, tablets, wearable computers, and PCs combined. Gartner (IT) predicts that there will be 26 billion IoT devices by 2020. Based on a recent article in InfoSecurity Magazine, that is a very scary thing.

The InfoSecurity article says HP (HPQ) found 70% of the most common IoT devices have security vulnerabilities. HP used its Fortify On Demand testing service to uncover security flaws. HP detected flaws in IoT devices like TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers, as well as their cloud and mobile app elements, according to the new study.

HP then tested them with manual and automated tools and assessed their security rating according to the vendor-neutral OWASP Internet of Things Top 10 list of vulnerability areas. The author concludes that the results raised significant concerns about user privacy and the potential for attackers to exploit the devices and their cloud and app elements. Some of the results are:

  • A total of 250 security concerns were uncovered across all tested devices, which boils down to 25 on average per device,
  • 90% of devices collected at least one piece of personal information via the device, the cloud, or its mobile application,
  • 80% of devices studied allowed weak passwords like 1234, opening the door for WiFi-sniffing hackers,
  • 80% raised privacy concerns about the sheer amount of personal data being collected,
  • 70% of the devices analyzed failed to use encryption for communicating with the Internet and local network,
  • 60% had cross-site scripting or other flaws in their web interface vulnerable to a range of issues such as the Heartbleed SSL vulnerability, persistent XSS (cross-site scripting), poor session management and weak default credentials,
  • 60% didn’t use encryption when downloading software updates.

Mike Armistead, VP & General Manager, HP Fortify, explained that IoT opens avenues for attackers.

While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface … With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.

HP urged device manufacturers to eliminate the “lower hanging fruit” of common vulnerabilities. They recommend manufacturers, “Implement security … so that security is automatically baked in to your product … Updates to your product’s software are extremely important.”

Antti Tikkanen, director of security response at F-Secure, told InfoSecurity the problems HP uncovered in this report were just the tip of the iceberg for IoT security risks.

One problem that I see is that while people may be used to taking care of the security of their computers, they are used to having their toaster ‘just work’ and would not think of making sure the software is up-to-date and the firewall is configured correctly … At the same time, the criminals will definitely find ways to monetize the vulnerabilities. Your television may be mining for Bitcoins sooner than you think, and ransomware in your home automation system sounds surprisingly efficient for the bad guys.

rb-

I covered the threats that IoT or “smart” devices presented back in 2012. I don’t know where HP (or the rest of the security community) has been.

The current generation of “smart” devices does not seem to have any security. Most likely the manufacturer did not consider basic security or, worse, calculated that it was better to ignore secure design in their rush to gain market share.

It is also annoying that HP did not reveal the details on the products they tested.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.