{"id":71310,"date":"2014-09-25T19:50:26","date_gmt":"2014-09-25T23:50:26","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2022-09-13T16:15:21","modified_gmt":"2022-09-13T20:15:21","slug":"internet-of-things-full-of-holes","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/internet-of-things-full-of-holes\/","title":{"rendered":"Internet of Things Full of Holes"},"content":{"rendered":"<p><a href=\"https:\/\/web.archive.org\/web\/20140815114324\/http:\/\/m.enterprisecioforum.com:80\/en\/blogs\/jkhawaja\/internet-thingys\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-104512\" title=\"Internet of Things Full of Holes\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Internet-of-things1-4.jpg?resize=113%2C110&#038;ssl=1\" alt=\"Internet of Things Full of Holes\" width=\"113\" height=\"110\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Internet-of-things1-4.jpg?w=150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Internet-of-things1-4.jpg?resize=75%2C73&amp;ssl=1 75w\" sizes=\"auto, (max-width: 113px) 100vw, 113px\" \/><\/a><strong>The Internet of Things<\/strong> is big and heading towards <strong>huge<\/strong>. The Internet of Things (<a title=\"Internet of Things\" href=\"http:\/\/en.wikipedia.org\/wiki\/Internet_of_Things\" target=\"_blank\" rel=\"noopener wikipedia noreferrer\">IoT<\/a>) is a system where\u00a0<a title=\"unique identifiers\" href=\"http:\/\/whatis.techtarget.com\/definition\/unique-identifier-UID\" target=\"_blank\" rel=\"noopener noreferrer\">unique identifiers<\/a> are assigned to objects, animals, or people. These &#8220;Things&#8221; then transfer data over a network without requiring human-to-human or human-to-computer interaction. 
<em><a title=\"Whatis.com\" href=\"http:\/\/whatis.techtarget.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Whatis.com<\/a><\/em> <a title=\"Internet of Things (IoT)\" href=\"http:\/\/whatis.techtarget.com\/definition\/Internet-of-Things\" target=\"_blank\" rel=\"noopener noreferrer\">says<\/a> IoT evolved from the convergence of <a title=\"wireless\" href=\"http:\/\/searchmobilecomputing.techtarget.com\/definition\/wireless\" target=\"_blank\" rel=\"noopener noreferrer\">wireless<\/a> technologies, micro-electromechanical systems (<a title=\"micro-electromechanical systems\" href=\"https:\/\/web.archive.org\/web\/20130830071008\/http:\/\/searchcio-midmarket.techtarget.com:80\/definition\/micro-electromechanical-systems\" target=\"_blank\" rel=\"noopener noreferrer\">MEMS<\/a>), and the Internet.<\/p>\n<p><a title=\"Business Insider\" href=\"http:\/\/www.businessinsider.com\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>Business Insider<\/em><\/a> <a title=\"The 'Internet Of Things' Will Be Bigger Than The Smartphone, Tablet, And PC Markets Combined\" href=\"http:\/\/www.businessinsider.com\/growth-in-the-internet-of-things-market-2-2014-2\" target=\"_blank\" rel=\"noopener noreferrer\">believes<\/a> that the IoT will be the biggest thing since sliced bread. 
They claim there are <strong>1.9 billion IoT devices today, and 9 billion by 2018<\/strong>, which is roughly equal to the number of smartphones, <a title=\"Smart TV\" href=\"http:\/\/en.wikipedia.org\/wiki\/Smart_TV\" target=\"_blank\" rel=\"noopener wikipedia noreferrer\">smart TVs<\/a>, tablets, wearable computers, and PCs <em>combined.\u00a0<\/em><a title=\"Gartner\" href=\"https:\/\/www.gartner.com\/technology\/home.jsp\" target=\"_blank\" rel=\"noopener noreferrer\">Gartner<\/a> (<a title=\"NYSE : IT\" href=\"https:\/\/www.nyse.com\/quote\/XNYS:IT\" target=\"_blank\" rel=\"noopener noreferrer\">IT<\/a>) <a title=\"Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units By 2020\" href=\"https:\/\/www.gartner.com\/newsroom\/id\/2636073\" target=\"_blank\" rel=\"noopener noreferrer\">predicts<\/a> that there will be <strong>26 billion IoT devices by 2020<\/strong>. Based on a recent\u00a0<a title=\"Internet of Things Laid Bare: 25 Security Flaws Per Device\" href=\"http:\/\/www.infosecurity-magazine.com\/news\/internet-of-things-laid-bare-25-security-flaws\/\" target=\"_blank\" rel=\"noopener noreferrer\">article<\/a> in <em><a title=\"InfoSecurity Magazine\" href=\"http:\/\/www.infosecurity-magazine.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">InfoSecurity Magazine<\/a><\/em>, that is a very scary thing.<\/p>\n<p><a href=\"http:\/\/www.businessinsider.com\/growth-in-the-internet-of-things-2013-10\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-104514\" title=\"BI Global IOT Installed Device projections\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/BI_IOT_deviceforecast.jpg?resize=400%2C300&#038;ssl=1\" alt=\"BI Global IOT Installed Device projections\" width=\"400\" height=\"300\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/BI_IOT_deviceforecast.jpg?resize=150%2C113&amp;ssl=1 150w, 
https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/BI_IOT_deviceforecast.jpg?resize=75%2C56&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/BI_IOT_deviceforecast.jpg?w=400&amp;ssl=1 400w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/a>The <em>InfoSecurity<\/em> article says\u00a0<a title=\"HP\" href=\"http:\/\/www.hp.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">HP<\/a> (<a title=\"NYSE : HPQ\" href=\"https:\/\/www.nyse.com\/quote\/XNYS:HPQ\" target=\"_blank\" rel=\"noopener noreferrer\">HPQ<\/a>) found 70% of the <strong>most common IoT devices have security vulnerabilities<\/strong>. HP used its <a title=\"Fortify On Demand testing service\" href=\"https:\/\/web.archive.org\/web\/20180531073408\/http:\/\/www8.hp.com\/us\/en\/software-solutions\/application-security-testing\/index.html\" target=\"_blank\" rel=\"noopener noreferrer\">Fortify On Demand<\/a> testing service to uncover security flaws. HP detected flaws in IoT devices like TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers as well as their cloud and mobile app elements according to the new <a title=\"HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack\" href=\"https:\/\/web.archive.org\/web\/20150925183150\/http:\/\/h30499.www3.hp.com\/t5\/Fortify-Application-Security\/HP-Study-Reveals-70-Percent-of-Internet-of-Things-Devices\/ba-p\/6556284\" target=\"_blank\" rel=\"noopener noreferrer\">study<\/a>.<\/p>\n<p><a href=\"https:\/\/web.archive.org\/web\/20211018082524\/https:\/\/www.wasatch.edu\/Page\/7798\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-104516\" title=\"HP tested IoT devices\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mad-scientist-e1568504758742-122x150.png?resize=100%2C123&#038;ssl=1\" alt=\"HP 
tested IoT devices\" width=\"100\" height=\"123\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mad-scientist-e1568504758742.png?resize=122%2C150&amp;ssl=1 122w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mad-scientist-e1568504758742.png?resize=61%2C75&amp;ssl=1 61w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/mad-scientist-e1568504758742.png?w=284&amp;ssl=1 284w\" sizes=\"auto, (max-width: 100px) 100vw, 100px\" \/><\/a>HP then tested them with manual and automated tools and assessed their security rating according to the vendor neutral <a title=\"OWASP Internet of Things Top 10 list of vulnerability areas\" href=\"https:\/\/web.archive.org\/web\/20190807234010\/https:\/\/www.owasp.org\/index.php\/OWASP_Internet_of_Things_Top_Ten_Project\" target=\"_blank\" rel=\"noopener noreferrer\">OWASP Internet of Things Top 10 list of vulnerability areas<\/a>. The author concludes that the results raised significant concerns about user privacy and the potential for attackers to <strong>exploit the devices and their cloud and app<\/strong> elements. 
Some of the results are:<\/p>\n<ul>\n<li>A total of 250 security concerns were uncovered across all tested devices, which boils down to <strong>25 on average per device<\/strong>,<\/li>\n<li>90% of devices collected at least one piece of <strong>personal information<\/strong> via the device, the cloud, or its mobile application,<\/li>\n<li>80% of devices studied allowed <strong>weak passwords<\/strong> like 1234 opening the door for WiFi-sniffing hackers,<\/li>\n<li>80% raised privacy concerns about the sheer amount of personal data being collected,<\/li>\n<li>70% of the devices analyzed failed to use encryption for communicating with the Internet and local network,<\/li>\n<li>60% had <strong>cross-site scripting<\/strong> or other flaws in their web interface vulnerable to a range of issues such as the <a title=\"Heartbleed SSL vulnerability\" href=\"http:\/\/blog.lumension.com\/8461\/heartbleed-and-crls\/\" target=\"_blank\" rel=\"noopener noreferrer\">Heartbleed SSL vulnerability<\/a>, persistent <a title=\"Cross-site scripting\" href=\"http:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting\" target=\"_blank\" rel=\"noopener wikipedia noreferrer\">XSS<\/a> (cross-site scripting), poor session management and weak default credentials,<\/li>\n<li>60% didn\u2019t use encryption when downloading software updates.<\/li>\n<\/ul>\n<p><a title=\"Mike Armistead\" href=\"http:\/\/www.linkedin.com\/pub\/mike-armistead\/5\/471\/116\" target=\"_blank\" rel=\"noopener noreferrer\">Mike Armistead<\/a>, VP &amp; General Manager, HP Fortify, explained that IoT <strong>opens avenues for attackers<\/strong>.<\/p>\n<p style=\"padding-left: 30px; text-align: justify;\"><em><a href=\"https:\/\/www.itbusiness.ca\/news\/it-world-canada-fights-for-survival\/127460\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-104524 size-medium\" title=\"IoT opens avenues for the attackers.\" 
src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/cyber-crime.jpg?resize=150%2C100&#038;ssl=1\" alt=\"IoT opens avenues for the attackers.\" width=\"150\" height=\"100\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/cyber-crime.jpg?resize=150%2C100&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/cyber-crime.jpg?resize=75%2C50&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/cyber-crime.jpg?w=598&amp;ssl=1 598w\" sizes=\"auto, (max-width: 150px) 100vw, 150px\" \/><\/a>While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface &#8230; With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.<\/em><\/p>\n<p>HP urged device manufacturers to eliminate the \u201clower hanging fruit\u201d of common vulnerabilities. 
They recommend manufacturers, &#8220;<em>Implement security &#8230; so that security is automatically baked in to your product &#8230; Updates to your product\u2019s software are extremely important.&#8221;<\/em><\/p>\n<p><a title=\"Antti Tikkanen\" href=\"https:\/\/www.linkedin.com\/in\/tikkanen\" target=\"_blank\" rel=\"noopener noreferrer\">Antti Tikkanen<\/a>, director of security response at <a title=\"F-Secure\" href=\"http:\/\/www.f-secure.com\/en_US\/web\/home_us\/home\" target=\"_blank\" rel=\"noopener noreferrer\">F-Secure<\/a>, told <em>InfoSecurity<\/em> that the problems HP uncovered in this report were <strong>just the tip of the iceberg<\/strong> for IoT security risks.<\/p>\n<p style=\"text-align: justify; padding-left: 30px;\"><em>One problem that I see is that while people may be used to taking care of the security of their computers, they are used to having their toaster \u2018just work\u2019 and would not think of making sure the software is up-to-date and the firewall is configured correctly &#8230; At the same time, the criminals will definitely find ways to monetize the vulnerabilities. Your television may be <\/em><em><a title=\"Mining for Bitcoins\" href=\"http:\/\/whatis.techtarget.com\/definition\/Bitcoin-mining\" target=\"_blank\" rel=\"noopener noreferrer\">mining for Bitcoins<\/a> sooner than you think, and <a title=\"Ransomware\" href=\"https:\/\/web.archive.org\/web\/20170706083212\/https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/ransomware.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">ransomware<\/a> in your home automation system sounds surprisingly efficient for the bad guys.<\/em><\/p>\n<p><strong><em>rb-<\/em><\/strong><\/p>\n<p style=\"text-align: left;\"><em>I <a title=\"Smart TV Dumb Security\" href=\"http:\/\/wp.me\/p2wgaW-5NB\" target=\"_blank\" rel=\"noopener noreferrer\">covered<\/a> the threats that IoT or &#8220;smart&#8221; devices presented back in 2012. 
I don&#8217;t know where HP (or the rest of the security community) has been. <\/em><\/p>\n<p style=\"text-align: left;\"><em>The current generation of &#8220;smart&#8221; devices does not seem to have any security. Most likely the manufacturer did not consider basic security or, worse, calculated it was better to ignore secure design in their rush to gain market share. <\/em><\/p>\n<p style=\"text-align: left;\"><em>It is also annoying that HP did not reveal the details on the products they tested.<\/em><\/p>\n<h6>Related articles<\/h6>\n<ul>\n<li><a href=\"https:\/\/web.archive.org\/web\/20190902014542\/http:\/\/inventorspot.com\/articles\/internet-everything-hackable\" target=\"_blank\" rel=\"noopener noreferrer\">Internet of Everything Is Hackable<\/a> (inventorspot.com)<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p style=\"text-align: left;\"><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on <a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>HP found average of 25 security threats on Internet of Things things divulging PII weak passwords no encryption cross-site scripts Heartbleed SSL vulnerability<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[2292,857,5,173,2636,2115,824,85,2160,168,904,832,944,23,431,1913,209,1507,4,579,25],"class_list":["post-71310","post","type-post","status-publish","format-standard","hentry","category-security","tag-2292","tag-bitcoin","tag-business-continuity","tag-cloud-computing","tag-css","tag-disaster-recovery","tag-encryption","tag-gartner","tag-heartbleed","tag-hp","tag-hpq","tag-internet-of-things","tag-iot","tag-malware","tag-mobile","tag-network","tag-password","tag-ransomware","tag-security","tag-wi-fi-2","tag-wireless"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/71310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=71310"}],"version-history":[{"count":18,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/71310\/revisions"}],"predecessor-version":[{"id":131789,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/71310\/revisions\/131789"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=71310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.ne
t\/index.php\/wp-json\/wp\/v2\/categories?post=71310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=71310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}