From refrigerators to sprinkler systems, everything seems to be interconnected these days. And while we may be excited about what the internet of things has in store for us, so are hackers, according to HP.
A couple of security concerns for your mobile can quickly multiply when considering the amount of IoT devices and appliances in an interconnected businesses or home. As Mike Armistead, VP and general manager of HP’s Fortify unit, puts it: “For a hacker, that’s a pretty big new target to attack.”
HP said in a statement: “Late last year, we were hearing a lot about internet of things, and a bit about IoT security, but had not seen anything that focused on the complete picture of IoT security, i.e. all the various surface areas that represent the IoT ecosystem. So, we decided to start the OWASP ‘Internet of Things Top Ten Project‘, which aims to educate on the main facets of Internet of Things Security that people should be concerned with.
“Then earlier this year, we decided to use that project as a baseline for testing the top ten IoT devices being used today.” The company’s Fortify security unit “bought them, shipped them to Craig Smith’s home lab, and beat up on them for around three weeks.”
Most shockingly, an average number of 25 vulnerabilities per device were found, and 80 per cent of devices raised privacy concerns. More specifically, devices failed to require passwords of sufficient complexity and length, with the majority of cloud and mobile devices allowing passwords such as “1234” or “123456”.
It seems that once one device is compromised, “overlapping vulnerabilities can lead an attack from one to the other.” After all, the famous Target breach was carried out through the store’s heating and ventilation system.
Six out of ten devices had weak security on their web interfaces and were vulnerable to “cross-site scripting, poor session management and weak default credentials.” They were also able to determine “valid user accounts using mechanisms such as the password reset features. These issues are of particular concern for devices that offer access to devices and data via a cloud website.”
However, what HP saw as particularly “alarming” was “given that software is what makes these devices function, it was rather alarming that 60 per cent of devices displayed issues including no encryption during downloading of the update along with the update files themselves not being protected in some manner. In fact some downloads were intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.”
Furthermore, nine of the ten devices collected at least some kind of personal information: An email address, a home address, a name or date of birth.
It’s thus no surprise that 70 per cent of them were deemed vulnerable to being hacked.
Share this story
