Seventy percent of the most commonly used Internet of Things (IoT) devices contain vulnerabilities—including weak password security, insufficient encryption and a general lack of granular user access permissions—according to a recent study conducted by HP.
With the rise of IoT, the number and diversity of connected devices is expected to increase exponentially. According to Gartner, "The Internet of Things will include 26 billion units installed by 2020."
This spike in demand from consumers is pushing manufacturers to quickly bring to market connected devices, cloud access capabilities and mobile apps, and that is opening the door to security threats. From software vulnerabilities to denial-of-service (DoS) attacks to weak passwords and cross-site scripting vulnerabilities, the risk is bound to affect the enterprise too.
Considering that every machine cannot be locked down (from industrial to enterprise to home), and in light of the fact that many of the machines in the IoT are consumer grade without security in mind, is there really an absolute solution? Where do you start? Where does it end?
Daniel Miessler, practice principal of HP Fortify, said via email, "The number of connected devices is just going to grow with time, and we can either choose to address security after an attack has occurred or we can be proactive. The only way to get ahead of the adversary is to start implementing a security strategy in the very beginning, and that means to integrate security processes into the development stage of IoT devices."
HP leveraged HP Fortify on Demand to scan 10 of the most popular IoT devices, uncovering, on average, 25 vulnerabilities per device—totaling 250 security concerns across all tested products. The IoT devices tested—along with their cloud and mobile app components—were from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.
Many organizations have not even gotten traditional mobile device security where it needs to be and the IoT is adding much more complexity, with much less control.
"A couple of security concerns on a single device such as a mobile phone can quickly turn into a much greater ordeal when considering multiple IoT devices in an interconnected home or business," said Miessler. "Until security is considered a top priority during the development process of IoT devices, we will continue to have unsettling results as was shown in this study."
What was so unsettling?
A Breach Buffet
Privacy concerns: Eight of the 10 devices tested, along with their corresponding cloud and mobile app components, raised privacy concerns regarding the collection of consumer data such as name, email address, home address, date of birth, credit card credentials and health information.
Moreover, 90% of tested devices collected at least one piece of personal information via the product itself, the cloud or its mobile app.
Insufficient authorization: 80% of IoT devices tested, including their cloud and mobile components, failed to require passwords of sufficient complexity and length, with most devices allowing passwords such as "1234." Many of the test accounts HP configured with weak passwords were also used on the products' websites and mobile apps.
Lack of transport encryption: 70% of IoT devices analyzed did not encrypt communications to the internet and local network, while half of the devices' mobile apps performed unencrypted communications to the cloud, internet or local network.
Transport encryption is crucial given that many of the tested devices collected and transmitted sensitive data across channels.
Insecure web interface: Six of the 10 devices evaluated raised security concerns with their user interfaces such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text. Seventy percent of devices with cloud and mobile components would enable a potential attacker to determine valid user accounts through account enumeration or the password reset feature.
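The two account-handling weaknesses above (trivial passwords being accepted, and password-reset or login responses that reveal whether an account exists) are both fixed on the server side of the product's cloud or web interface. The following Go program is an added example, not code from HP or from any of the tested products: it enforces a minimum password length plus a blocklist, and answers every reset request with one identical message so that the response cannot be used to enumerate accounts. The account store, the blocklist and the email address are constructed for the example; the function names are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed account store standing in for the product's cloud user database.
var accounts = map[string]bool{"alice@example.com": true}

// Constructed blocklist of trivial passwords; a real deployment would load a
// much larger list of known-breached passwords.
var blockedPasswords = map[string]bool{
	"1234": true, "12345678": true, "password": true, "admin": true,
}

// ValidatePassword enforces a minimum length and rejects blocklisted values.
func ValidatePassword(pw string) error {
	if len(pw) < 12 {
		return errors.New("password must be at least 12 characters")
	}
	if blockedPasswords[strings.ToLower(pw)] {
		return errors.New("password is on the blocklist")
	}
	return nil
}

// resetTokens maps sha256(token) -> email; only the hash is stored, so a
// leaked table cannot be replayed against the reset endpoint.
var resetTokens = map[string]string{}

// hashToken returns the hex SHA-256 of a token.
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// issueResetToken creates a random, single-use token for an existing account.
func issueResetToken(email string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	resetTokens[hashToken(token)] = email
	return token, nil
}

// ResetMessage is the single response returned for every reset request.
const ResetMessage = "If an account exists for that address, a reset link has been sent."

// RequestReset returns an identical response whether or not the account exists.
// The only difference between the two cases is the out-of-band email, which the
// requester cannot observe from the HTTP response.
func RequestReset(email string) string {
	if accounts[email] {
		if token, err := issueResetToken(email); err == nil {
			_ = token // delivered by email in a real system; never echoed in the response
		}
	}
	return ResetMessage
}

// RedeemResetToken consumes a token exactly once and returns its account.
func RedeemResetToken(token string) (string, bool) {
	h := hashToken(token)
	email, ok := resetTokens[h]
	if ok {
		delete(resetTokens, h)
	}
	return email, ok
}

func main() {
	fmt.Println(ValidatePassword("1234"))
	fmt.Println(RequestReset("alice@example.com"))
	fmt.Println(RequestReset("nobody@example.com"))
}
```

The same uniform-response rule applies to login and registration errors ("invalid email or password" rather than "no such user"). Note that token generation only runs for real accounts, which leaves a small timing difference; a production service would do that work on a background queue or rate-limit the endpoint so the timing is not usable.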
Inadequate software protection: 60% of devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices.
Some downloads could even be intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.
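The defence against intercepted or modified update images is for the device to verify a vendor signature over the image before installing it, regardless of whether the download channel was encrypted. The Go program below is an added example and is not code from HP or from any tested product: the build server signs a manifest (version number plus SHA-256 of the image) with an Ed25519 key, and the device checks the signature against its embedded public key, checks the image digest, and refuses versions no newer than the one installed so that an old, vulnerable image cannot be pushed back. The manifest layout, the key names and the firmware bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the constructed metadata shipped next to a firmware image.
// The version is covered by the signature so it cannot be rewritten separately.
type Manifest struct {
	Version   uint32
	Digest    [32]byte // SHA-256 of the image bytes
	Signature []byte   // Ed25519 over Version || Digest
}

// signedBytes serialises the fields the vendor signs: 4-byte big-endian
// version followed by the 32-byte digest.
func signedBytes(version uint32, digest [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], digest[:])
	return buf
}

// NewVendorKey generates the vendor signing key pair. The private key stays on
// the build server; the public key is baked into device firmware.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage is the build-server step: hash the image and sign version||digest.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	d := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		Digest:    d,
		Signature: ed25519.Sign(priv, signedBytes(version, d)),
	}
}

// VerifyImage is the device-side step. Every check must pass before the image
// is written to flash; the order puts the cheap checks first.
func VerifyImage(pub ed25519.PublicKey, m Manifest, image []byte, installed uint32) error {
	if m.Version <= installed {
		return errors.New("rollback rejected: version is not newer than installed firmware")
	}
	if !ed25519.Verify(pub, signedBytes(m.Version, m.Digest), m.Signature) {
		return errors.New("manifest signature does not verify against vendor key")
	}
	if sha256.Sum256(image) != m.Digest {
		return errors.New("image digest does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // stands in for a real binary
	m := SignImage(priv, 2, image)
	fmt.Println("genuine image:", VerifyImage(pub, m, image, 1))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // a single flipped byte, as an interceptor might introduce
	fmt.Println("tampered image:", VerifyImage(pub, m, tampered, 1))
}
```

Encrypting the download (TLS) hides the image from an observer on the path, but only the signature check stops a modified image from being installed, so the two controls are complementary rather than interchangeable.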
How do companies begin to evaluate their vulnerabilities with the IoT in mind?
Companies can test their devices on a continuous basis to ensure they catch vulnerabilities as early as possible. According to Miessler, security testing solutions can enable organizations to quickly analyze their apps and allow them enough time to react appropriately to any concerns before the issue gets out of hand.