Sophos Cloud Optix
Forget muggers and falling pianos!
The real enemies are those malevolent internet-enabled gadgets, curse them.
According to a new report (PDF) from HP Security Research, those smart TVs, those overly intelligent thermostats, and those entirely too spam-spewing refrigerators (email-not-lunch-meat) are all pockmarked with security and privacy holes and probably plotting against us right now.
HP found that 7 out of the 10 internet-enabled devices they tested are vulnerable to some form of attack.
HP Security Research examined some of the most popular internet-connected devices: TVs, webcams, thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.
They unearthed a total of 250 vulnerabilities, for an average of 25 invitations to mayhem per gadget.
Some of the worst of the security holes:
- Privacy concerns
- Insufficient authorization
- Lack of transport encryption
- Insecure web interface
- Inadequate software protection
Most of the smart devices – the type of gadgets known collectively as the Internet of Things (IoT) – included some form of cloud service. They all included mobile apps that can be used to control or access the device remotely.
Unfortunately, 80% of the devices and their cloud and/or mobile app components allowed lame passwords.
Aha, “1234”, we meet again!
Sins in the IoT go beyond weak passwords to include insecure password recovery mechanisms, poorly protected credentials, and feeble passwords allowed not only on the device but also on the mobile apps and with the data stored in the cloud on somebody else’s computer.
That’s pretty basic stuff, IoT, and thus HP Security Research regrets to inform you and your vendor parents that you’ve flunked kindergarten:
A strong password policy is Security 101 and most solutions failed.
A majority of the devices also fell asleep at their desks when it comes to encryption, failing to encrypt network services transmitting data via the internet and the local network.
The fact that the data is getting passed between, say, the internet-enabled lawn sprinkler and the cloud and mobile application controlling/accessing it compounds the importance of this missed step, the researchers pointed out.
Six of the 10 devices had web interface problems that included persistent cross-site scripting, also known as XSS, poor session management and/or weak default credentials.
A majority of devices, along with their cloud and mobile counterparts, let an attacker identify valid user accounts by fiddling with mechanisms such as their password reset features – particularly worrisome when you’re talking about devices and data that users access via the cloud.
The researchers were also rather alarmed to find that 60% of the devices they examined had issues including unencrypted downloads of software/firmware updates.
In fact, the researchers themselves intercepted some of the downloads, extracted them and mounted them as a file system in Linux – a convenient lab table for vivisection and modification into a potentially nasty new form.
If this sounds OWASPish, it should.
The study is an outgrowth of the OWASP Internet of Things Top 10 Project, which HP started after hearing about all the things that could go wrong with all the IoT stuff vendors are cranking out: cars, lighting systems, refrigerators, telephones, SCADA systems, traffic control systems, home security systems, TVs, and DVRs, among a growing list.
Just like other OWASP (Open Web Application Security Project) projects, IoT security is multifaceted, says HP’s Miessler:
You need to look at all the surface areas discussed in the report and in the OWASP Internet of Things Top 10 Project in order to have a complete view of your risk.
One big problem with IoT security is that all the bugs that bedevil the plain old internet are being sucked up into this new “thing” universe, he said.
From a statement released with the report:
The current state of Internet of Things security seems to take all the vulnerabilities from existing spaces, e.g. network security, application security, mobile security, and Internet-connected devices, and combine them into a new (even more insecure) space, which is troubling.
Troubling indeed.
The report gives advice to vendors on how to clean up the IoT, including conducting a security review of the device and all associated components that encompasses automated scanning of web interfaces, manual review of network traffic, reviewing the need of physical ports such as USB, reviewing authentication and authorization, and reviewing the interactions of the devices with the cloud and mobile apps.
Advice, in short, that has nothing to do with the newness or uniqueness of the Internet of Things and everything to do with plain old computer security best practice.
The OWASP Internet of Things Top 10 site is there for you, vendors, to help you ferret out the issues during such a security review, before somebody else steps in and does it for you.
As it is, many of the vulnerabilities identified in the research are low-hanging fruit and should be easy to remedy, the researchers said. They might have added “…but should not have been on the tree in the first place” too.
It you’re using IoT devices then make sure that you keep up to date with the latest patches so you can benefit from any fruit picking at the earliest opportunity.
HP only tested ten devices but if their results are reflective of the large ecosystem of IoT devices then we should be concerned. It has taken a long time and a lot of high profile data breaches for the web to get serious about security. Please, let’s not go through it all again with our toasters, fridges, thermostats, lampshades, cameras, cars…
Composite image of duck, crosshairs and Wi-Fi courtesy of Shutterstock.
I’ve been talking about TOI for decades. I’ve also seen TV’s hacked, cameras remoted, wifi pcmcia cards with spying software on them and NAS boxes that are great little BOTs. It is getting worse as manufacturers rush to be first to market and with low cost, low spec. being the order of the day, security isn’t even on the agenda.
Yep.. It’s quite sad, but definitely not unexpected due to the way things function in the business world today. Security always seems to be low priority over everything else. :/
Maybe if the average consumer got educated it would be different, but I’d wager that only the minority these days care about security.
A friend who lives in an upscale gated community gave me the code to get in the gate: yep, you guessed it, “1234”.
I always said that IoT and ‘the cloud’ were inherently unsafe and insecure. Glad I am proven correct.
My S.O. has been saying this for even longer than me and he worked for a software house and saw the risks several yeas ago when ‘the cloud’ was fiorst being talked about – and it has not improved.
So thanks to HP and their researchers we feel vindicated. Plus we will not be obtaining any device that is web-enabled apart from our carefully protected PCs. (We don’t need a ‘smart’ anything in the house so we are very happy to go without and be safe.)
Anyone who thinks Cloud or IOT is a good thing needs to get out of IT, or start wearing brown shirts.
Aren’t they already wearing red shirts? (As in Star Trek: original series)
The really worrying thing about this is that there are software people out there who work for the manufacturers of these IoT devices that don’t seem to know anything about device or system security and how vital it is to anything that might be connected to an internet service!
I’m glad I don’t use any ‘cloud’ service and do not have any ‘intelligent’ IoT devices that are clearly dumb according to the HP research. Even if I have to buy a product that ‘intelligent’ capabilities, it will not be seeing any RJ45s or WiFi so will npot be connecting to any IoT.
In addition to the IoTs mentioned here, what about application vendors who are moving to a “cloud-only” business model? I’m thinking specifically about Adobe moving Creative Suite to be cloud-only. After their massive break-in a while back, there’s no way I would buy into that.
But, obviously some people ARE buying it. What have they done to secure it? And, apply the same question to any other software app that is cloud-enabled or cloud-only.