HP finds that “Internet of Things” gadgets are sitting ducks

70% of internet gadgets are sitting ducks for attackers

Forget muggers and falling pianos!

The real enemies are those malevolent internet-enabled gadgets, curse them.

According to a new report (PDF) from HP Security Research, those smart TVs, those overly intelligent thermostats, and those entirely too spam-spewing refrigerators (email-not-lunch-meat) are all pockmarked with security and privacy holes and probably plotting against us right now.

HP found that 7 out of the 10 internet-enabled devices they tested are vulnerable to some form of attack.

HP Security Research examined some of the most popular internet-connected devices: TVs, webcams, thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.

They unearthed a total of 250 vulnerabilities, for an average of 25 invitations to mayhem per gadget.

Some of the worst of the security holes:

  • Privacy concerns
  • Insufficient authorization
  • Lack of transport encryption
  • Insecure web interface
  • Inadequate software protection

Most of the smart devices – the type of gadgets known collectively as the Internet of Things (IoT) – included some form of cloud service. They all included mobile apps that can be used to control or access the device remotely.

Unfortunately, 80% of the devices and their cloud and/or mobile app components allowed lame passwords.

Aha, “1234”, we meet again!

Sins in the IoT go beyond weak passwords to include insecure password recovery mechanisms, poorly protected credentials, and feeble passwords allowed not only on the device but also on the mobile apps and with the data stored in the cloud on somebody else’s computer.

That’s pretty basic stuff, IoT, and thus HP Security Research regrets to inform you and your vendor parents that you’ve flunked kindergarten:

A strong password policy is Security 101 and most solutions failed.

A majority of the devices also fell asleep at their desks when it comes to encryption, failing to encrypt network services transmitting data via the internet and the local network.

The fact that the data is getting passed between, say, the internet-enabled lawn sprinkler and the cloud and mobile application controlling/accessing it compounds the importance of this missed step, the researchers pointed out.

Six of the 10 devices had web interface problems that included persistent cross-site scripting, also known as XSS, poor session management and/or weak default credentials.

A majority of devices, along with their cloud and mobile counterparts, let an attacker identify valid user accounts by fiddling with mechanisms such as their password reset features – particularly worrisome when you’re talking about devices and data that users access via the cloud.
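As an added illustration of the account-enumeration issue described above (not code from the HP report or from any tested device), the sketch below puts a password-reset handler whose reply reveals whether an account exists beside a form that answers every request identically. The account store, mail outbox and function names are assumptions made for the example.

```python
import hashlib
import secrets

# Constructed sample account store; the addresses are placeholders.
ACCOUNTS = {"owner@example.com": {"reset_token_hash": None}}
OUTBOX = []  # stands in for the outgoing mail queue

GENERIC_REPLY = (200, "If that address is registered, a reset link has been sent.")


def reset_leaky(email):
    """Weak form: status and message depend on whether the account exists."""
    if email not in ACCOUNTS:
        return (404, "No account with that email address.")
    _issue_token(email)
    return (200, "Reset link sent.")


def reset_uniform(email):
    """Hardened form: identical status and body for every request."""
    key = email.strip().lower()
    if key in ACCOUNTS:
        _issue_token(key)
    else:
        # Do comparable work for unknown addresses so response time does
        # not differ grossly; a real service would also rate-limit here.
        hashlib.sha256(secrets.token_bytes(32)).hexdigest()
    return GENERIC_REPLY


def _issue_token(email):
    token = secrets.token_urlsafe(32)
    # Keep only a hash server-side; the raw token leaves by mail only.
    ACCOUNTS[email]["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    OUTBOX.append((email, token))


def distinguishable(handler, known, unknown):
    """True if the two replies differ, i.e. the endpoint reveals valid accounts."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (reset_leaky, reset_uniform):
        print(handler.__name__, "reveals valid accounts:",
              distinguishable(handler, "owner@example.com", "nobody@example.com"))
```

The `distinguishable` check can be reused as a regression test against a real reset endpoint during the kind of security review the report recommends.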

The researchers were also rather alarmed to find that 60% of the devices they examined had issues including unencrypted downloads of software/firmware updates.

In fact, the researchers themselves intercepted some of the downloads, extracted them and mounted them as a file system in Linux – a convenient lab table for vivisection and modification into a potentially nasty new form.

If this sounds OWASPish, it should.

The study is an outgrowth of the OWASP Internet of Things Top 10 Project, which HP started after hearing about all the things that could go wrong with all the IoT stuff vendors are cranking out: cars, lighting systems, refrigerators, telephones, SCADA systems, traffic control systems, home security systems, TVs, and DVRs, among a growing list.

Just like other OWASP (Open Web Application Security Project) projects, IoT security is multifaceted, says HP’s Miessler:

You need to look at all the surface areas discussed in the report and in the OWASP Internet of Things Top 10 Project in order to have a complete view of your risk.

One big problem with IoT security is that all the bugs that bedevil the plain old internet are being sucked up into this new “thing” universe, he said.

From a statement released with the report:

The current state of Internet of Things security seems to take all the vulnerabilities from existing spaces, e.g. network security, application security, mobile security, and Internet-connected devices, and combine them into a new (even more insecure) space, which is troubling.

Troubling indeed.

The report gives advice to vendors on how to clean up the IoT, including conducting a security review of the device and all associated components that encompasses automated scanning of web interfaces, manual review of network traffic, reviewing the need of physical ports such as USB, reviewing authentication and authorization, and reviewing the interactions of the devices with the cloud and mobile apps.

Advice, in short, that has nothing to do with the newness or uniqueness of the Internet of Things and everything to do with plain old computer security best practice.

The OWASP Internet of Things Top 10 site is there for you, vendors, to help you ferret out the issues during such a security review, before somebody else steps in and does it for you.

As it is, many of the vulnerabilities identified in the research are low-hanging fruit and should be easy to remedy, the researchers said. They might have added “…but should not have been on the tree in the first place” too.

If you’re using IoT devices then make sure that you keep up to date with the latest patches so you can benefit from any fruit picking at the earliest opportunity.

HP only tested ten devices but if their results are reflective of the large ecosystem of IoT devices then we should be concerned. It has taken a long time and a lot of high profile data breaches for the web to get serious about security. Please, let’s not go through it all again with our toasters, fridges, thermostats, lampshades, cameras, cars…

Composite image of duck, crosshairs and Wi-Fi courtesy of Shutterstock.