HP finds that "Internet of Things" gadgets are sitting ducks


Forget muggers and falling pianos!

The real enemies are those malevolent internet-enabled gadgets, curse them.

According to a new report (PDF) from HP Security Research, those smart TVs, those overly intelligent thermostats, and those entirely too spam-spewing refrigerators (email-not-lunch-meat) are all pockmarked with security and privacy holes and probably plotting against us right now.

HP found that 7 out of the 10 internet-enabled devices they tested are vulnerable to some form of attack.

HP Security Research examined some of the most popular internet-connected devices: TVs, webcams, thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.

They unearthed a total of 250 vulnerabilities, for an average of 25 invitations to mayhem per gadget.

Some of the worst of the security holes:

  • Privacy concerns
  • Insufficient authorization
  • Lack of transport encryption
  • Insecure web interface
  • Inadequate software protection

Most of the smart devices - the type of gadgets known collectively as the Internet of Things (IoT) - included some form of cloud service. They all included mobile apps that can be used to control or access the device remotely.

Unfortunately, 80% of the devices and their cloud and/or mobile app components allowed lame passwords.

Aha, "1234", we meet again!

Sins in the IoT go beyond weak passwords to include insecure password recovery mechanisms, poorly protected credentials, and feeble passwords allowed not only on the device but also on the mobile apps and with the data stored in the cloud on somebody else's computer.

That's pretty basic stuff, IoT, and thus HP Security Research regrets to inform you and your vendor parents that you've flunked kindergarten:

A strong password policy is Security 101 and most solutions failed.

A majority of the devices also fell asleep at their desks when it comes to encryption, failing to encrypt network services transmitting data via the internet and the local network.

The fact that the data is getting passed between, say, the internet-enabled lawn sprinkler and the cloud and mobile application controlling/accessing it compounds the importance of this missed step, the researchers pointed out.

Six of the 10 devices had web interface problems that included persistent cross-site scripting, also known as XSS, poor session management and/or weak default credentials.

A majority of devices, along with their cloud and mobile counterparts, let an attacker identify valid user accounts by fiddling with mechanisms such as their password reset features - particularly worrisome when you're talking about devices and data that users access via the cloud.
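The account-enumeration flaw described above, shown beside a corrected handler, as an added example that is not taken from the HP report or this article. The account store, handler names and response strings are all hypothetical, and the sample address is constructed.

```python
import secrets

# Constructed sample account store for a hypothetical device cloud service.
USERS = {"alice@example.com": {"reset_token": None}}


def reset_vulnerable(email):
    """The flaw: status and body depend on whether the account exists."""
    if email not in USERS:
        return 404, "No account with that e-mail address"
    USERS[email]["reset_token"] = secrets.token_urlsafe(32)
    return 200, "Reset link sent"


def reset_hardened(email):
    """Same status and body for every address.

    A token is issued only for a real account and would be delivered
    out of band (e-mail), so the HTTP reply carries no signal.
    Response timing should be kept uniform too; that is not modelled here.
    """
    user = USERS.get(email)
    if user is not None:
        user["reset_token"] = secrets.token_urlsafe(32)
    return 200, "If that address is registered, a reset link has been sent"


def leaks_account_existence(handler, known, unknown):
    """Review check: True when the reply differs between a known
    and an unknown address, i.e. the endpoint confirms valid accounts."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (reset_vulnerable, reset_hardened):
        leaky = leaks_account_existence(
            handler, "alice@example.com", "nobody@example.com"
        )
        print(f"{handler.__name__}: leaks account existence = {leaky}")
```

The same comparison applies to login and sign-up responses, which are the other common places where a service confirms that an account exists.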

The researchers were also rather alarmed to find that 60% of the devices they examined had issues including unencrypted downloads of software/firmware updates.

In fact, the researchers themselves intercepted some of the downloads, extracted them and mounted them as a file system in Linux - a convenient lab table for vivisection and modification into a potentially nasty new form.

If this sounds OWASPish, it should.

The study is an outgrowth of the OWASP Internet of Things Top 10 Project, which HP started after hearing about all the things that could go wrong with all the IoT stuff vendors are cranking out: cars, lighting systems, refrigerators, telephones, SCADA systems, traffic control systems, home security systems, TVs, and DVRs, among a growing list.

Just like other OWASP (Open Web Application Security Project) projects, IoT security is multifaceted, says HP's Miessler:

You need to look at all the surface areas discussed in the report and in the OWASP Internet of Things Top 10 Project in order to have a complete view of your risk.

One big problem with IoT security is that all the bugs that bedevil the plain old internet are being sucked up into this new "thing" universe, he said.

From a statement released with the report:

The current state of Internet of Things security seems to take all the vulnerabilities from existing spaces, e.g. network security, application security, mobile security, and Internet-connected devices, and combine them into a new (even more insecure) space, which is troubling.

Troubling indeed.

The report gives advice to vendors on how to clean up the IoT, including conducting a security review of the device and all associated components that encompasses automated scanning of web interfaces, manual review of network traffic, reviewing the need of physical ports such as USB, reviewing authentication and authorization, and reviewing the interactions of the devices with the cloud and mobile apps.

Advice, in short, that has nothing to do with the newness or uniqueness of the Internet of Things and everything to do with plain old computer security best practice.

The OWASP Internet of Things Top 10 site is there for you, vendors, to help you ferret out the issues during such a security review, before somebody else steps in and does it for you.

As it is, many of the vulnerabilities identified in the research are low-hanging fruit and should be easy to remedy, the researchers said. They might have added "...but should not have been on the tree in the first place" too.

If you're using IoT devices then make sure that you keep up to date with the latest patches so you can benefit from any fruit picking at the earliest opportunity.

HP only tested ten devices but if their results are reflective of the large ecosystem of IoT devices then we should be concerned. It has taken a long time and a lot of high profile data breaches for the web to get serious about security. Please, let's not go through it all again with our toasters, fridges, thermostats, lampshades, cameras, cars...


Composite image of duck, crosshairs and Wi-Fi courtesy of Shutterstock.


8 Responses to HP finds that "Internet of Things" gadgets are sitting ducks

  1. ricead · 335 days ago

    I've been talking about TOI for decades. I've also seen TVs hacked, cameras remoted, wifi pcmcia cards with spying software on them and NAS boxes that are great little BOTs. It is getting worse as manufacturers rush to be first to market and with low cost, low spec. being the order of the day, security isn't even on the agenda.

    • Yep.. It's quite sad, but definitely not unexpected due to the way things function in the business world today. Security always seems to be low priority over everything else. :/
      Maybe if the average consumer got educated it would be different, but I'd wager that only the minority these days care about security.

  2. Anonymous · 334 days ago

    A friend who lives in an upscale gated community gave me the code to get in the gate: yep, you guessed it, "1234".

  3. LindaB · 334 days ago

    I always said that IoT and 'the cloud' were inherently unsafe and insecure. Glad I am proven correct.
    My S.O. has been saying this for even longer than me and he worked for a software house and saw the risks several years ago when 'the cloud' was first being talked about - and it has not improved.
    So thanks to HP and their researchers we feel vindicated. Plus we will not be obtaining any device that is web-enabled apart from our carefully protected PCs. (We don't need a 'smart' anything in the house so we are very happy to go without and be safe.)

  4. Had enough of it all · 333 days ago

    Anyone who thinks Cloud or IOT is a good thing needs to get out of IT, or start wearing brown shirts.

    • Jim · 333 days ago

      Aren't they already wearing red shirts? (As in Star Trek: original series)

  5. MikeP_UK · 333 days ago

    The really worrying thing about this is that there are software people out there who work for the manufacturers of these IoT devices that don't seem to know anything about device or system security and how vital it is to anything that might be connected to an internet service!
    I'm glad I don't use any 'cloud' service and do not have any 'intelligent' IoT devices that are clearly dumb according to the HP research. Even if I have to buy a product that has 'intelligent' capabilities, it will not be seeing any RJ45s or WiFi so will not be connecting to any IoT.

  6. Jim · 333 days ago

    In addition to the IoTs mentioned here, what about application vendors who are moving to a "cloud-only" business model? I'm thinking specifically about Adobe moving Creative Suite to be cloud-only. After their massive break-in a while back, there's no way I would buy into that.

    But, obviously some people ARE buying it. What have they done to secure it? And, apply the same question to any other software app that is cloud-enabled or cloud-only.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.