Menu
Internet of Things devices contain high number of vulnerabilities, study finds

Internet of Things devices contain high number of vulnerabilities, study finds

Security researchers from Hewlett-Packard found 250 security issues when analyzing 10 popular IoT devices

A security audit of 10 popular Internet-connected devices - components of the so-called Internet of Things - identified an alarmingly high number of vulnerabilities.

The study lasted three weeks and was performed by researchers from HP's Fortify division. It targeted devices from some of the most common IoT categories: TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.

All of the analysed devices, which weren't named in the resulting report published Tuesday, communicated with some type of cloud service, as well as mobile applications that allowed users to remotely control them.

The HP researchers identified a total of 250 vulnerabilities ranging from issues that could raise privacy concerns to serious problems like lack of transport encryption, vulnerabilities in the administration Web interface, insecure firmware update mechanisms and weak or poorly protected access credentials.

"Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent cross-site scripting vulnerabilities and weak credentials," the researchers said in their report.

Seventy per cent of devices used unencrypted network services that exposed their connections to cloud services and mobile apps to man-in-the-middle attacks, and 80 per cent failed to enforce the use of sufficiently long or complex passwords. The researchers were able to configure accounts with weak passwords like 1234 or 123456 on most devices, and in many cases the same accounts were used for control via the cloud services or mobile applications.

"An attacker can use vulnerabilities such as weak passwords, insecure password recovery mechanisms, poorly protected credentials, etc. to gain access to a device," the researchers said.

Transport encryption was also lacking during the download of firmware updates on 60 percent of devices. Furthermore, the update files themselves had no protection, meaning an attacker could tamper with them in transit.

Manufacturers should conduct security reviews of their products following the list of top 10 security problems most commonly affecting Internet of Things devices that was compiled by the Open Web Application Security Project (OWASP), the HP researchers said. Many of the vulnerabilities identified as part of this research study are considered "low hanging fruit" and can be easily remediated without affecting the user experience, they said.

A significant number of attacks against home routers, network-attached storage devices, DVRs and other embedded systems have been reported this year, suggesting that attackers are beginning to understand the potential of compromising such devices and are looking for ways to monetise unauthorized access to them.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags intrusiononline safetysecurityhewlett packardAccess control and authenticationExploits / vulnerabilities

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments