Menu
Internet of Things devices contain high number of vulnerabilities, study finds

Internet of Things devices contain high number of vulnerabilities, study finds

Security researchers from Hewlett-Packard found 250 security issues when analyzing 10 popular IoT devices

A security audit of 10 popular Internet-connected devices - components of the so-called Internet of Things - identified an alarmingly high number of vulnerabilities.

The study lasted three weeks and was performed by researchers from HP's Fortify division. It targeted devices from some of the most common IoT categories: TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.

All of the analysed devices, which weren't named in the resulting report published Tuesday, communicated with some type of cloud service, as well as mobile applications that allowed users to remotely control them.

The HP researchers identified a total of 250 vulnerabilities ranging from issues that could raise privacy concerns to serious problems like lack of transport encryption, vulnerabilities in the administration Web interface, insecure firmware update mechanisms and weak or poorly protected access credentials.

"Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent cross-site scripting vulnerabilities and weak credentials," the researchers said in their report.

Seventy per cent of devices used unencrypted network services that exposed their connections to cloud services and mobile apps to man-in-the-middle attacks, and 80 per cent failed to enforce the use of sufficiently long or complex passwords. The researchers were able to configure accounts with weak passwords like 1234 or 123456 on most devices, and in many cases the same accounts were used for control via the cloud services or mobile applications.

"An attacker can use vulnerabilities such as weak passwords, insecure password recovery mechanisms, poorly protected credentials, etc. to gain access to a device," the researchers said.

Transport encryption was also lacking during the download of firmware updates on 60 percent of devices. Furthermore, the update files themselves had no protection, meaning an attacker could tamper with them in transit.

Manufacturers should conduct security reviews of their products following the list of top 10 security problems most commonly affecting Internet of Things devices that was compiled by the Open Web Application Security Project (OWASP), the HP researchers said. Many of the vulnerabilities identified as part of this research study are considered "low hanging fruit" and can be easily remediated without affecting the user experience, they said.

A significant number of attacks against home routers, network-attached storage devices, DVRs and other embedded systems have been reported this year, suggesting that attackers are beginning to understand the potential of compromising such devices and are looking for ways to monetise unauthorized access to them.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags online safetyintrusionAccess control and authenticationExploits / vulnerabilitieshewlett packard

Featured

Slideshows

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Meet the winners of the 2020 Reseller News Innovation Awards

Meet the winners of the 2020 Reseller News Innovation Awards

Reseller News honoured the standout players of the New Zealand channel in front of more than 500 technology leaders in Auckland on 21 October, recognising the achievements of top partners, start-ups, vendors, distributors and individuals.

Meet the winners of the 2020 Reseller News Innovation Awards
Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Show Comments