Menu
Internet of Things devices contain high number of vulnerabilities, study finds

Internet of Things devices contain high number of vulnerabilities, study finds

Security researchers from Hewlett-Packard found 250 security issues when analyzing 10 popular IoT devices

A security audit of 10 popular Internet-connected devices - components of the so-called Internet of Things - identified an alarmingly high number of vulnerabilities.

The study lasted three weeks and was performed by researchers from HP's Fortify division. It targeted devices from some of the most common IoT categories: TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.

All of the analysed devices, which weren't named in the resulting report published Tuesday, communicated with some type of cloud service, as well as mobile applications that allowed users to remotely control them.

The HP researchers identified a total of 250 vulnerabilities ranging from issues that could raise privacy concerns to serious problems like lack of transport encryption, vulnerabilities in the administration Web interface, insecure firmware update mechanisms and weak or poorly protected access credentials.

"Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent cross-site scripting vulnerabilities and weak credentials," the researchers said in their report.

Seventy per cent of devices used unencrypted network services that exposed their connections to cloud services and mobile apps to man-in-the-middle attacks, and 80 per cent failed to enforce the use of sufficiently long or complex passwords. The researchers were able to configure accounts with weak passwords like 1234 or 123456 on most devices, and in many cases the same accounts were used for control via the cloud services or mobile applications.

"An attacker can use vulnerabilities such as weak passwords, insecure password recovery mechanisms, poorly protected credentials, etc. to gain access to a device," the researchers said.

Transport encryption was also lacking during the download of firmware updates on 60 percent of devices. Furthermore, the update files themselves had no protection, meaning an attacker could tamper with them in transit.

Manufacturers should conduct security reviews of their products following the list of top 10 security problems most commonly affecting Internet of Things devices that was compiled by the Open Web Application Security Project (OWASP), the HP researchers said. Many of the vulnerabilities identified as part of this research study are considered "low hanging fruit" and can be easily remediated without affecting the user experience, they said.

A significant number of attacks against home routers, network-attached storage devices, DVRs and other embedded systems have been reported this year, suggesting that attackers are beginning to understand the potential of compromising such devices and are looking for ways to monetise unauthorized access to them.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags online safetyintrusionAccess control and authenticationExploits / vulnerabilitieshewlett packard

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments