Beware of Internet of Things Hacking

Recently, HP announced a study concluding that over 70% of devices on the Internet of Things have serious vulnerabilities, involving encryption, passwords, cross-site scripting, user access and permissions.

This is of increasing concern as the consumer market is flooded with interconnected IoT devices, each able to pass information seamlessly between you, the cloud and each other.

This means that, in theory, hacking into your IoT calorie counter, TV or home alarm can open the floodgates to your personal computer files, medical information, schedules, contacts, banking information, intellectual property and more!

“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface … With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats,” said Mike Armistead, VP of HP.

Using HP Fortify, 10 popular IoT products were assessed and an astounding 250 vulnerabilities were found. That is an average of 25 per device! These devices included webcams, home alarms, garage door openers, device control hubs and more. So much for privacy and home security.

Here is a breakdown of the security issues found in the devices, their companion mobile apps and/or their cloud services:

  • Privacy: 80% raised privacy concerns by collecting consumer data such as name, email, credit card, home address, date of birth and health information. Everything needed for identity theft.
  • Authorization: 80% had insufficient password protection with respect to length and complexity. These weak passwords were also accepted on the vendors’ websites and mobile apps. Like something out of a Mel Brooks film, most of the devices even allowed the password ‘1234’.
  • Encryption: 70% failed to encrypt communications between the device, its mobile app, the internet or the local network. Additionally, 50% of the mobile apps passed unencrypted data to the cloud, the internet or the local network.
  • Web Interface: 60% of the web interfaces had persistent cross-site scripting (XSS) flaws and weak session management, including default credentials (which were, of course, sent unencrypted). Even more disheartening, 70% of the devices with mobile and cloud interfaces could let an attacker identify valid accounts through password-reset and account-enumeration features.
  • Software Protection: 60% did not encrypt data while downloading updates, which is disturbing because such updates could therefore be intercepted, mounted on a Linux system and modified.

Before the IoT becomes the next Heartbleed, software developers, engineers and organizations must close these doors.

Source: HP.