Internet of things devices contain high number of vulnerabilities, study finds
A security audit of 10 popular Internet-connected devices—components of the so-called “Internet of things”—identified an alarmingly high number of vulnerabilities.
The study lasted three weeks and was performed by researchers from Hewlett-Packard’s Fortify division. It targeted devices from some of the most common IoT categories: TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.
All of the analyzed devices, which weren’t named in the resulting report published Tuesday, communicated with some type of cloud service, as well as mobile applications that allowed users to remotely control them.
The HP researchers identified a total of 250 vulnerabilities ranging from issues that could raise privacy concerns to serious problems like lack of transport encryption, vulnerabilities in the administration Web interface, insecure firmware update mechanisms and weak or poorly protected access credentials.
“Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent cross-site scripting vulnerabilities and weak credentials,” the researchers said in their report.
Seventy percent of devices used unencrypted network services that exposed their connections to cloud services and mobile apps to man-in-the-middle attacks, and 80 percent failed to enforce the use of sufficiently long or complex passwords. The researchers were able to configure accounts with weak passwords like 1234 or 123456 on most devices, and in many cases the same accounts were used for control via the cloud services or mobile applications.
“An attacker can use vulnerabilities such as weak passwords, insecure password recovery mechanisms, poorly protected credentials, etc. to gain access to a device,” the researchers said.
Transport encryption was also lacking during the download of firmware updates on 60 percent of devices. Furthermore, the update files themselves had no protection, meaning an attacker could tamper with them in transit.
Manufacturers should conduct security reviews of their products following the list of top 10 security problems most commonly affecting Internet of Things devices that was compiled by the Open Web Application Security Project (OWASP), the HP researchers said. Many of the vulnerabilities identified as part of this research study are considered “low hanging fruit” and can be easily remediated without affecting the user experience, they said.
A significant number of attacks against home routers, network-attached storage devices, DVRs and other embedded systems have been reported this year, suggesting that attackers are beginning to understand the potential of compromising such devices and are looking for ways to monetize unauthorized access to them.