Haven't jumped on the Internet of Things (IoT) because of security concerns? New research from HP Fortify shows there's reason for caution.
HP Fortify researchers reviewed ten IoT-connected home security systems and found all of them are vulnerable to account harvesting via the cloud connection or interface.
But that’s not all. They also found all systems could work with weak security passwords, all of them were lacking an account lock-out mechanism, 90 percent didn’t have a two-factor authentication option and 70 percent had problems with systems updates.
More Connections, More Risk
The IoT is literally everywhere. According to Gartner there will be 4.9 billion connected things in use this year, up 30 percent from 2014 — and that number will climb to 25 billion by 2020.
That’s a lot of different doorways into the same system, every one of which needs to be secured from intruders. While at this stage it looks like this will be close to impossible, it shouldn't stop enterprises from protecting their own little piece of this growing IT landscape.
The findings are contained in the second part of IoT research carried out by Fortify over the past few months to find out what issues are facing enterprises with the rise of the IoT.
In the first report, the company looked at 10 devices across multiple product types. It found an average of 20 vulnerabilities per system, spanning TVs, thermostats, home automation hubs, alarm systems and other common domestic devices.
In this second report, it focused specifically on IoT-connected Home Security Systems. It did this by combining manual testing with the use of automated tools. Devices and their components were assessed based on the OWASP (Open Web Application Security Project) Internet of Things Top 10 and the specific vulnerabilities associated with each top 10 category.
The OWASP is a project designed to help manufacturers, developers and consumers better understand the security issues associated with the IoT and to enable users to make better security decisions when building, deploying or assessing IoT technologies.
Not So Secure
Connected home security systems provide all kinds of security features for the home including door and window sensors, motion detectors, video cameras and recording mechanisms that are all connected via the cloud to a mobile device or the web.
According to Daniel Miessler, a practice principal within HP Fortify's Fortify on Demand group, the biggest takeaway from this research is that all of the systems assessed are hackable. Cyber intruders can access home video cameras or security systems remotely, without the system owner knowing it. He noted in a blog post:
The Internet of Things is worse than just a new insecure space: it's a Frankenbeast of technology that links network, application, mobile, and cloud technologies together into a single ecosystem, and it unfortunately seems to be taking on the worst security characteristics of each.
Here are the six main vulnerabilities that HP Fortify identified — a half dozen reasons why hackers should love the IoT.
Authentication And Authorization
Weak passwords, insecure password recovery mechanisms, poorly protected credentials and other weaknesses can be used to gain access to all systems. All of the systems examined failed to insist on sufficiently complex passwords to help keep intruders out. The research also found most systems were unable to lock accounts after a certain number of failed attempts to access them.
Both of these issues enable hackers to access accounts by guessing login credentials. Only one system offered two-factor authentication and only one implemented Apple’s Touch ID for authentication to the mobile application interface.
Transport Encryption is essential for all communications that travel across the internet to protect sensitive data. Without it, home related cloud connections are potentially open to all kinds of attacks.
This can result in the loss of personal information, device security settings and private video. The researchers noted that while systems had some security, the majority had not configured them against some of the more common vulnerabilities like PODDLE.
Insecure Cloud Interfaces
Of all the systems examined, 70 percent used cloud-based interfaces and all of them displayed enumeration issues. Valid user accounts can be identified through feedback received from reset password mechanisms, credential input and sign up pages.
The research showed 50 percent of systems also showed account enumeration concerns with their mobile application interface. Like the problem with cloud interfaces, valid user accounts can be identified through feedback received from reset password functionality mechanisms.
Several of the systems had software issues including the transmission of updates across the web without proper encryption. In one case, firmware was retrieved via FTP allowing the capture of credentials that would give an attacker write-access to the update server.
In addition, only 40 percent of the systems offered automated update functionality that the user could trigger with an update button. Three of ten systems gave users the option to accept or reject updates.
All systems that were surveyed collected some kind of personal information like names, addresses, date of birth, phone number and even credit card numbers. Given the number of security weaknesses, this means that this information is also vulnerable.
While the report has a number of obvious recommendations for consumers — like making sure to use strong passwords and assess the security of the system when shopping — the issues are more complicated for enterprises.
Clearly, moving forward it will be impossible for enterprises to avoid the IoT. But what they should do is keep IoT related devices and the wider enterprise IT infrastructure separate.
The IoT is still untested. Until such a time as security around it has been improved, enterprises need to be careful how they deploy it.