Security concerns are developing faster than the Internet of Things (IoT). But HP claims it is tackling IoT related concerns head on and has identified what it describes as the top five issues for businesses to consider.
The research, carried out by Fortify, part of HP Enterprise Security Products, confirms those security concerns. It shows 70 percent of the most commonly used IoT devices contain vulnerabilities, including password security, encryption and general lack of granular user access permissions.
Always Connected, Always Vulnerable
Issues around mobile security are already a challenge in this era of always-connected devices. Think how much greater those challenges will be if a business has, for example, 10 IoT-connected devices.
And it’s not going to get any easier. As the IoT evolves, there will be billions of connected devices — and each one represents a potential doorway into your IT infrastructure and your company or personal data.
To produce this top five list, HP reviewed 10 of the most popular devices in some of the most popular IoT niches. It analyzed IoT devices from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garages.
All devices surveyed included some form of cloud service and included mobile applications, which can be used to access or control the devices remotely.
HP noted that the assessment of all devices and components was based on the Open Web Application Security Project (OWASP) Internet of Things Top 10 list and the specific vulnerabilities associated with each top 10 category.
The OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. It aims to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
Here's the List
The research showed a striking number of vulnerabilities per device, ranging from Heartbleed (a vulnerability in the OpenSSL cryptographic software library that enables hackers to steal information that would normally be protected) to distributed denial of service, weak passwords and cross-site scripting.
1. Privacy Concerns: 90 percent of devices collected at least one piece of personal information via the device, the cloud or the device’s mobile application. The vast majority of devices collected information such as name, address, date of birth or even health and credit card information. Even worse, many devices transmit this information across networks without encryption. If users misconfigure their home network, they are only one step away from exposing this data over the wireless network. Cloud services, which many of these devices use, are also extremely vulnerable. However, it is likely that the majority of these devices actually need personal information to function.
2. Insufficient Authentication/Authorization: 80 percent failed to require passwords of sufficient complexity and length. A huge number of users and devices rely on weak and simple passwords and authorizations. Citing examples, HP found that many devices and their cloud components accepted passwords like “1234” or “123456”. Many users who configured accounts with weak passwords also reused the same password for the associated cloud products. HP points out that a strong password policy is basic security, but even so most solutions failed.
3. Transport Encryption: 70 percent of devices used unencrypted network services. Transport encryption means that information transferred from one device to another is encrypted from the outset of any communication. It will be crucial given that most of the devices transmit data that most people would consider crucial. However, most devices surveyed failed to encrypt data, even when communicating over the Internet. HP noted that the need for encryption is particularly strong given the amount of information passed between the device, the cloud and mobile applications.
4. Web Interface: 60 percent raised security concerns with their user interfaces. These issues included persistent cross-site scripting, poor session management and weak default credentials. From this, hackers were able to identify valid user accounts and take them over using things like password reset features.
5. Insecure Software: 60 percent did not use encryption when downloading software updates. Given the number of software updates that will be required to make everything work together, HP says it was “alarming” to find that so little of this software was encrypted during download. Even worse, some of the downloads that were tested could be intercepted and loaded into a file system on Linux, where the software could be inspected or even modified.
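The mitigation the fifth finding calls for is that a device refuses an update it cannot verify, whatever channel it arrived over. The following is an added illustration, not code from HP's report or from any vendor studied: the update ships with a manifest binding the version to the image hash, the device checks the manifest's authenticity, the hash and that the version moves forward. The key, image and versions are constructed sample values; HMAC-SHA256 is used so the example runs with only the standard library, whereas real firmware signing uses asymmetric signatures so the device holds no secret that could sign an update.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed sample key provisioned on the device (hypothetical, not a real value).
DEVICE_KEY = b"example-provisioned-key-not-for-production"

# Constructed sample firmware image; any bytes work here.
FIRMWARE = b"\x7fELF constructed firmware image v1.1.0"


def _canonical(body: dict) -> bytes:
    """Serialize the manifest body deterministically so vendor and device MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def sign_manifest(image: bytes, version: str, key: bytes) -> dict:
    """Vendor side: bind version and image hash in a manifest and authenticate it."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_update(image: bytes, manifest: dict, key: bytes,
                  installed_version: str) -> Tuple[bool, str]:
    """Device side: accept only an authentic manifest, a matching image and a newer version."""
    expected_tag = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    # Constant-time compare so the check leaks nothing about how many bytes matched.
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False, "manifest authentication failed"
    image_hash = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(image_hash, manifest["body"]["sha256"]):
        return False, "image hash does not match manifest"
    if _version_tuple(manifest["body"]["version"]) <= _version_tuple(installed_version):
        return False, "rollback to older or same version refused"
    return True, "update accepted"


if __name__ == "__main__":
    manifest = sign_manifest(FIRMWARE, "1.1.0", DEVICE_KEY)
    print(verify_update(FIRMWARE, manifest, DEVICE_KEY, "1.0.0"))
    # An image altered in transit fails the hash check even though the manifest is genuine.
    print(verify_update(FIRMWARE + b"\x90", manifest, DEVICE_KEY, "1.0.0"))
```

Note that a TLS download channel (finding 3) and a verified manifest (finding 5) address different risks: TLS protects the bytes in transit, while the manifest check lets the device reject a bad image regardless of how it was delivered or stored.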
What Does it Mean?
HP thinks manufacturers of IoT-compatible devices should be taking steps to secure them now, before the problem becomes unmanageable. It suggests they:
- Carry out a security review of all devices and components to detect vulnerabilities
- Apply security standards that all devices need to live up to before production
- Make security a cornerstone of the production life-cycle