Beware of Internet of Things Hacking

HP study finds the average IoT device had 25 security issues!

Recently, HP announced a study concluding that over 70% of devices on the Internet of Things have serious vulnerabilities, including weak encryption, weak passwords, cross-site scripting, and insufficient user access controls and permissions.

This is of increasing concern as the consumer market is flooded with interconnected IoT devices, each able to pass information seamlessly between you, the cloud and each other.

This means that, in principle, compromising your IoT calorie counter, TV or home alarm can open the floodgates to your personal computer files, medical information, schedules, contacts, banking information, intellectual property and more!

“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface … With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats,” said Mike Armistead, VP of HP.

Using HP Fortify, 10 popular IoT products were assessed and an astounding 250 vulnerabilities were found. That is 25 per device! These devices included webcams, home alarms, garage door openers, device control hubs and more. So much for privacy and home security.

Here is a breakdown of the security issues found in the devices and in their companion mobile apps and cloud services:

  • Privacy: 80% raised privacy concerns by collecting personal data such as name, email address, home address, date of birth, credit card details and health information: everything needed for identity theft.
  • Authentication: 80% did not require passwords of sufficient length or complexity, and the same weak passwords were accepted by the companion websites and mobile apps. Like something out of a Mel Brooks film, most of the devices even allowed the password ‘1234’.
  • Encryption: 70% did not encrypt communications between the device, its mobile app, the internet and the local network. Additionally, 50% of the mobile apps passed unencrypted data to the cloud, the internet or the local network.
  • Web Interface: 60% had user-interface weaknesses such as persistent cross-site scripting (XSS), weak session management and weak default credentials (which were, of course, transmitted in clear text). Even more disheartening, 70% of the devices with mobile and cloud interfaces let an attacker confirm which accounts exist, through account enumeration or the password-reset feature.
  • Software Protection: 60% did not encrypt software updates during download; some of these update images could be intercepted, extracted and mounted as a filesystem on Linux, where the software could be read or modified. Encrypting the download hides the image from an eavesdropper, but what actually stops a tampered update from being installed is a signature that the device verifies before applying it.
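As an added example (not code from HP's report or from the article's author), the following Python model shows two of the findings above side by side with their fixes: a password policy that rejects ‘1234’, and a password-reset endpoint in its account-enumerating form next to one that answers identically whether or not the address is registered. The user store, the endpoint names and the response messages are assumptions constructed for illustration; only the standard library is used.

```python
"""Added example: toy account handling for an IoT cloud service.
The user store, endpoint names and messages are constructed assumptions,
not any vendor's code."""

import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: enough to make offline guessing slow


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; passwords are never stored in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "reset_token": None}


# Constructed sample account (assumption: a single registered user).
USERS = {"alice@example.com": make_user("correct-horse-battery-staple-42")}

# --- Password policy: the fix for "most devices allowed '1234'" -----------
COMMON_PASSWORDS = {"1234", "12345", "123456", "password", "admin", "qwerty", "letmein"}
MIN_LENGTH = 12


def password_policy_errors(password: str) -> list:
    """Return the reasons a password is unacceptable; an empty list means OK."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("on the common-password denylist")
    if password.isdigit():
        errors.append("digits only")
    return errors


def verify_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        # Hash anyway so an unknown account takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


# --- Password reset: the enumeration leak beside the fix ------------------
def reset_vulnerable(email: str) -> tuple:
    """The pattern HP flagged: the response reveals whether the account exists."""
    if email not in USERS:
        return 404, "No account found for that email address"
    USERS[email]["reset_token"] = secrets.token_urlsafe(32)
    return 200, "Password reset email sent"


def reset_hardened(email: str) -> tuple:
    """Same status and message whether or not the address is registered.
    The token is generated unconditionally so the two paths also take the
    same time; it is only stored (and would only be emailed) for real users."""
    token = secrets.token_urlsafe(32)
    user = USERS.get(email)
    if user is not None:
        user["reset_token"] = token
    return 200, "If that address is registered, a reset link has been sent"


def complete_reset(email: str, token: str, new_password: str) -> tuple:
    """Redeem a single-use reset token and enforce the password policy."""
    user = USERS.get(email)
    stored = user["reset_token"] if user else None
    if stored is None or not hmac.compare_digest(stored, token):
        return 400, "Invalid or expired reset link"
    errors = password_policy_errors(new_password)
    if errors:
        return 400, "Password rejected: " + "; ".join(errors)
    user["salt"] = secrets.token_bytes(16)
    user["hash"] = _hash_password(new_password, user["salt"])
    user["reset_token"] = None  # single use
    return 200, "Password changed"
```

Run as written, `reset_vulnerable` answers 404 for an unknown address and 200 for a known one, which is exactly the oracle an attacker uses to enumerate accounts; `reset_hardened` returns the same tuple for both, and the only observable difference is the email that the real user receives.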

Before the IoT becomes the next Heartbleed bug, software developers, engineers and organizations must close these doors.

Source: HP.

Written by

Shawn Wasserman

For over 10 years, Shawn Wasserman has informed, inspired and engaged the engineering community through online content. As a senior writer at WTWH media, he produces branded content to help engineers streamline their operations via new tools, technologies and software. While a senior editor at Engineering.com, Shawn wrote stories about CAE, simulation, PLM, CAD, IoT, AI and more. During his time as the blog manager at Ansys, Shawn produced content featuring stories, tips, tricks and interesting use cases for CAE technologies. Shawn holds a master’s degree in Bioengineering from the University of Guelph and an undergraduate degree in Chemical Engineering from the University of Waterloo.