At least 10 of the most popular Internet of Things (IoT) devices have an “alarming number of security vulnerabilities,” according to hardware and cloud solutions company Hewlett-Packard Co.
The company’s security research arm reviewed 10 products in some of the most common IoT niches and found that the majority of the devices contained flaws that rendered them vulnerable to threats ranging from denial of service attacks to the Heartbleed bug to cross-site scripting.
HP did not name the products’ brands but said it analyzed devices from manufacturers of TVs, Webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for multiple devices, door locks, home alarms, scales and garage door openers.
Awareness of the security issues associated with IoT is important not just for consumers but for channel partners and businesses as well, since the number and diversity of connected devices is expected to explode in the next few years. Many analysts and industry experts foresee devices and sensors connected to the Internet becoming more prevalent in households and various industries. Analyst firm IDC Canada, for instance, is projecting that the market for products and services related to IoT will reach $21 billion within four years. Gartner estimates that by 2020 there will be no fewer than 26 billion IoT devices.
Even just a couple of security concerns on a single device such as a smart phone “can quickly turn to 50 or 60 concerns” when taking into account multiple IoT devices that the phone is able to connect to, according to the HP report.
Among the findings of the report were:
- Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent cross-site scripting (a vulnerability that lets attackers store script in a page that later runs in other users' browsers, which can be used to bypass access controls) and weak credentials
- Ninety per cent of devices collected at least one piece of personal information via the device, the cloud or its mobile application
- Eighty per cent of devices along with the cloud and mobile applications failed to require passwords of sufficient complexity
- Seventy per cent of devices along with the cloud and mobile applications enable attackers to identify valid user accounts through account enumeration
- Seventy per cent of devices used unencrypted services
HP recommends that device manufacturers do the following to reduce security risk:
- Conduct a security review of devices and associated components. This could involve automated scanning of Web interfaces, a review of network traffic, a review of physical ports such as USB, and a review of authentication and authorization
- Implement security standards that devices need to meet before production. The research found that many of the vulnerabilities identified were relatively easy to remediate
- Ensure security is a consideration throughout the product lifecycle. Updates to a product’s software are extremely important in ensuring there is a robust and secure system in place
“A world of interconnected ‘smart’ devices is here, albeit in the early stages,” the HP report said. “In light of the importance of what IoT devices have access to, it’s important to understand their security risk.”