For many consumers, Internet-enabled home security devices may be a tangible manifestation of the Internet of Things. However, they may not be very secure things.
A new report from Hewlett-Packard Co.’s HP Fortify business looked at 10 connected home security devices, as well as their cloud and mobile app components – checking in on your home from your smartphone is an oft-touted benefit of these systems. Connected security devices included door and window sensors, motion detectors, video cameras and recording mechanisms. And the results weren’t pretty.
“We continued to see significant deficiencies in the areas of authentication and authorization along with insecure cloud and mobile interfaces,” said the report. “It is of particular concern to see these deficiencies in systems where the primary function is security.”
While a significant increase in the use of transport encryption such as SSL/TLS was noted, the report added that the configuration and implementation weakened the security that the encryption technology should normally provide.
Significant vulnerabilities were identified in each device tested, including enumerable usernames, weak password policies and no account lockout. None required a strong password, and just one offered two-factor authentication. Four of the seven systems with cameras allowed multiple people video access, exacerbating account harvesting issues, and two allowed video to be streamed locally without authentication.
“Products, services, and ecosystems around Internet of Things will increasingly offer a wide range of benefits that will entice both consumers and businesses,” said the report. “This research does not aim to dampen that enthusiasm, but rather to inform users that these capabilities come with risks, and that it’s in everyone’s best interest to understand those risks before activating these systems.”
HP recommends consumers include security in their feature considerations when shopping for such products, avoid using system defaults for user names and passwords and instead choose good passwords when possible. Enterprises should implement a firewall between Internet of Things devices and the rest of the network, and configure supplemental security features that may not be enabled by default.