7 out of top 10 “Internet of Things” devices riddled with vulnerabilities

Graham Cluley

It has become the trendy thing to connect more and more household and office devices to the internet. It is becoming increasingly common to find yourself typing a Wi-Fi password not just into your smartphone, but also your smoke alarm, your fridge, your printer, your baby monitor, and maybe even your car.

However, are the manufacturers of these internet-enabled devices paying proper care and attention to security and privacy?

Sadly, it seems they are often falling at the first hurdle.

New research published by HP claims “70 percent of the most commonly used Internet of Things (IoT) devices contain serious vulnerabilities.”

On average, 25 vulnerabilities were found by researchers in HP’s study of the top ten most popular IoT devices – with a grand total of 250 security concerns discovered.

According to the research, 90% of devices collected at least one piece of personal information via the device, the cloud or its mobile application. The concerns connected with that are obviously amplified when you consider that 70% of the devices examined used unencrypted network services – opening the door for WiFi-sniffing hackers.

HP also described how the devices’ user interfaces were often found lacking – with six out of 10 vulnerable to a range of issues such as the Heartbleed SSL vulnerability, persistent XSS (cross-site scripting), poor session management and weak default credentials.

80% of devices, along with their cloud and mobile application components, meanwhile failed to require passwords of sufficient complexity and length – with most allowing passwords like “1234” or “123456”.

70% of devices, along with their cloud and mobile application components, enable an attacker to identify valid user accounts through account enumeration.

Finally, 60% of devices failed to boost confidence when it came to how they went about downloading software updates – with many failing to use any encryption, opening a window of opportunity for malicious hackers.
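Two of the findings above, weak password acceptance and account enumeration, come down to a handful of lines in a device's login code. The following is an added example, not code from HP's report or from any tested device: a constructed in-memory account store with a password policy that rejects the likes of “1234”, a deliberately leaky login that reveals which usernames exist, and the hardened equivalent that gives one answer and takes one code path whether or not the user exists.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for this example: username -> (salt, hash).
_USERS: dict[str, tuple[bytes, bytes]] = {}
_ITERATIONS = 100_000
COMMON_PASSWORDS = {"1234", "123456", "password", "admin"}  # constructed denylist


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def password_policy_errors(password: str) -> list[str]:
    """Reasons a candidate password is rejected; an empty list means it passes."""
    errors = []
    if len(password) < 8:
        errors.append("shorter than 8 characters")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("on the common-password denylist")
    if password.isdigit() or password.isalpha():
        errors.append("uses a single character class")
    return errors


def register(username: str, password: str) -> bool:
    """Create an account only if the password clears the policy."""
    if password_policy_errors(password):
        return False
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash(password, salt))
    return True


def leaky_login(username: str, password: str) -> str:
    """Weak form: distinct messages tell a caller which usernames exist."""
    if username not in _USERS:
        return "no such user"
    salt, stored = _USERS[username]
    return "ok" if hmac.compare_digest(_hash(password, salt), stored) else "wrong password"


# Random dummy credentials: unknown users take the same code path and cost
# as known ones, and no password can match a random 32-byte "hash".
_DUMMY = (os.urandom(16), os.urandom(32))


def login(username: str, password: str) -> str:
    """Hardened form: one message and one cost whether or not the user exists."""
    salt, stored = _USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return "ok" if ok else "invalid username or password"
```

The same uniform-response rule applies to registration and password-reset endpoints, which are just as often the enumeration oracle as the login form.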

In HP’s view, this all adds up to a growing problem:

“As the number of connected IoT devices constantly increases, security concerns are also exponentially multiplied. A couple of security concerns on a single device such as a mobile phone can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business”

I’ve got some questions about HP’s research, however.

Firstly, why did they only test ten IoT devices? That hardly seems a huge sample on which to base an opinion, even if the ones examined are what HP describes as the ones “most commonly used”.

Secondly, which devices did HP test? Their report doesn’t say. Which means, as a possible consumer of one of the “most commonly used” Internet of Things devices, I’m in the dark as to whether my information or network might be at risk. Their report, sadly, doesn’t really go into the required depth to give me – as a potential victim – advice on what I should do next.

Thirdly, has HP informed the manufacturers of the issues, and is it working with them to get the vulnerabilities fixed? It would be nice to think that they were acting responsibly, or at least gave the manufacturers an opportunity to defend the design decisions that they made.

Of course, it’s hard to argue that a sample of only ten internet-enabled devices (albeit ones that HP claims are the most popular) is representative. But I wouldn’t be surprised if many, many devices did deserve a poor score card when it comes to their security and design.

So, based upon all this, should we be turning our back on the “internet of things” and refusing to let anything which is internet-enabled from darkening our doorstep?

I don’t think so.

IoT is here to stay, and no amount of raised voices about some devices’ lax attitude to security and privacy is going to prevent more and more people from embracing the concept with open arms. Closing your eyes and sticking your fingers in your ears isn’t going to be a solution.

Instead, we need to call upon the manufacturers and developers to take the security of these devices more seriously, just as we would if they were building mobile phones rather than refrigerators.

One clear way to raise the importance of getting things right in the device-maker’s mind is to publicise when they’ve done it wrong, and warn purchasers to be on their guard. That’s what happened earlier this month when security researchers found an internet-enabled LED light bulb could potentially be exploited by hackers.

Let’s hope, for all of our sakes, that programmers of IoT devices learn some good security lessons and build in security and privacy from the beginning, rather than add it later as a (probably insecurely transmitted) software update.

This article originally appeared on the Lumension blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
