IoT devices are filled with security flaws, researchers warn
We are living in an increasingly interconnected world, and the so-called Internet of Things is our (inescapable) future. But how safe will we, our possessions and our information be as these wired and interconnected devices begin to permeate our lives?
The current situation is not satisfactory, as HP’s researchers have discovered.
Using standard testing techniques, they have analyzed 10 of the most popular TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers, and have come across “an alarmingly high average number of vulnerabilities per device.”
The flaws included the Heartbleed bug, DoS vulnerabilities, weak passwords, lack of encryption, and so on.
All the tested devices had mobile applications though which they could be accessed and controlled remotely, and most included some form of cloud service.
The researchers found that:
- Web interfaces of six of the 10 tested devices are vulnerable to cross-site scripting, have poor session management and weak default credentials
- 80 percent of the tested devices failed to require passwords of sufficient complexity and length, and 70 percent of the devices with the cloud and mobile app allow attackers to identify user account through account enumeration.
- 90 percent of devices collected at least one piece of personal information via the device, the cloud or the device’s mobile app
- 70 percent don’t use encryption when transmitting collected data that might be sensitive via the Internet and the local network
- 60% of devices displayed software and/or firmware issues.
Mark Sparshott, Director of EMEA at Proofpoint, pointed out that while current bots typically send thousands of phishing emails in different campaigns, which allows defenders to identify and blacklist them, future IoT botnets will be 100 or 1,000 times larger.
“It is conceivable that a future IoT bot could send just 1 phish and never appear on any reputation block list,” he noted. “The IoT and the increasing use of zero-day threats to bypass signature-based security systems means that enterprise security strategies have to evolve to leverage cloud based dynamic sandboxing and malware analysis as well as focus on reducing the time to remediate the inevitable breach through automated security response.”
In order to minimize the risks, HP researchers have advised manufacturers to test and secure their devices and its various components.
“Implement security and review processes early on so that security is automatically baked in to your product,” they suggested, and added that implementing security standards and keeping to them will significantly improve their product’s security posture.