The Internet of Things (IoT) is gaining momentum across the world, but there is a cautionary caveat to the new trend: 70 percent of the most popular IoT devices contain vulnerabilities, according to a new study.
To get those results, HP, which conducted the study, used its HP Fortify on Demand application security testing service to check ten of the most commonly used IoT devices and their cloud and mobile application components.
The list includes TVs, power outlets, webcams, smart hubs, home thermostats, sprinkler controllers, home alarms, scales, garage door openers, and door locks.
A total of 250 security holes were discovered in the tested IoT devices — on average, 25 per device, according to HP’s report, “Internet of Things Security: State of the Union.” The issues relate to privacy, insufficient authorization, lack of transport encryption, inadequate software protection, and insecure Web interfaces.
In one case, the study shows that 80 percent of the tested devices, including their corresponding cloud and mobile apps, raised privacy concerns regarding the collection of user data such as names, email addresses, physical addresses, dates of birth, and financial and health information.
When it comes to authorization, quite a few of the products fail to enforce strong passwords, allowing customers to set passwords like “1234” not only on the devices themselves, but also on websites and mobile apps.
HP said 70 percent of tested IoT devices don’t encrypt Internet and local network communications, with half of their applications lacking transport encryption. For 60 percent of devices, manufacturers haven’t ensured that software updates are downloaded securely, in some cases enabling attackers to intercept them.
As far as Web interfaces go, six of the ten products have persistent cross-site scripting (XSS) vulnerabilities, easy-to-guess default credentials, and poor session management. Flaws in the cloud and mobile apps of 70 percent of devices can be exploited to determine valid user accounts through the password reset feature or account enumeration.
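Two of the web-interface weaknesses above, weak password acceptance and account enumeration through the password reset feature, are shown below as an added illustration in the form a device vendor would fix them. This is not code from HP's report or from any tested product; the user store, the weak-password list and the function names are constructed for the example.

```python
"""Added example: a password policy that rejects "1234"-style secrets, and a
password-reset handler that does not reveal whether an account exists.
USERS, KNOWN_WEAK and the function names are hypothetical, not from the report."""
import re

# Constructed sample user store (email -> password hash placeholder).
USERS = {"alice@example.com": "<hash>", "bob@example.com": "<hash>"}

# Constructed short denylist; a real deployment would use a large breached-password list.
KNOWN_WEAK = {"1234", "12345", "123456", "password", "admin", "0000"}

# One message for every outcome, so the response cannot be used to enumerate accounts.
GENERIC_RESET_MSG = "If that address is registered, a reset link has been sent."


def password_policy_ok(candidate: str) -> bool:
    """Reject trivially guessable passwords: minimum length, not on the
    denylist, and at least three of the four character classes."""
    if len(candidate) < 12 or candidate.lower() in KNOWN_WEAK:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, candidate)) >= 3


def reset_password_leaky(email: str) -> str:
    """The flawed pattern the study describes: the reply differs depending on
    whether the address is registered, so each request confirms or denies an account."""
    if email in USERS:
        return "Reset link sent."
    return "No account with that email."


def reset_password_hardened(email: str, send_mail) -> str:
    """Hardened form: identical reply either way.  The only difference is the
    side effect (mail to the registered address), which the requester cannot see.
    send_mail should enqueue asynchronously so response timing also stays uniform."""
    if email in USERS:
        send_mail(email)
    return GENERIC_RESET_MSG
```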
Looking down the road, Gartner predicted that by 2020 there will be 26 billion IoT devices, with the companies that provide such products and services generating incremental revenue of over $300 billion. HP believes device manufacturers attempt to launch their products as quickly as possible in an effort to gain market share, but they neglect security.
The company advised manufacturers to conduct a security review of their devices and all their associated components, and to implement security standards that products must meet before they go into production. They should also implement security and review processes to ensure that security is addressed in every phase of the product lifecycle.