Internet of Things devices riddled with security errors, claims HP
HP Fortify study finds devices protected by weak passwords and unencrypted network services
Internet of Things (IoT) devices are riddled with basic security flaws, such as weak passwords, unencrypted network services, insecure interfaces and cross-site scripting risks.
That is the conclusion of a study into 10 connected devices examined by HP Fortify. However, the security arm of the hardware giant has declined to name the flawed devices, claiming that its aim was to raise awareness of the security risks that IoT devices pose at this immature stage in the technology's development.
"Suddenly, everything from refrigerators to sprinkler systems are wired and interconnected, and while these devices have made life easier, they've also created new attack vectors for hackers," concluded the report.
The report analysed connected televisions, home thermostats, sprinkler controllers, door locks, home alarms and garage door openers, among other devices. Most were backed up by some form of cloud service and included mobile applications to enable people to use the devices remotely.
The main concerns of the report were as follows:
- Ninety per cent of devices collected at least one piece of personal information via the device, the cloud or its associated mobile application;
- Six out of 10 were vulnerable to common security issues, including cross-site scripting errors and weak passwords;
- Eighty per cent failed to require passwords of sufficient length and complexity;
- Seventy per cent used unencrypted network services;
- Seventy per cent of devices, along with their cloud and mobile applications, enabled an attacker to identify valid user accounts through account enumeration, for example by revealing too much information in error messages in response to speculative log-on efforts.
HP Fortify also questioned the level of information collection, particularly of highly personal information, which the device may then transmit unencrypted to associated cloud services.
"With many devices collecting some form of personal information such as name, address, date of birth, health information and even credit card numbers, those concerns are multiplied when you add in cloud services and mobile applications that work alongside the device.
"And with many devices transmitting this information unencrypted on your home network, users are one network misconfiguration away from exposing this data to the world via wireless networks. Cloud services, which we discovered most of these devices use, are also a privacy concern as many companies race to take advantage of the cloud and services it can provide from the internet. Do these devices really need to collect this personal information to function properly?" asked the report.
The lack of security among connected devices would appear to be pervasive, according to the report, which called for proper security standards to be established that all connected devices ought to adhere to before being put into production.