HP report claims ‘Internet of things’ is indefensible

Posted on August 2, 2014 08:22 am

HP has revealed that 70% of connected devices are penetrable to security threats. They described as manufacturers fault for rushing to sell devices before they’re ready. Internet of Things State of the Union Study found that 10 of the most popular Internet of Things devices.Fortify on Demand researchers did not reveal the brand names of the tested devices but reported that the manufacturers had been alerted to the security flaws. The devices included TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers could be hacked. On average, each device had 25 vulnerabilities, including those linked to privacy, insufficient authorisation, inadequate software protection,lack of transport encryption and insecure web interfaces. The recent research report http://fortifyprotect.com/HP_IoT_Research_Study.pdf from HP’s Fortify on Demand division found that that some of the vulnerabilities include insufficient or non existent authentication mechanisms with weak passwords, data and firmware being transmitted in the clear without encryption, as well as insecure web interfaces for the devices.

“A couple of security concerns on a single device such as a mobile phone can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business. – HP Fortify on Demand. The researchers found that nine out of ten devices collected at least one item of personal information and most  of the devices tested used a form of cloud service, and all included mobile applications to remotely control them, with the information in many cases being transmitted unencrypted to and from cloud services.The researchers analysed networked consumer devices such as televisions, webcams, home thermostats, remote power outlets and home automation controls.Report authors pointed out that the problem isn’t limited to consumer devices, and warned that enterprises need to consider if their industrial control and supervisory control and data acquisition systems are secure as well. Context was able to extract encryption variables from the LIFX firmware, and use these to decode wi-fi credentials to access the 802.15.4 6LoWPAN network unnoticed. LIFX was notified of the flaw and issued a patch.The report concluded: “A world of interconnected ‘smart’ devices is here, albeit in the early stages. By 2020, Gartner predicts, the Internet of Things will be made up of 26 billion ‘units’.” Fortunately, there’s still time to secure devices before consumers are at risk, it said, but manufacturers must take action now to ensure products coming off production lines are free of vulnerabilities.

Contador Harrison