Many Internet of Things devices communicate insecurely, warns HP's Fortify unit.
Internet Of Things: 8 Pioneering Ideas
(Click image for larger view and slideshow.)
The Internet of Things, even as it ushers in a new era of comfort and automated convenience, may turn out to be a web of risk and exposure, according to HP's Fortify security software unit.
HP tested 10 popular devices likely to be included on the Internet of things and found 70% of them contained security exposures. On the average, each device contained 25 holes, or risks of compromising the home network. One example was lawn sprinkler controls. Another was a remote-controlled home thermostat.
Devices on the IoT typically communicate through the use of unencrypted data, sometimes via a WiFi network that's easily snooped. The devices are prone to cross-site scripting, where an active agent, input in the manner of legitimate user data, is picked up by a second device where it functions intrusively.
"Have you input your credit card information into your TV? That might not be an IoT best-practice," says Maria Bledsoe, senior manager of the Fortify unit, with a whiff of sarcasm creeping into the discussion.
The Internet of Things is expected to include 26 billion devices by 2020, according to Gartner. IoT product and service suppliers will generate revenues of $300 billion in 2020. But there may be some pitfalls on the way to device Nirvana.
Looking at 10 types of devices, HP's Fortify unit found 250 vulnerabilities. In addition to thermostats, TVs, and lawn sprinkler controllers, the devices included home webcams, door locks, garage door openers, scales, home alarms, hubs for multiple devices, and remote power outlets.
These days such devices often have a connection to an internal application provided by the manufacturer or third parties. HP didn't specifically name the devices inspected, but two popular networked thermostats are Nest Labs and Honeywell Lyric.
Of the devices, along with their cloud and mobile application components, 80% did not require passwords of sufficient complexity and length, according to the HP report, and 90% collected at least one piece of personal information.
Further, 70% of devices or their mobile and cloud components allowed an attacker to identify a valid account through account enumeration. For example, suppose an attacker knows the names of three household members and enters one of them in a login process. The device's response may tell him that the account name already exists and then request a password. The attacker could then enter another name and be told whether it was legitimate or not, without ever needing to submit a password, until he had a rough map of the accounts on the device.
Six out of the 10 devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could be intercepted, extracted, and mounted as a file system in Linux, where the code could be viewed and modified.
Also, 70% routinely used unencrypted network services and transmitted credentials in plain text, a known security exposure.
Some exposures were trivial, such as allowing "1234" as a password, Bledsoe told us. Others were more serious, with potentially graver consequences. Leading Bledsoe's list of more serious flaws: lack of transport encryption, since it leaves open the possibility of losing account names and passwords.
If devices are added to a corporate network the added exposure increases the attack surface, not just for IoT devices but for other computing devices on the network. Companies can protect themselves to some extent by demanding that device suppliers check their embedded software for exposures (and HP will gladly offer a service to help do this). Homeowners, however don't have that kind of clout. They can take the standard precautions, such as eliminating foolish default passwords like 1234, but they are not really in a position to insist that manufacturers verify that the embedded software contains no vulnerabilities.
"We need to sound a warning bell," says Bledsoe. Until devices have built-in security and transport encrypted data, the Internet of Things threatens to expand attack vectors and multiply vulnerabilities. There are few products, other than traditional anti-malware software for PCs, that can stand watch over connected devices functioning in the home.
Bledsoe concedes that little data will likely be stolen out of the lawn sprinkler controller. But if it's on the home network, she cautions, "It's a gateway into the home. You've basically left an open door."
And if you're been secretly watering your lawn at night during a drought emergency, then even the data on the sprinkler controller can land you in hot water if it ends up in the wrong hands.
Cyber criminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Get the Advanced Attacks Demand New Defenses report today. (Free registration required.)
Charles Babcock is an editor-at-large for InformationWeek, having joined the publication in 2003. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse ... View Full Bio
SaaS As Innovation Driver?Software as a service is the clear No. 1 way enterprises consume cloud. InformationWeek's SaaS Innovation Survey reveals three tips to get the most from SaaS: Make it a popularity contest. Have an escape plan. And remember that identity is the new perimeter.