News | 7/29/2014 10:45 AM

HP Warns Of IoT Security Risks

Many Internet of Things devices communicate insecurely, warns HP's Fortify unit.

The Internet of Things, even as it ushers in a new era of comfort and automated convenience, may turn out to be a web of risk and exposure, according to HP's Fortify security software unit.

HP tested 10 popular devices likely to be included in the Internet of Things and found that 70% of them contained security exposures. On average, each device contained 25 holes, or risks of compromising the home network. One example was a lawn sprinkler controller. Another was a remote-controlled home thermostat.

Devices on the IoT typically communicate using unencrypted data, sometimes over a WiFi network that is easily snooped. The devices are also prone to cross-site scripting, in which script submitted in the guise of legitimate user input is stored and later rendered by a second device or interface, where it executes as though it were trusted content.

"Have you input your credit card information into your TV? That might not be an IoT best-practice," says Maria Bledsoe, senior manager of the Fortify unit, with a whiff of sarcasm creeping into the discussion.

The Internet of Things is expected to include 26 billion devices by 2020, according to Gartner. IoT product and service suppliers will generate revenues of $300 billion in 2020. But there may be some pitfalls on the way to device Nirvana.

Looking at 10 types of devices, HP's Fortify unit found 250 vulnerabilities. In addition to thermostats, TVs, and lawn sprinkler controllers, the devices included home webcams, door locks, garage door openers, scales, home alarms, hubs for multiple devices, and remote power outlets.

These days such devices often connect to an application provided by the manufacturer or by third parties. HP didn't specifically name the devices inspected, but two popular networked thermostats are the Nest (from Nest Labs) and the Honeywell Lyric.

Of the devices, along with their cloud and mobile application components, 80% did not require passwords of sufficient complexity and length, according to the HP report, and 90% collected at least one piece of personal information.

Further, 70% of devices or their mobile and cloud components allowed an attacker to identify a valid account through account enumeration. For example, suppose an attacker knows the names of three household members and enters one of them in the login process. The device's response may tell him that the account name exists and then request a password. The attacker could then enter another name and be told whether it was legitimate or not, without ever submitting a password, until he had a rough map of the accounts on the device.
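The enumeration weakness described above comes down to the login handler answering differently for a known and an unknown name. The following added example (not code from HP's report or from any vendor) contrasts a leaky handler with a hardened one that returns a single generic message and runs the same hash comparison on both paths, plus a small probe a tester can use to check an interface for the flaw. The account store, salt, and PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: username -> (salt, PBKDF2-SHA256 digest).
# Iteration count kept low so the example runs quickly; raise it in practice.
_ITER = 20_000
_SALT = b"constructed-salt"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)

ACCOUNTS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy record used when the name is unknown, so the unknown-user path does
# the same amount of work as the known-user path (no timing tell).
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))

def login_leaky(username: str, password: str) -> str:
    """Behaviour the report describes: the reply reveals whether the account exists."""
    if username not in ACCOUNTS:
        return "unknown account"            # attacker learns the name is not valid
    salt, digest = ACCOUNTS[username]
    if hmac.compare_digest(_hash(password, salt), digest):
        return "ok"
    return "wrong password"                  # attacker learns the name IS valid

def login_uniform(username: str, password: str) -> str:
    """Hardened: identical message and identical work whether or not the name exists."""
    salt, digest = ACCOUNTS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), digest)   # always computed
    if match and username in ACCOUNTS:
        return "ok"
    return "invalid username or password"

def leaks_account_existence(login_fn, known: str, unknown: str, probe: str = "x") -> bool:
    """Tester's check: a known and an unknown name given the same wrong password
    must produce the same reply, otherwise the interface enumerates accounts."""
    return login_fn(known, probe) != login_fn(unknown, probe)
```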

Six out of the 10 devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could be intercepted, extracted, and mounted as a filesystem on Linux, where the code could be viewed and modified.

Also, 70% routinely used unencrypted network services and transmitted credentials in plain text, a known security exposure.

Some exposures were trivial, such as allowing "1234" as a password, Bledsoe told us. Others were more serious, with potentially graver consequences. Leading Bledsoe's list of more serious flaws is the lack of transport encryption, since it leaves open the possibility of losing account names and passwords.

If devices are added to a corporate network, the added exposure increases the attack surface, not just for the IoT devices but for other computing devices on the network. Companies can protect themselves to some extent by demanding that device suppliers check their embedded software for exposures (and HP will gladly offer a service to help do this). Homeowners, however, don't have that kind of clout. They can take the standard precautions, such as eliminating foolish default passwords like 1234, but they are not really in a position to insist that manufacturers verify that the embedded software contains no vulnerabilities.

"We need to sound a warning bell," says Bledsoe. Until devices have built-in security and encrypt data in transit, the Internet of Things threatens to expand attack vectors and multiply vulnerabilities. There are few products, other than traditional anti-malware software for PCs, that can stand watch over connected devices functioning in the home.

Bledsoe concedes that little data will likely be stolen out of the lawn sprinkler controller. But if it's on the home network, she cautions, "It's a gateway into the home. You've basically left an open door."

And if you've been secretly watering your lawn at night during a drought emergency, then even the data on the sprinkler controller can land you in hot water if it ends up in the wrong hands.

Charles Babcock is an editor-at-large for InformationWeek, having joined the publication in 2003. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse ...

Comments
BrianRay
User Rank: Apprentice
8/7/2014 | 9:04:07 AM
Security from the start
I think the real key is designing security in from the very beginning. http://www.link-labs.com/blog/the-2-hows-of-iot-security
batye
User Rank: Ninja
8/3/2014 | 12:38:14 AM
Re: Maybe we should rename it the Insecurity of Things
Could not agree more... as everyone wants it now... but tends to forget about security... or hides the problem...
batye
User Rank: Ninja
8/3/2014 | 12:36:00 AM
Re: Ah, we've seen this movie before
These days companies try to spend less but get more... or pretend they're getting more... paying at the end with security holes...
batye
User Rank: Ninja
8/3/2014 | 12:34:51 AM
Re: Ah, we've seen this movie before
Same here in Canada, we have the same problem with Target.... we are in the same boat :)
batye
User Rank: Ninja
8/3/2014 | 12:33:58 AM
Re: Ah, we've seen this movie before
Yes, it's like the arms race during the Cold War... as these days nothing is secure...
Ashu001
User Rank: Ninja
7/31/2014 | 4:43:00 PM
Re: Ah, we've seen this movie before
Drew,

Very, very true! [And I am sure InformationWeek also agrees.]

The big issue is why don't the manufacturers spend more on Secure Coding Best Practices and related issues?

It's not that difficult; it costs time and money.

And when everyone is simply engaged in an arms race to push solutions out faster than the next, these "minor" things can be overlooked.

Here's some clear-cut research: even the security firms are failing, decisively, at the job they are supposed to do.

http://www.networkworld.com/article/2459761/antivirus-products-riddled-with-security-flaws-researcher-says.html

Regards

Ashish.
SachinEE
User Rank: Ninja
7/30/2014 | 1:08:38 PM
Re: ah, we've seen this before
If you are still using IoT then I guess you have yourself to blame because I am very sure that something bad is going to happen to you. This has been said like a million times and I just don't have better words to warn you. Thank you for this great article.
Laurianne
User Rank: Author
7/29/2014 | 5:31:40 PM
Re: Ah, we've seen this movie before
Drew, exactly right -- and I was already frustrated by Target :)
Drew Conry-Murray
User Rank: Ninja
7/29/2014 | 5:17:10 PM
Re: Ah, we've seen this movie before
That's what's so frustrating! We can guarantee that IoT devices will be hackable, and we have the recent history of the Web to demonstrate that people can and will find vulnerabilities and create exploits, whether for the lulz, vandalism, or to commit crime. We know it's going to happen, and yet still we have to go through the whole stupid dance.

The first time someone gets hurt or ripped off by an IoT vuln and the manufacturer says "I had no idea!" I propose that the CEO has to have the words "I'm a jackass" tattooed on his or her head.
Drew Conry-Murray
User Rank: Ninja
7/29/2014 | 4:22:26 PM
Re: Maybe we should rename it the Insecurity of Things
In the consumer industry, I'd say no one at this point because most of the outcomes of a hacked IoT device aren't that severe. The problem is, when security gets added on later once real problems arise, it means systems are less safe than if security had been built in from the start.

We might see more consumer-oriented action if the automotive industry gets deeply into IoT, i.e. as the car becomes more of a mobile hotspot and has apps that connect to third-party devices and systems, like reporting on your driving behavior to your insurance company, or ordering and paying in advance for a meal at a turnpike rest stop. Once you add payments to the IoT mix, you get the security incentive.

However, I'd say medical device manufacturers and the healthcare industry have a significant stake in driving IoT security standards, if only for liability issues. Same for the use of IoT in industrial controls and manufacturing.