7/29/2014
10:45 AM

HP Warns Of IoT Security Risks

Many Internet of Things devices communicate insecurely, warns HP's Fortify unit.


The Internet of Things, even as it ushers in a new era of comfort and automated convenience, may turn out to be a web of risk and exposure, according to HP's Fortify security software unit.

HP tested 10 popular devices likely to be included on the Internet of Things and found 70% of them contained security exposures. On average, each device contained 25 holes, or risks of compromising the home network. One example was a lawn sprinkler controller. Another was a remote-controlled home thermostat.

Devices on the IoT typically communicate using unencrypted data, sometimes over a WiFi network that is easily snooped. The devices are also prone to cross-site scripting, in which a malicious script, submitted as if it were legitimate user data, is later picked up and executed by a second device or component, where it functions intrusively.

"Have you input your credit card information into your TV? That might not be an IoT best-practice," says Maria Bledsoe, senior manager of the Fortify unit, with a whiff of sarcasm creeping into the discussion.


The Internet of Things is expected to include 26 billion devices by 2020, according to Gartner. IoT product and service suppliers will generate revenues of $300 billion in 2020. But there may be some pitfalls on the way to device Nirvana.

Looking at 10 types of devices, HP's Fortify unit found 250 vulnerabilities. In addition to thermostats, TVs, and lawn sprinkler controllers, the devices included home webcams, door locks, garage door openers, scales, home alarms, hubs for multiple devices, and remote power outlets.

These days such devices often have a connection to an internal application provided by the manufacturer or third parties. HP didn't specifically name the devices inspected, but two popular networked thermostats are Nest Labs and Honeywell Lyric.

Of the devices, along with their cloud and mobile application components, 80% did not require passwords of sufficient complexity and length, according to the HP report, and 90% collected at least one piece of personal information.

Further, 70% of devices or their mobile and cloud components allowed an attacker to identify a valid account through account enumeration. For example, suppose an attacker knows the names of three household members and enters one of them in a login process. The device's response may tell him that the account name already exists and then request a password. The attacker could then enter another name and be told whether it was legitimate or not, without ever needing to submit a password, until he had a rough map of the accounts on the device.
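The enumeration flaw described above comes down to a login routine whose failure reply depends on whether the account exists. The following is an added illustration, not code from HP's report or from any tested product: a leaky login check beside a hardened one that returns a single uniform failure message and does the same amount of work for unknown and known names, plus a small self-check a tester could use to spot the difference. Account names and passwords are constructed sample data.

```python
# Added example, not HP's or any vendor's code: account enumeration via
# differing login replies, and the uniform-response fix.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # PBKDF2 work factor for this demo


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample account store: username -> (salt, derived key).
_salt = os.urandom(16)
ACCOUNTS = {"alice": (_salt, _derive("correct horse battery", _salt))}

# Dummy credential so an unknown name costs the same hashing time as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _derive(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the reply differs depending on whether the account exists,
    so a caller can map valid account names without knowing any password."""
    if username not in ACCOUNTS:
        return "unknown account"
    salt, key = ACCOUNTS[username]
    if hmac.compare_digest(_derive(password, salt), key):
        return "ok"
    return "wrong password"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one failure message and one code path for every failure, and
    the password is always hashed so timing does not reveal account existence."""
    salt, key = ACCOUNTS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    matched = hmac.compare_digest(_derive(password, salt), key)
    ok = matched and username in ACCOUNTS
    return "ok" if ok else "invalid username or password"


def reveals_accounts(login_fn) -> bool:
    """Self-check: does a wrong password for a real user produce a different
    reply than the same password for a made-up user? True means it leaks."""
    return login_fn("alice", "nope") != login_fn("no-such-user", "nope")
```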

Six out of the 10 devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could be intercepted, extracted, and mounted as a file system in Linux, where the code could be viewed and modified.

Also, 70% routinely used unencrypted network services and transmitted credentials in plain text, a known security exposure.

Some exposures were trivial, such as allowing "1234" as a password, Bledsoe told us. Others were more serious, with potentially graver consequences. Leading Bledsoe's list of more serious flaws: lack of transport encryption, since it leaves open the possibility of losing account names and passwords.

If devices are added to a corporate network, the added exposure increases the attack surface, not just for IoT devices but for other computing devices on the network. Companies can protect themselves to some extent by demanding that device suppliers check their embedded software for exposures (and HP will gladly offer a service to help do this). Homeowners, however, don't have that kind of clout. They can take the standard precautions, such as eliminating foolish default passwords like 1234, but they are not really in a position to insist that manufacturers verify that the embedded software contains no vulnerabilities.

"We need to sound a warning bell," says Bledsoe. Until devices have built-in security and transport encrypted data, the Internet of Things threatens to expand attack vectors and multiply vulnerabilities. There are few products, other than traditional anti-malware software for PCs, that can stand watch over connected devices functioning in the home.

Bledsoe concedes that little data will likely be stolen out of the lawn sprinkler controller. But if it's on the home network, she cautions, "It's a gateway into the home. You've basically left an open door."

And if you've been secretly watering your lawn at night during a drought emergency, then even the data on the sprinkler controller can land you in hot water if it ends up in the wrong hands.


Charles Babcock is an editor-at-large for InformationWeek, having joined the publication in 2003. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive Week. He is a graduate of Syracuse ...

Comments
Charlie Babcock
User Rank: Author
7/29/2014 | 4:18:51 PM
Ah, we've seen this movie before
The suppliers of devices for the Internet of Things are engaged in a feature race, not a race to be secure. The first round of competition will focus on features and ease of use, as did the first round of browser competition and the race to get Windows established. It's only after the problems crop up that we remember that this also happened the last time we had a wave ripple out to computing devices and over the Internet.

Laurianne
User Rank: Author
7/29/2014 | 3:43:21 PM
Re: Maybe we should rename it the Insecurity of Things
Drew, among the network of device makers, who has a financial incentive to push for industry-wide IoT security standards?
Drew Conry-Murray
User Rank: Ninja
7/29/2014 | 2:37:59 PM
Re: Maybe we should rename it the Insecurity of Things
It's very frustrating to see the same kinds of issues cropping up in the IoT world that we're already struggling with on the Web. My guess is that part of the issue is manufacturers don't think there can be much harm done if these devices are compromised. And perhaps that's true while we've got tiny islands of IoT devices that don't connect to other systems. But connectivity inevitably gets extended, and it's not hard to imagine some kind of uber control service that runs both your home security system and your sprinklers. How ironic would it be for a fancy home security system to get compromised because of vulnerabilities in a lawn sprinkler?
Stratustician
User Rank: Ninja
7/29/2014 | 1:38:52 PM
Maybe we should rename it the Insecurity of Things
70% of tested devices had vulnerabilities, is it just me or does that seem like it should be setting off a lot of red flags? As more devices become connected, how are we ensuring that these devices are meeting security and privacy guidelines and standards? It seems as if we are more happy to have these devices and ignore the inherent risks than hold these manufacturers responsible for these vulnerabilities.
Thomas Claburn
User Rank: Author
7/29/2014 | 1:14:43 PM
the benefits of insecurity
Technical insecurity is job security. The Internet of Things will ensure employment for capable security professionals for the foreseeable future.