HP Warns Of IoT Security Risks - InformationWeek


HP Warns Of IoT Security Risks

Many Internet of Things devices communicate insecurely, warns HP's Fortify unit.


The Internet of Things, even as it ushers in a new era of comfort and automated convenience, may turn out to be a web of risk and exposure, according to HP's Fortify security software unit.

HP tested 10 popular devices likely to be included on the Internet of Things and found that 70% of them contained security exposures. On average, each device contained 25 holes, or risks of compromising the home network. One example was lawn sprinkler controls. Another was a remote-controlled home thermostat.

Devices on the IoT typically communicate using unencrypted data, sometimes over a WiFi network that is easily snooped. The devices are also prone to cross-site scripting, where script content submitted as if it were legitimate user input is later rendered by another component, such as a second device, and executes there with unintended effects.

"Have you input your credit card information into your TV? That might not be an IoT best-practice," says Maria Bledsoe, senior manager of the Fortify unit, with a whiff of sarcasm creeping into the discussion.


The Internet of Things is expected to include 26 billion devices by 2020, according to Gartner. IoT product and service suppliers will generate revenues of $300 billion in 2020. But there may be some pitfalls on the way to device Nirvana.

Looking at 10 types of devices, HP's Fortify unit found 250 vulnerabilities. In addition to thermostats, TVs, and lawn sprinkler controllers, the devices included home webcams, door locks, garage door openers, scales, home alarms, hubs for multiple devices, and remote power outlets.

These days such devices often have a connection to an internal application provided by the manufacturer or third parties. HP didn't specifically name the devices inspected, but two popular networked thermostats are Nest Labs and Honeywell Lyric.

Of the devices, along with their cloud and mobile application components, 80% did not require passwords of sufficient complexity and length, according to the HP report, and 90% collected at least one piece of personal information.

Further, 70% of devices or their mobile and cloud components allowed an attacker to identify a valid account through account enumeration. For example, suppose an attacker knows the names of three household members and enters one of them in a login process. The device's response may tell him that the account name already exists and then request a password. The attacker could then enter another name and be told whether it was legitimate or not, without ever needing to submit a password, until he had a rough map of the accounts on the device.
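As an added illustration (not from the HP report or from any product it tested), the login handler below shows the response difference that enables the enumeration just described, beside a handler that answers uniformly and does the same hashing work whether or not the account exists; the account store, salt and passwords are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample account store for a hypothetical device web service:
# username -> (salt, PBKDF2-SHA256 hash). Not taken from any real product.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-fixed-salt-for-demo"
ACCOUNTS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}

# Dummy hash so an unknown user costs the same work as a known one (no timing signal).
_DUMMY_HASH = _hash("placeholder", _SALT)


def login_leaky(username: str, password: str) -> str:
    """Vulnerable pattern described in the article: the reply reveals whether
    the account exists before any password is checked."""
    if username not in ACCOUNTS:
        return "unknown account"
    salt, stored = ACCOUNTS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "account exists, wrong password"


def login_uniform(username: str, password: str) -> str:
    """Hardened form: one generic message for both 'no such user' and
    'wrong password', and the password hash is always computed."""
    salt, stored = ACCOUNTS.get(username, (_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and username in ACCOUNTS:
        return "ok"
    return "invalid username or password"


def leaks_account_existence(login_fn) -> bool:
    """Simple check a tester can run against a handler: does the reply differ
    between an existing and a non-existent account when the password is wrong?"""
    return login_fn("alice", "wrong") != login_fn("nobody", "wrong")
```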

Six out of the 10 devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could be intercepted, extracted, and mounted as a file system in Linux, where the code could be viewed and modified.

Also, 70% routinely used unencrypted network services and transmitted credentials in plain text, a known security exposure.

Some exposures were trivial, such as allowing "1234" as a password, Bledsoe told us. Others were more serious, with potentially graver consequences. Leading Bledsoe's list of more serious flaws: lack of transport encryption, since it leaves open the possibility of losing account names and passwords.

If devices are added to a corporate network, the added exposure increases the attack surface, not just for IoT devices but for other computing devices on the network. Companies can protect themselves to some extent by demanding that device suppliers check their embedded software for exposures (and HP will gladly offer a service to help do this). Homeowners, however, don't have that kind of clout. They can take the standard precautions, such as eliminating foolish default passwords like 1234, but they are not really in a position to insist that manufacturers verify that the embedded software contains no vulnerabilities.

"We need to sound a warning bell," says Bledsoe. Until devices have built-in security and transport encrypted data, the Internet of Things threatens to expand attack vectors and multiply vulnerabilities. There are few products, other than traditional anti-malware software for PCs, that can stand watch over connected devices functioning in the home.

Bledsoe concedes that little data will likely be stolen out of the lawn sprinkler controller. But if it's on the home network, she cautions, "It's a gateway into the home. You've basically left an open door."

And if you've been secretly watering your lawn at night during a drought emergency, then even the data on the sprinkler controller can land you in hot water if it ends up in the wrong hands.


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

User Rank: Author
7/29/2014 | 5:31:40 PM
Re: Ah, we've seen this movie before
Drew, exactly right -- and I was already frustrated by Target :)
Charlie Babcock
User Rank: Author
7/29/2014 | 4:18:51 PM
Ah, we've seen this movie before
The suppliers of devices for the Internet of Things are engaged in a feature race, not a race to be secure. The first round of competition will focus on features and ease of use, as did the first round of browser competition and the race to get Windows established. It's only after the problems crop up that we remember that this also happened the last time we had a wave ripple out to computing devices and over the Internet.

User Rank: Author
7/29/2014 | 3:43:21 PM
Re: Maybe we should rename it the Insecurity of Things
Drew, among the network of device makers, who has a financial incentive to push for industry-wide IoT security standards?
Thomas Claburn
User Rank: Author
7/29/2014 | 1:14:43 PM
the benefits of insecurity
Technical insecurity is job security. The Internet of Things will ensure employment for capable security professionals for the foreseeable future.