Almost three quarters of top Internet of Things device manufacturers are failing to plug grave vulnerabilities that have the potential to damage the credibility of the sector.
HP’s numbers show that 70 per cent of commonly used Internet of Things [IoT] devices have vulnerabilities that include password security, encryption and a lack of granular user access permissions.
“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface,” said Mike Armistead, vice president and general manager, Fortify, Enterprise Security Products, HP. “With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.”
HP used its Fortify on Demand suite to scan 10 of the most popular IoT devices, as well as their cloud and mobile app components, and this in turn uncovered an average of 25 vulnerabilities per device thus totalling 250 security concerns across all tested products.
Devices tested included TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.
Eight of the 10 devices tested raised privacy concerns regarding collection of consumer data including credit card credentials and various pieces of personal data such as names and addresses.
When it comes to device passwords, 80 per cent of those tested failed to ask for passwords of sufficient complexity and length, for example there was a worrying tendency to stick to simple passwords like “1234”.
Encryption is another area that is sorely lacking attention in the IoT sector with 70 per cent of devices failing to encrypt communications to the Internet and local network, and 50 per cent didn’t provide encrypted communications to the cloud, Internet or local network.
Six of the 10 devices had a user interface that raised security worries due to persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text.
Software updates are another place that hackers can find a safe haven, as 60 per cent don’t use encryption when downloading them. Finally, the research found that 70 per cent of devices with cloud and mobile components allow an attacker to hack valid user accounts through account enumeration or password reset.
Gartner estimated that there will be approximately 26 billion IoT units installed by 2020 and that the industry will generate some $300 billion [£177.5 billion], mostly in services, by the same year.