IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries
PALO ALTO, Calif. — HP today released results of a study revealing 70 percent of the most commonly used Internet of Things (IoT) devices contain vulnerabilities, including password security, encryption and general lack of granular user access permissions.
With the rise of IoT, the number and diversity of connected devices is expected to increase exponentially. According to Gartner, “the Internet of Things” will include 26 billion units installed by 2020. IoT product and service suppliers will generate incremental revenue exceeding $300 billion, mostly in services, in 2020.”(1)
This spike in demand is pushing manufacturers to quickly bring to market connected devices, cloud access capabilities and mobile applications in order to gain share. While this increase in IoT devices promises benefits to consumers, it also opens the doors for security threats ranging from software vulnerabilities to denial-of-service (DOS) attacks to weak passwords and cross-site scripting vulnerabilities.
“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface,” said Mike Armistead, vice president and general manager, Fortify, Enterprise Security Products, HP. “With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.”
HP leveraged HP Fortify on Demand to scan 10 of the most popular IoT devices, uncovering, on average, 25 vulnerabilities per device—totaling 250 security concerns across all tested products. The IoT devices tested—along with their cloud and mobile application components—were from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.
The most common and easily addressable security issues reported include:
- Privacy concerns: Eight of the 10 devices tested, along with their corresponding cloud and mobile application components, raised privacy concerns regarding the collection of consumer data such as name, email address, home address, date of birth, credit card credentials and health information. Moreover, 90 percent of tested devices collected at least one piece of personal information via the product itself, the cloud or its mobile application.
- Insufficient authorization: 80 percent of IoT devices tested, including their cloud and mobile components, failed to require passwords of sufficient complexity and length, with most devices allowing password such as “1234.” In fact, many of the test accounts HP configured with weak passwords were also used on the products’ websites and mobile applications.
- Lack of transport encryption: 70 percent of IoT devices analyzed did not encrypt communications to the internet and local network, while half of the devices’ mobile applications performed unencrypted communications to the cloud, internet or local network. Transport encryption is crucial given that many of the tested devices collected and transmitted sensitive data across channels.
- Insecure web interface: Six of the 10 devices evaluated raised security concerns with their user interfaces such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text. Seventy percent of devices with cloud and mobile components would enable a potential attacker to determine valid user accounts through account enumeration or the password reset feature.
- Inadequate software protection: 60 percent of devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could even be intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.
To protect against security hazards that come along with the rise of IoT, it is imperative for organizations to implement an end-to-end approach to identify software vulnerabilities before they are exploited. Solutions like HP Fortify on Demand enable organizations to test the security of software quickly, accurately, affordably and without any software to install or manage—proactively eliminating the immediate risk in legacy applications and the systemic risk in application development.
Conducted by HP Fortify and leveraging HP Fortify on Demand, the Internet of Things Security: State of the Union study tested 10 of the most commonly used IoT devices for vulnerabilities using standard testing techniques that combined manual testing along with the use of automated tools. Devices and their cloud, network and client application components were assessed based on the OWASP Internet of Things Top 10 list and the specific vulnerabilities associated within each category.
HP will be addressing the latest trends in enterprise security at the Black Hat USA 2014 conference, taking place Aug. 2-7 in Las Vegas. Visit the HP booth (No. 911) for an IoT product demo and “Capture the Flag” hacking contest. Additional information on HP’s presence at the show can be found here.