Isolated flaws in “connected” devices such as Wi-Fi lighting systems make headlines – but the problem is far deeper than thought, with 70% of the most popular such gadgets having serious security flaws according to a report by HP.
Devices under test included televisions, home thermostats and door locking systems – and on average, each had 25 serious flaws, some of which could hand private information to attackers, according to Phys.org.
The researchers did not name the products, saying their goal was not to “name and shame”.
Devices collected and stored private data such as names, email addresses and credit card details, and also failed to encrypt such data. Others allowed users to set weak passwords – with several devices allowing passwords such as “1234”. Half of the devices under test did not encrypt communications to the cloud, network or internet.
The study, described by EWeek as unique, focused not just on the devices themselves, but on the networks they interacted with.
A typical “connected device” will connect to a network, to a mobile device, and to a cloud service. Each of these connections poses risks. As yet, this troubling aspect of IoT devices has not been studied intensively.
Daniel Miessler, practice principal at HP, said: “The current state of Internet of Things security seems to take all the vulnerabilities from existing spaces – network security, application security, mobile security and Internet-connected devices – and combine them into a new, even more insecure space, which is troubling.”
CBR said that the findings raised questions over the security of industrial control systems, which also integrate with other networks, and which may not have been examined in such detail.
HP called for vendors to address security issues with their devices – and also suggested more radical solutions.
“You can put the IoT devices on another separate network,” Miessler said. “You should separate networks so that any IoT devices can’t interact with other things on the protected network.”
Recently, a vulnerability in LiFX, a well-known Kickstarter-funded lighting system where a network of bulbs can be controlled via smartphone app, was described by Electronics Weekly as a “warning for all Internet of Things companies”.
Speaking to Electronics Weekly, Context’s Michael Jordon said, “It is clear that in the dash to get onto the IoT bandwagon, security is not being prioritised as highly as it should be in many connected devices. We have also found vulnerabilities in other internet connected devices from home storage systems and printers to baby monitors and children’s toys.”
Author Rob Waugh, We Live Security