A new study published by HP on Tuesday reveals that 70% of the most popular Internet of Things (IoT) devices contain serious vulnerabilities.
The company used its HP Fortify on Demand application security testing service to check ten of the most commonly used IoT devices and their cloud and mobile application components. The list includes TVs, power outlets, webcams, smart hubs, home thermostats, sprinkler controllers, home alarms, scales, garage door openers, and door locks.
According to HP's report,"Internet of Things Security: State of the Union", a total of 250 security holes have been found in the tested IoT devices — on average, 25 per device. The issues are related to privacy, insufficient authorization, lack of transport encryption, inadequate software protection, and insecure Web interfaces.
For example, the study shows that 80% of the tested devices, including their corresponding cloud and mobile apps, raised privacy concerns regarding the collection of user data such as names, email addresses, physical addresses, date of birth, financial and health information.
When it comes to authorization, many of the products fail to enforce strong passwords, allowing customers to set passwords like "1234" not only on the devices themselves, but also on websites and mobile apps.
HP says 70% of tested IoT devices don't encrypt Internet and local network communications, with half of their applications lacking transport encryption. For 60% of devices, manufacturers haven't ensured that software updates are downloaded in a secure manner, in some cases enabling attackers to intercept them.
As far as Web interfaces are concerned, six of the ten products are plagued by persistent cross-site scripting (XSS) vulnerabilities, easy-to-guess default credentials, and poor session management. Flaws in the cloud and mobile apps of 70% of devices can be exploited to determine valid user accounts through the password reset feature or account enumeration.
Gartner predicts that by 2020, there will be a total of 26 billion IoT devices, with the companies that provide such products and services generating incremental revenue that exceeds $300 billion. HP believes many device manufacturers attempt to launch their products as quickly as possible in an effort to gain market share, but they neglect security.
The company advised manufacturers to conduct a security review of their devices and all their associated components, and implement security standards that products must meet before they go into production. They should also implement security and review processes to ensure that security is taken seriously in all the phases of the product lifecycle.
"While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface," commented Mike Armistead, vice president and general manager, Fortify, Enterprise Security Products, HP. "With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats."