Security Experts:

Connect with us

Hi, what are you looking for?



70 Percent of IoT Devices Vulnerable to Cyberattacks: HP

A new study published by HP on Tuesday reveals that 70% of the most popular Internet of Things (IoT) devices contain serious vulnerabilities.

A new study published by HP on Tuesday reveals that 70% of the most popular Internet of Things (IoT) devices contain serious vulnerabilities.

The company used its HP Fortify on Demand application security testing service to check ten of the most commonly used IoT devices and their cloud and mobile application components. The list includes TVs, power outlets, webcams, smart hubs, home thermostats, sprinkler controllers, home alarms, scales, garage door openers, and door locks.

According to HP’s report,Internet of Things Security: State of the Union,  a total of 250 security holes have been found in the tested IoT devices — on average, 25 per device. The issues are related to privacy, insufficient authorization, lack of transport encryption, inadequate software protection, and insecure Web interfaces.

Internet of Things Security ReportFor example, the study shows that 80% of the tested devices, including their corresponding cloud and mobile apps, raised privacy concerns regarding the collection of user data such as names, email addresses, physical addresses, date of birth, financial and health information.

When it comes to authorization, many of the products fail to enforce strong passwords, allowing customers to set passwords like “1234” not only on the devices themselves, but also on websites and mobile apps.

HP says 70% of tested IoT devices don’t encrypt Internet and local network communications, with half of their applications lacking transport encryption. For 60% of devices, manufacturers haven’t ensured that software updates are downloaded in a secure manner, in some cases enabling attackers to intercept them.

As far as Web interfaces are concerned, six of the ten products are plagued by persistent cross-site scripting (XSS) vulnerabilities,  easy-to-guess default credentials, and poor session management. Flaws in the cloud and mobile apps of 70% of devices can be exploited to determine valid user accounts through the password reset feature or account enumeration.

Gartner predicts that by 2020, there will be a total of 26 billion IoT devices, with the companies that provide such products and services generating incremental revenue that exceeds $300 billion. HP believes many device manufacturers attempt to launch their products as quickly as possible in an effort to gain market share, but they neglect security.

The company advised manufacturers to conduct a security review of their devices and all their associated components, and implement security standards that products must meet before they go into production. They should also implement security and review processes to ensure that security is taken seriously in all the phases of the product lifecycle.

“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface,” commented Mike Armistead, vice president and general manager, Fortify, Enterprise Security Products, HP. “With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.”

Related Reading: Top 10 Things Cybersecurity Professionals Need to Know About the Internet of Everything

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.