CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Connected Home Security Systems Easy to Hack: HP

A study conducted by HP shows that a majority of popular Internet-connected home security systems can be easily accessed by malicious parties due to their lack of proper protection mechanisms.

A study conducted by HP shows that a majority of popular Internet-connected home security systems can be easily accessed by malicious parties due to their lack of proper protection mechanisms.

Internet of Things (IoT) security has made numerous headlines over the past months after experts have demonstrated that every type of machine that connects to the Web, including cars, can be hacked. A report published by HP in July 2014 revealed that 70% of IoT devices are plagued by serious vulnerabilities.

Researchers have now analyzed 10 of the most common connected home security systems and the results are worrying.

All of the tested systems allow the use of weak passwords – most of them only require a six-character alphanumeric password – and they all lack mechanisms to lock the account after a certain number of failed authentication attempts. Seven of the solutions also allow account enumeration through their cloud-based Web interfaces, while five of them allow account enumeration through their mobile application interface. Attackers can identify valid accounts based on feedback from the signup page or the password reset mechanism.

By leveraging these vulnerabilities, a malicious actor can brute-force account credentials, log in to the mobile or Web interface, and gain access to video feeds, HP said in its report.

Unfortunately, only one of the tested home security solutions allows users to enhance account protection through the use of two-factor authentication.

“Many of these systems included the ability to add users to the system. Whether these users are known persons (e.g. neighbors or family members), the addition of accounts using weak passwords with access to video cameras for example only raises the risk of an attacker identifying an account to use for access to the system,” the report says.

Recent events have demonstrated that encryption is very important when it comes to securing communications. While all of the systems analyzed by HP implement SSL/TLS transport encryption, half of them exhibited improper configuration or poor implementation of the security protocols.

Advertisement. Scroll to continue reading.

Another problem is with software and firmware updates. Seven of the ten analyzed solutions had serious issues, HP said.

“Issues included using cleartext protocols to authenticate to the download server, failing to use encryption to transfer update files, and failing to detect that the update package had been modified. One system had all three of these issues plus it allowed write access to the update server, meaning we could replace the software others were downloading,” explained Daniel Miessler, head of research at HP’s Fortify on Demand and leader of the OWASP Internet of Things Top 10 Project. “Not only that, but the download location hosted lots of software, not just the package for the product we had.”

In addition to video feeds, hackers could also gain access to users’ personal information because all of the systems tested by researchers collect details such as names, addresses, dates of birth, and even credit card numbers. Given that accounts are not properly protected, this information could easily become compromised.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.