A study conducted by HP shows that a majority of popular Internet-connected home security systems can be easily accessed by malicious parties due to their lack of proper protection mechanisms.
Internet of Things (IoT) security has made numerous headlines over the past months after experts have demonstrated that every type of machine that connects to the Web, including cars, can be hacked. A report published by HP in July 2014 revealed that 70% of IoT devices are plagued by serious vulnerabilities.
Researchers have now analyzed 10 of the most common connected home security systems and the results are worrying.
All of the tested systems allow the use of weak passwords – most of them only require a six-character alphanumeric password – and they all lack mechanisms to lock the account after a certain number of failed authentication attempts. Seven of the solutions also allow account enumeration through their cloud-based Web interfaces, while five of them allow account enumeration through their mobile application interface. Attackers can identify valid accounts based on feedback from the signup page or the password reset mechanism.
By leveraging these vulnerabilities, a malicious actor can brute-force account credentials, log in to the mobile or Web interface, and gain access to video feeds, HP said in its report.
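Two of the weaknesses reported above, account enumeration through the password-reset page and the absence of a lockout after repeated failed logins, can be shown side by side with their hardened forms. The following is an added example written for this article, not code from HP or any of the tested vendors; the account store is an in-memory stand-in, and the lockout threshold and duration are assumed values rather than anything the report specifies.

```python
"""Leaky vs. hardened account handling for a cloud Web interface.

Constructed example: in-memory account store, assumed lockout policy.
"""
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 5       # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumed policy: refuse logins for 15 minutes


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a stored hash cannot be reversed with a lookup table.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    def __init__(self) -> None:
        self.accounts = {}  # email -> {"salt", "hash", "failures", "locked_until"}

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = {"salt": salt, "hash": _hash(password, salt),
                                "failures": 0, "locked_until": 0.0}

    # Leaky: the reply differs depending on whether the account exists, which is
    # exactly the feedback that lets a valid account list be built.
    def reset_leaky(self, email: str) -> str:
        if email not in self.accounts:
            return "No account with that address"
        return "Reset email sent"

    # Hardened: the same reply either way; mail goes out only if the account
    # exists, but the caller cannot tell. (Response timing is not equalised here.)
    def reset_uniform(self, email: str) -> str:
        if email in self.accounts:
            pass  # send the reset mail out of band (not shown)
        return "If that address is registered, a reset email has been sent"

    # Hardened login: counts failures and refuses further attempts, even with the
    # right password, until the lockout window has passed.
    def login_with_lockout(self, email: str, password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        if acct is None or now < acct["locked_until"]:
            return False
        if hmac.compare_digest(acct["hash"], _hash(password, acct["salt"])):
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        if acct["failures"] >= LOCKOUT_THRESHOLD:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return False
```

A lockout of this kind trades brute-force resistance for a denial-of-service risk against known accounts, which is one reason the report's finding that only one system offers two-factor authentication matters.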
Unfortunately, only one of the tested home security solutions allows users to enhance account protection through the use of two-factor authentication.
“Many of these systems included the ability to add users to the system. Whether these users are known persons (e.g. neighbors or family members), the addition of accounts using weak passwords with access to video cameras for example only raises the risk of an attacker identifying an account to use for access to the system,” the report says.
Recent events have demonstrated that encryption is very important when it comes to securing communications. While all of the systems analyzed by HP implement SSL/TLS transport encryption, half of them exhibited improper configuration or poor implementation of the security protocols.
Another problem is with software and firmware updates. Seven of the ten analyzed solutions had serious issues, HP said.
“Issues included using cleartext protocols to authenticate to the download server, failing to use encryption to transfer update files, and failing to detect that the update package had been modified. One system had all three of these issues plus it allowed write access to the update server, meaning we could replace the software others were downloading,” explained Daniel Miessler, head of research at HP’s Fortify on Demand and leader of the OWASP Internet of Things Top 10 Project. “Not only that, but the download location hosted lots of software, not just the package for the product we had.”
In addition to video feeds, hackers could also gain access to users’ personal information because all of the systems tested by researchers collect details such as names, addresses, dates of birth, and even credit card numbers. Given that accounts are not properly protected, this information could easily become compromised.