Connected Home Security Systems Easy to Hack: HP

A study conducted by HP shows that a majority of popular Internet-connected home security systems can be easily accessed by malicious parties due to their lack of proper protection mechanisms.

Internet of Things (IoT) security has made numerous headlines over the past months, as experts have demonstrated that every type of machine that connects to the Web, including cars, can be hacked. A report published by HP in July 2014 revealed that 70% of IoT devices are plagued by serious vulnerabilities.

Researchers have now analyzed 10 of the most common connected home security systems and the results are worrying.

All of the tested systems allow the use of weak passwords – most of them only require a six-character alphanumeric password – and they all lack mechanisms to lock the account after a certain number of failed authentication attempts. Seven of the solutions also allow account enumeration through their cloud-based Web interfaces, while five of them allow account enumeration through their mobile application interface. Attackers can identify valid accounts based on feedback from the signup page or the password reset mechanism.

By leveraging these vulnerabilities, a malicious actor can brute-force account credentials, log in to the mobile or Web interface, and gain access to video feeds, HP said in its report.
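The two controls the tested systems lacked, account lockout and enumeration-resistant responses, can be sketched as follows. This is an added example, not code from HP's report or from any tested product; the `AuthService` class, the thresholds and the message strings are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5      # assumed threshold; the report names no value
LOCK_SECONDS = 900    # assumed lockout window
GENERIC_LOGIN = "Invalid username or password."
GENERIC_RESET = "If that account exists, a reset link has been sent."

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}        # username -> (salt, password hash)
        self.failures = {}     # username -> (failed count, locked_until)
        self.reset_queue = []  # stand-in for an outbound mail queue
        self._dummy_salt = os.urandom(16)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return False, GENERIC_LOGIN   # locked: same answer as a bad password
        # Unknown names are hashed and counted too, so neither timing nor
        # lockout behaviour reveals whether the account exists.
        salt, stored = self.users.get(username, (self._dummy_salt, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures.pop(username, None)
            return True, "OK"
        count += 1
        locked_until = now + LOCK_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, locked_until)
        return False, GENERIC_LOGIN

    def request_reset(self, username):
        # The reply never depends on whether the account exists.
        if username in self.users:
            self.reset_queue.append(username)
        return GENERIC_RESET
```

A production service would also bound the `failures` table and rate-limit by source address, since per-account lockout alone lets a third party lock a legitimate user out.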

Unfortunately, only one of the tested home security solutions allows users to enhance account protection through the use of two-factor authentication.

“Many of these systems included the ability to add users to the system. Whether these users are known persons (e.g. neighbors or family members), the addition of accounts using weak passwords with access to video cameras for example only raises the risk of an attacker identifying an account to use for access to the system,” the report says.

Recent events have demonstrated that encryption is very important when it comes to securing communications. While all of the systems analyzed by HP implement SSL/TLS transport encryption, half of them exhibited improper configuration or poor implementation of the security protocols.

Another problem is with software and firmware updates. Seven of the ten analyzed solutions had serious issues, HP said.

“Issues included using cleartext protocols to authenticate to the download server, failing to use encryption to transfer update files, and failing to detect that the update package had been modified. One system had all three of these issues plus it allowed write access to the update server, meaning we could replace the software others were downloading,” explained Daniel Miessler, head of research at HP’s Fortify on Demand and leader of the OWASP Internet of Things Top 10 Project. “Not only that, but the download location hosted lots of software, not just the package for the product we had.”

In addition to video feeds, hackers could also gain access to users’ personal information because all of the systems tested by researchers collect details such as names, addresses, dates of birth, and even credit card numbers. Given that accounts are not properly protected, this information could easily become compromised.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
