
Connected Home Security Systems Easy to Hack: HP

A study conducted by HP shows that a majority of popular Internet-connected home security systems can be easily accessed by malicious parties due to their lack of proper protection mechanisms.


Internet of Things (IoT) security has made numerous headlines over the past months after experts demonstrated that every type of machine that connects to the Web, including cars, can be hacked. A report published by HP in July 2014 revealed that 70% of IoT devices are plagued by serious vulnerabilities.

Researchers have now analyzed 10 of the most common connected home security systems and the results are worrying.

All of the tested systems allow the use of weak passwords – most of them only require a six-character alphanumeric password – and they all lack mechanisms to lock the account after a certain number of failed authentication attempts. Seven of the solutions also allow account enumeration through their cloud-based Web interfaces, while five of them allow account enumeration through their mobile application interface. Attackers can identify valid accounts based on feedback from the signup page or the password reset mechanism.

By leveraging these vulnerabilities, a malicious actor can brute-force account credentials, log in to the mobile or Web interface, and gain access to video feeds, HP said in its report.

Unfortunately, only one of the tested home security solutions allows users to enhance account protection through the use of two-factor authentication.

“Many of these systems included the ability to add users to the system. Whether these users are known persons (e.g. neighbors or family members), the addition of accounts using weak passwords with access to video cameras for example only raises the risk of an attacker identifying an account to use for access to the system,” the report says.

Recent events have demonstrated that encryption is very important when it comes to securing communications. While all of the systems analyzed by HP implement SSL/TLS transport encryption, half of them exhibited improper configuration or poor implementation of the security protocols.

Another problem is with software and firmware updates. Seven of the ten analyzed solutions had serious issues, HP said.

“Issues included using cleartext protocols to authenticate to the download server, failing to use encryption to transfer update files, and failing to detect that the update package had been modified. One system had all three of these issues plus it allowed write access to the update server, meaning we could replace the software others were downloading,” explained Daniel Miessler, head of research at HP’s Fortify on Demand and leader of the OWASP Internet of Things Top 10 Project. “Not only that, but the download location hosted lots of software, not just the package for the product we had.”

In addition to video feeds, hackers could also gain access to users’ personal information because all of the systems tested by researchers collect details such as names, addresses, dates of birth, and even credit card numbers. Given that accounts are not properly protected, this information could easily become compromised.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
