A worrying 70% of the ten most common Internet of Things devices contain security vulnerabilities, according to a new study by HP Fortify which uncovered a total of 250 flaws across the products tested.
The devices tested, including their cloud and mobile app elements, were from the following categories: TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.
HP then tested them with manual and automated tools and assessed their security rating according to the vendor-neutral OWASP Internet of Things Top 10 list of vulnerability areas.
The results raised significant concerns regarding user privacy and the potential for said devices and their cloud and app elements to be exploited by attackers.
Some 80% of devices studied allowed weak passwords; 70% didn’t encrypt data transmissions out to the internet; 60% had cross-site scripting or other flaws in their web interface; and 60% didn’t use encryption when downloading software updates.
In addition, 80% raised privacy concerns in terms of the sheer amount of personal data being collected, said HP.
A total of 250 security concerns were uncovered across all tested devices, which boils down to 25 on average per device.
“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface,” said Mike Armistead, general manager of Fortify, in a prepared statement.
“With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.”
HP urged device manufacturers to undertake a security review of their IoT products and associated elements such as web interfaces and network traffic, and to implement basic security controls to eliminate the “lower hanging fruit” of common vulnerabilities.
“Implement security and review processes early on so that security is automatically baked into your product,” the report continued. “Updates to your product’s software are extremely important and ensuring there is a robust system in place to support this is key.”
For IT leaders in large organizations there was also a word of warning: don’t assume IoT is just a consumer security issue.
“Corporations need to be looking at how their ICS and SCADA systems fare when looked at under a similar light,” Fortify principal security architect Daniel Miessler wrote in a blog post.
Antti Tikkanen, director of security response at F-Secure, said the problems uncovered in this report were just the tip of the iceberg as far as IoT security risks are concerned.
“One problem that I see is that while people may be used to taking care of the security of their computers, they are used to having their toaster ‘just work’ and would not think of making sure the software is up-to-date and the firewall is configured correctly,” he told Infosecurity.
“At the same time, the criminals will definitely find ways to monetize the vulnerabilities. Your television may be mining for Bitcoins sooner than you think, and ransomware in your home automation system sounds surprisingly efficient for the bad guys.”
He argued that the industry needs more security professionals involved in developing IoT devices.
“We can’t really afford a long learning curve to get this right,” said Tikkanen.