‘Internet Of Things’ A Hacker’s Paradise
The Internet of Things, also known as IoT, is a world where every device is connected to the Internet and can be controlled – and hacked – remotely.
HP’s security division Fortify now reports that 70pc of today’s connected devices are vulnerable to attack – not just in the consumer space, but in the business and corporate spaces, too.
Hackers are taking advantage of existing vulnerabilities in network security, app security, mobile security and Internet-connected device security, blending them together to create powerful new hacks that are being exploited today and will continue to be exploited in the future.
The stats are worrying, with 25 vulnerabilities found per device, on average, totalling 250 vulnerabilities, in devices as diverse as TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, connected scales and garage door openers.
Most of these devices included a “cloud service” component, and all of the devices tested included mobile apps to access or control the devices remotely.
The vulnerabilities included privacy concerns, insufficient authorisation, insecure web interfaces and inadequate software protection, which is an alarming list of vulnerabilities to be encountering in 2014.
When it comes to privacy, 90pc of the devices tested collected “at least one piece of personal information via the device, the cloud or its mobile application”, while 80pc “failed to require passwords of a sufficient complexity or length”, with many of the same passwords used to access cloud services.
Six out of ten devices that provided user interfaces were vulnerable to a range of issues such as persistent XSS and weak credentials.
70pc did not encrypt communications to the internet and local network, while 60pc had security concerns with their user interfaces and 60pc did not use encryption when downloading software updates.
Given Gartner’s prediction of 26 billion IoT devices by 2020, it seems clear that device makers have to dramatically ramp up security lest users face what could end up as highly publicised security failures.
In creating the report, HP’s Fortify division purchased the top 10 IoT devices, took them to an employee’s home and tested them thoroughly over a three-week period.
Fortify recommends manufacturers, businesses and consumers read the OWASP (Open Web Application Security Project) Internet of Things Top 10 Project to get a high-level understanding of the risks.
HP/Fortify’s IoT Security media release is here, and the report is available to download in PDF format here.