A security scan of 10 popular Internet of Things (IoT) devices revealed that a number of issues, including unencrypted communications and inadequate authentication, left user data vulnerable.
The findings, revealed in an HP study (PDF) released Tuesday, showed that, on average, each IoT device contained 25 vulnerabilities. Included in the test were a range of IoT devices – TVs, webcams, home alarms, hubs for controlling multiple devices, remote power outlets, door locks, garage door openers, home thermostats, sprinkler controllers and scales.
HP Fortify, which conducted the study, also tested various components of the devices, since the majority of them utilized some form of cloud service and all included mobile applications allowing remote access or control of the device, the report said.
While the names of the device manufacturers were not revealed in the study, HP Fortify confirmed that it was in the midst of the vulnerability disclosure process with vendors.
Daniel Miessler, practice principal for Fortify on Demand at HP Fortify, told SCMagazine.com in a Tuesday interview that most of the scanned devices collected personal data about users – and failed to properly secure the information.
The study said that 90 percent of the IoT devices collected at least one piece of personal information about users via the device, the cloud or its mobile application. Due to the type of data collected in some instances, such as names, addresses, credit card information or health data, 80 percent of the devices were said to raise privacy concerns for users.
“It often times is just part of the functionality of the app or the device,” Miessler said. “Or the company is trying to get information about the customer and they are not realizing that the infrastructure of the network or connectivity might not be secure,” he added.
In the report findings, HP Fortify also revealed that 70 percent of the IoT devices used unencrypted network services, and that 80 percent of devices (including their cloud and mobile application components) “failed to require passwords of a sufficient complexity and length” for access.
“We saw a mix [of things],” Miessler said. “Some of the data was being sent in a way that had no encryption whatsoever. And we saw some [data] that had a decent level of encryption, say between the mobile [component] and the device itself, but maybe no encryption going into the cloud. Because there are so many [IoT] components, that’s where the breakdown happened,” he explained.
The study directed IoT device manufacturers to carry out security reviews of their products, including automated web interface scans, manual reviews of network traffic, and checking authentication methods employed by IoT devices. HP also encouraged vendors to view the OWASP Internet of Things Top 10 website, created by the Open Web Application Security Project, for security tips.