Internet of Things devices contain high number of vulnerabilities, study finds

Security researchers from Hewlett-Packard found 250 security issues when analyzing 10 popular IoT devices

A security audit of 10 popular Internet-connected devices - components of the so-called Internet of Things - identified an alarmingly high number of vulnerabilities.

The study lasted three weeks and was performed by researchers from HP's Fortify division. It targeted devices from some of the most common IoT categories: TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.

All of the analysed devices, which weren't named in the resulting report published Tuesday, communicated with some type of cloud service, as well as mobile applications that allowed users to remotely control them.

The HP researchers identified a total of 250 vulnerabilities ranging from issues that could raise privacy concerns to serious problems like lack of transport encryption, vulnerabilities in the administration Web interface, insecure firmware update mechanisms and weak or poorly protected access credentials.

"Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent cross-site scripting vulnerabilities and weak credentials," the researchers said in their report.

Seventy per cent of devices used unencrypted network services that exposed their connections to cloud services and mobile apps to man-in-the-middle attacks, and 80 per cent failed to enforce the use of sufficiently long or complex passwords. The researchers were able to configure accounts with weak passwords like 1234 or 123456 on most devices, and in many cases the same accounts were used for control via the cloud services or mobile applications.

"An attacker can use vulnerabilities such as weak passwords, insecure password recovery mechanisms, poorly protected credentials, etc. to gain access to a device," the researchers said.

Transport encryption was also lacking during the download of firmware updates on 60 percent of devices. Furthermore, the update files themselves had no protection, meaning an attacker could tamper with them in transit.

Manufacturers should conduct security reviews of their products following the list of top 10 security problems most commonly affecting Internet of Things devices that was compiled by the Open Web Application Security Project (OWASP), the HP researchers said. Many of the vulnerabilities identified as part of this research study are considered "low hanging fruit" and can be easily remediated without affecting the user experience, they said.

A significant number of attacks against home routers, network-attached storage devices, DVRs and other embedded systems have been reported this year, suggesting that attackers are beginning to understand the potential of compromising such devices and are looking for ways to monetise unauthorized access to them.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityonline safetyintrusionAccess control and authenticationExploits / vulnerabilitieshewlett packard

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?