Excited about the promise of the shiny new Internet of Things? Good. Because hackers are too. Or at least they should be, according to a study by computing giant Hewlett-Packard.
The company’s Fortify application security unit conducted an analysis of the 10 most popular consumer Internet things on the market and found 250 different security vulnerabilities in the products, for an average of 25 faults each. Unfortunately, HP doesn’t identify each product but does describe them in broad brushstrokes: They were from the manufacturers of “TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.”
As a basic rule, these devices often run stripped-down versions of the Linux operating system, and so will have many of the same basic security concerns that you might expect to be in place on a server or other computer running Linux. The problem is, the people building them aren’t going to the effort to secure them the way they would a more traditional computer.
What’s happening, says Mike Armistead, VP and general manager of HP’s Fortify unit, is that manufacturers are rushing to get their products on the market without doing the harder work of locking their devices down against the most basic kinds of attacks.
Magnifying the potential for the problem is the fact that once one device is compromised, overlapping vulnerabilities can lead an attack from one to the other. If that seems like alarmist paranoia, remember that one of the most damaging hacking attacks in history, the Target breach, in which information on more than 70 million people was compromised, was carried out by way of an attack on a system used to manage and maintain the heating and ventilation system in the company’s stores.
- Eight devices failed to require passwords stronger than “1234” either on the device itself or on a corresponding website.
- Seven of the devices tested do no encryption when communicating with the Internet or a local network, meaning whatever data they’re sending is going out, sensitive or not, “in the clear.”
- Six devices had weak security on their interfaces, were vulnerable to persistent cross-site scripting attacks, had weak default sign-in credentials, or transmitted sign-in credentials like passwords “in the clear.” (See the bit about encryption above.)
- Six devices didn’t encrypt software updates during the download. That’s especially alarming because bad guys could create a software update that looks legit and basically reprogram the device to do whatever they want it to. Consider what that means when a Webcam or a garage door opener are connected to the Internet and then use your imagination.
- Take all the above into consideration, and then add this: Nine of the 10 devices collected at least some kind of personal information: An email address, a home address, a name or date of birth.
To conduct the study, researchers at HP’s Fortify did what they do all the time: They subjected the devices to the company’s Fortify on Demand service, which basically tests software for known and potential security problems.
So how big will the Internet of Things be? One educated guess by the research firm Gartner says it could swell to include 26 billion individual devices by 2020.
As Armistead put it: “For a hacker, that’s a pretty big new target to attack.”
Consider yourself warned.