Among the 10 most commonly used Internet of Things (IoT) devices, seven contain vulnerabilities related to passwords, encryption and general lack of granular user access permissions.
These devices were from makers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.
According to a study by HP Fortify, a spike in demand for IoT is pushing manufacturers to quickly bring to market connected devices, cloud access capabilities and mobile applications in order to gain market share.
While the influx of IoT devices promises benefits to consumers, it also opens the doors for security threats ranging from software vulnerabilities to denial-of-service attacks to weak passwords and cross-site scripting vulnerabilities.
“With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats,” said Mike Armistead, VP and general manager, Fortify, Enterprise Security Products, HP.
Of the 10 devices – along with their corresponding cloud and mobile application components – test results raised privacy concerns regarding the collection of consumer data such as name, email address, home address, date of birth, credit card credentials and health information.
The same number of devices failed to require passwords of sufficient complexity and length, with most allowing password such as “1234.”
Seven of the 10 devices did not encrypt communications to the internet and local network, while half of the devices’ mobile applications performed unencrypted communications to the cloud, internet or local network.
Six of the devices raised security concerns with their user interfaces such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text. Seven devices would enable a potential attacker to determine valid user accounts through account enumeration or the password reset feature.
Further, six of the devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could even be intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.