Seven of the 10 devices did not encrypt communications to the internet and local network, while half of the devices’ mobile applications performed unencrypted communications to the cloud, internet or local network.
Six of the devices raised security concerns with their user interfaces such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text. Seven devices would enable a potential attacker to determine valid user accounts through account enumeration or the password reset feature.
Further, six of the devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could even be intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.