HP Warns Of Internet Of Things Danger
Connecting devices to the Internet is a great idea, but shouldn’t we do it securely?
The much-hyped Internet of Things is a security nightmare, according to research by HP. Everyday devices are sprouting Internet connections, but they are also loaded with obvious flaws, including the Heartbleed error and passwords sent as plain text.
The Internet of Things is supposed to make existence more efficient and reliable by adding connections and sensors to everyday items, to perform tasks such as turning off heating and tracking the performance of transport systems. A widely-quoted prediction suggests that 26 billion devices will be connected to the Internet of Things by 2020 – and HP warns that an unseemly rush for market share is creating a lot of sloppy and downright dangerous security gaffes.
Things can only get broken
“This spike in demand is pushing manufacturers to quickly bring to market connected devices, cloud access capabilities and mobile applications in order to gain share,” says HP’s release. “While this increase in IoT devices promises benefits to consumers, it also opens the doors for security threats ranging from software vulnerabilities to denial-of-service (DOS) attacks to weak passwords and cross-site scripting vulnerabilities.”
HP used its Fortify On Demand testing service, to probe ten popular Internet of Things devices, including TVs, door locks, home alarms, webcams, lawn sprinklers, thermostats and power sockets. Each was accessible from the Internet and they all had flaws, adding up to 250 in total, or an average of 25 for each device.
The vulnerabilities included poor password security, poor or non-existent encryption. The consequences could include attackers sabotaging home security and electricity systems.
Eight of the devices raised privacy concerns by collecting too much personal data, and the same number failed to require strong enough passwords. Seven out of ten transmitted private data unencrypted, ans six had web interfaces vulnerable to attacks such as cross-site scripting (XSS).
HP urges IoT vendors to shape up, and meet basic security criteria aimed at the Internet of Things, such as those provided by the Open Web Application Security Project (OWASP).