'Internet of Things' full of vulnerabilities

By

Research report reveals popular consumer devices are insecure.

A recent research report [PDF] from HP's Fortify on Demand division found that seven out of ten of the most commonly used Internet of Things consumer devices contain serious security vulnerabilities.

'Internet of Things' full of vulnerabilities

Fortify on Demand said that some of the vulnerabilities include insufficient or non existent authentication mechanisms with weak passwords, data and firmware/software being transmitted in the clear without encryption, as well as insecure web interfaces for the devices.

Devices were found to be vulnerable to the OpenSSL "Heartbleed" flaw but also to cross-site scripting or XSS, Fortify on Demand said.

"A couple of security concerns on a single device such as a mobile phone can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business. - HP Fortify on Demand.

Further heightening security concerns, the researchers found that nine out of ten devices collected at least one item of personal information.

Most  of the devices tested used a form of cloud service, and all included mobile applications to remotely control them, with the information in many cases being transmitted unencrypted to and from cloud services.

The researchers analysed networked consumer devices such as televisions, webcams, home thermostats, remote power outlets and home automation controls.

Fortify on Demand pointed out that the problem isn't limited to consumer devices, and warned that enterprises need to consider if their industrial control and supervisory control and data acquisition systems are secure as well.

Earlier this month, security firm Context showed that it was possible to hack the wi-fi enabled LIFX light bulbs.

Context was able to extract encryption variables from the LIFX firmware, and use these to decode wi-fi credentials to access the 802.15.4 6LoWPAN network unnoticed. LIFX was notified of the flaw and issued a patch.

Fortify on Demand researchers did not reveal the brand names of the tested devices but reported that the manufacturers had been alerted to the security flaws.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
hpinfointernet of thingsiotsecsecurityvulnerabilities

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?