'Internet of Things' full of vulnerabilities

Research report reveals popular consumer devices are insecure.

A recent research report [PDF] from HP's Fortify on Demand division found that seven out of ten of the most commonly used Internet of Things consumer devices contain serious security vulnerabilities.

Fortify on Demand said the vulnerabilities include insufficient or non-existent authentication mechanisms with weak passwords, data and firmware/software being transmitted in the clear without encryption, and insecure web interfaces for the devices.

Devices were found to be vulnerable not only to the OpenSSL "Heartbleed" flaw but also to cross-site scripting (XSS), Fortify on Demand said.

"A couple of security concerns on a single device such as a mobile phone can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business." - HP Fortify on Demand.

Further heightening security concerns, the researchers found that nine out of ten devices collected at least one item of personal information.

Most of the devices tested used a form of cloud service, and all included mobile applications to remotely control them, with the information in many cases being transmitted unencrypted to and from cloud services.

The researchers analysed networked consumer devices such as televisions, webcams, home thermostats, remote power outlets and home automation controls.

Fortify on Demand pointed out that the problem isn't limited to consumer devices, and warned that enterprises need to consider if their industrial control and supervisory control and data acquisition systems are secure as well.

Earlier this month, security firm Context showed that it was possible to hack the wi-fi enabled LIFX light bulbs.

Context was able to extract encryption variables from the LIFX firmware, and use these to decode wi-fi credentials to access the 802.15.4 6LoWPAN network unnoticed. LIFX was notified of the flaw and issued a patch.

Fortify on Demand researchers did not reveal the brand names of the tested devices but reported that the manufacturers had been alerted to the security flaws.

Copyright © iTnews.com.au . All rights reserved.
