HP: Major Security Gaps in Connected Devices

An HP study has found that most connected household devices likely have significant security holes. According to HP’s Fortify page, 70 percent of the ten connected devices tested with HP Fortify on Demand were vulnerable to some form of attack. HP published the results of its testing in a July 2014 Internet of Things State of the Union study.


Photo: winui / Shutterstock

The “Internet of Things” refers to devices that are linked together via wireless, mobile, or cloud connections. According to HP’s study, these physical household objects are embedded with sensors, actuators, and low-power systems on chips in order to connect with the digital world. The term is not limited to traditional “tech” gear: it covers televisions, smart hubs, and webcams, but also everyday devices such as sprinkler controllers, garage door openers, and alarm systems.

The study found problems in five areas: privacy, authentication, transport encryption, web interfaces, and software updates. A startling eight of the ten devices HP tested raised privacy concerns. The study comments on the large amount of data collected and asks, “Do these devices really need to collect this personal information to function properly?”

Most of the devices enforced only minimal password requirements, accepting passwords as simple as “1234” to authenticate the user. HP chides the manufacturers for this in its report, reminding electronics vendors that a strong password policy is Security 101.
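As an added illustration (this is example code, not code from the HP report or from any vendor’s firmware), the following Python puts a minimum-length-only policy of the kind the study criticises next to a hardened one, and adds a per-account lockout, since a password policy alone does not stop slow brute forcing of a web interface. The common-password list, the username and the factory default are constructed placeholders; a real deployment would load a large breached-password list.

```python
"""Weak versus hardened password policy for a device web interface.

Added example for this article; not from the HP study or any product.
"""
from collections import Counter

# Constructed placeholder: a real device would ship a large breached-password list.
COMMON_PASSWORDS = {"1234", "12345", "123456", "password", "admin",
                    "qwerty", "letmein", "welcome"}


def weak_policy_accepts(password: str) -> bool:
    """The failure the study describes: any password of 4+ characters passes."""
    return len(password) >= 4


def is_sequential(s: str) -> bool:
    """True for runs like '1234', 'abcd' or 'dcba' (all steps +1 or all -1)."""
    if len(s) < 4:
        return False
    codes = [ord(c) for c in s]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return diffs == {1} or diffs == {-1}


def strong_policy_problems(password: str, username: str = "",
                           device_default: str = "") -> list:
    """Return every reason the password fails; an empty list means accepted."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if device_default and password == device_default:
        problems.append("equals the factory default")
    if len(Counter(password)) < 5:
        problems.append("too few distinct characters")
    if is_sequential(password):
        problems.append("is a numeric or keyboard sequence")
    return problems


class LoginThrottle:
    """Lock an account after max_failures failed logins inside lockout_seconds.

    Without this, even a policy-compliant password can be guessed online.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}  # account -> (count, time of first failure in window)

    def record_failure(self, account: str, now: float) -> None:
        count, first = self._failures.get(account, (0, now))
        if now - first > self.lockout_seconds:  # window expired, start over
            count, first = 0, now
        self._failures[account] = (count + 1, first)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)

    def is_locked(self, account: str, now: float) -> bool:
        count, first = self._failures.get(account, (0, now))
        return count >= self.max_failures and now - first <= self.lockout_seconds


if __name__ == "__main__":
    print("weak policy accepts '1234':", weak_policy_accepts("1234"))
    print("strong policy problems for '1234':", strong_policy_problems("1234"))
    print("strong policy problems for a long passphrase:",
          strong_policy_problems("correct-horse-battery-7!"))
```

The policy check returns every violated rule rather than the first one, so the web interface can show the user what to fix; the throttle is keyed per account and uses an injected clock so it can be unit tested without sleeping.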

Transport encryption concerns data in transit between the device, its mobile app, and its cloud service, whether over the local wireless network or the internet. Most of the tested devices failed to encrypt this traffic, which often carries sensitive data. HP also found the web interfaces for these products poorly secured: many were simple enough that attackers could abuse their password reset features to identify valid user accounts and gain access to them.

Six of the ten devices did not encrypt the download of their software updates, and some did not protect the update files themselves, so an update could be intercepted or its contents modified in transit. HP flags this as a major cause for concern, since these “smart” devices are increasingly defined by their software.
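As an added example (not code from the HP report or from any vendor’s updater), the following Python contrasts an updater that installs whatever it receives with one that authenticates an update manifest, checks the image hash, and refuses version rollbacks before anything is written to flash. The key, manifest format and firmware bytes are constructed for the demo. HMAC is used only because it is in the standard library; a real device would hold a public key and verify a vendor signature (for example Ed25519) so that no secret capable of forging updates exists on the device.

```python
"""Unverified versus verified firmware update handling.

Added example for this article; the key, manifest layout and image are
constructed for the demo and HMAC stands in for a public-key signature.
"""
import hashlib
import hmac
import json

# Assumption: a per-model key provisioned at manufacture. Stand-in for the
# vendor's public key; with HMAC anyone who extracts this key can forge updates.
VERIFY_KEY = b"constructed-demo-key-not-for-production"


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so vendor and device authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(image: bytes, version: int, key: bytes = VERIFY_KEY) -> dict:
    """Vendor side: bind version, size and SHA-256 of the image under a MAC."""
    body = {"version": version,
            "size": len(image),
            "sha256": hashlib.sha256(image).hexdigest()}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def insecure_apply(image: bytes, manifest: dict, installed_version: int):
    """The unprotected updater: trust whatever arrived on the wire."""
    return True, "applied without checks"


def verified_apply(image: bytes, manifest: dict, installed_version: int,
                   key: bytes = VERIFY_KEY):
    """Device side. Returns (accepted, detail); nothing is flashed unless accepted.

    Check order matters: authenticate the manifest first, so that version and
    hash fields are only trusted once they are known to come from the vendor.
    """
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("mac", ""))):
        return False, "manifest authentication failed"
    if manifest["version"] <= installed_version:
        return False, "rollback refused: version %d <= installed %d" % (
            manifest["version"], installed_version)
    if len(image) != manifest["size"]:
        return False, "image size mismatch"
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(),
                               manifest["sha256"]):
        return False, "image hash mismatch"
    return True, "version %d" % manifest["version"]


# Constructed firmware image and a one-byte tampered copy of it.
FIRMWARE_V2 = bytes(range(256)) * 4
TAMPERED_V2 = FIRMWARE_V2[:10] + bytes([FIRMWARE_V2[10] ^ 0xFF]) + FIRMWARE_V2[11:]


if __name__ == "__main__":
    manifest = build_manifest(FIRMWARE_V2, version=2)
    print("insecure, tampered image:", insecure_apply(TAMPERED_V2, manifest, 1))
    print("verified, genuine image: ", verified_apply(FIRMWARE_V2, manifest, 1))
    print("verified, tampered image:", verified_apply(TAMPERED_V2, manifest, 1))
    print("verified, rollback:      ", verified_apply(FIRMWARE_V2, manifest, 2))
```

Signing the manifest protects integrity and authenticity; it does not hide the update’s contents, so the download should still go over TLS when the image is considered confidential. The verification key must live where a local attacker cannot replace it, which is why a public key in read-only or tamper-resistant storage is preferable to the shared secret used in this demo.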

HP recommends that electronics manufacturers themselves take a number of steps to secure their connected devices. Vendors are encouraged to assess their own products in the same way, using the OWASP Internet of Things Top 10 List as the basis for their security review. The study strongly encourages a set of industry-wide security standards that all vendors can adhere to, and asks vendors to make security a priority “throughout the product lifecycle.”

HP used Fortify on Demand, which applies “standard testing techniques” to find vulnerabilities. The SaaS provides “managed application security testing available on demand.” According to the report, Fortify on Demand combined manual and automated testing to obtain results from the devices, and its assessment criteria are based on the OWASP Internet of Things Top 10 List.

The OWASP Internet of Things Top 10 List is a checklist of security gaps that individuals, businesses, and electronics vendors should assess during a security review. The assessment should look for an insecure web interface, insufficient authentication or authorization, insecure network services, a lack of transport encryption, privacy concerns, an insecure cloud interface, an insecure mobile interface, insufficient security configurability, insecure software or firmware, and poor physical security.

The Open Web Application Security Project (OWASP) began in 2001 as an international effort to improve application and system security, and the non-profit OWASP Foundation was established in 2004 to support it. Its core values are openness, innovation, global participation, and integrity. The Top 10 List draws its assessment criteria from the ten most commonly observed security gaps in connected devices such as cars, lighting systems, and traffic control systems. Although HP Fortify on Demand sponsors the list, OWASP is by nature an open, collaborative non-profit project.