In a just-released study, Hewlett Packard's Fortify on Demand research team reports that the Internet of Things in the home is not just insecure, it is a Frankenbeast. In a blog post commenting on the report, Daniel Miessler, Principal Security Architect with Fortify on Demand, wrote:
“Five years ago, we decided that mobile was the real place to be. So everyone started building mobile apps while ignoring everything we've learned from securing web and thick-client applications. And now we have the Internet of Things (IoT). If we continued in this trend we'd have a new space that ignores the security lessons from mobile, but it's actually much worse than that.”
He describes it as a Frankenbeast of technology (Figure 1) that links network, application, mobile, and cloud technologies together into a single ecosystem that seems to be taking on the worst security characteristics of each.
Figure 1. The HP study reveals that virtually all aspects of Internet of Things connectivity in the home are insecure.
According to the study (https://www.hpfod.com/docs/InternetOfThings.pdf), 100 percent of the home security devices they studied contained significant vulnerabilities, including password security, encryption and authentication issues. In the ten security systems they tested, along with their cloud and mobile application components, they found that none of the systems required the use of a strong password and 100 percent of the systems failed to offer two-factor authentication. Some of the common and easily avoidable security issues they found included:
Insufficient authorization: All systems, including their cloud-based web interfaces and mobile interfaces, failed to require passwords of sufficient complexity and length, most requiring only a six-character alphanumeric password. All systems also lacked the ability to lock out accounts after a certain number of failed attempts.
Insecure interfaces: All cloud-based web interfaces tested exhibited security concerns enabling a potential attacker to gain account access through account harvesting, which chains three application flaws: account enumeration, weak password policy and lack of account lockout. Similarly, five of the ten systems tested exhibited account harvesting concerns in their mobile application interface, exposing consumers to similar risks.
Privacy Concerns: All systems collected some form of personal information such as name, address, date of birth, phone number and even credit card numbers. Exposure of this personal information is of concern given the account harvesting issues across all systems. It is also worth noting that the use of video is a key feature of many home security systems with viewing available via mobile applications and cloud-based web interfaces. The privacy of video images from inside the home becomes an added concern.
Lack of transport encryption: While all systems implemented transport encryption such as SSL/TLS, many of the cloud connections remain vulnerable to attacks (e.g. the POODLE attack). Properly configured transport encryption is especially important since security is the primary function of these systems.
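As an added example (not code from the HP report or from any of the systems it tested), the following Python login handler closes the three chained flaws listed above: it enforces a minimum password length well beyond six characters, locks an account after repeated failures, and returns the same answer, after the same amount of work, for unknown and known usernames so that accounts cannot be enumerated. The account store, usernames and passwords are constructed for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5       # consecutive failures before the account is locked
MIN_PASSWORD_LEN = 12  # the report found systems accepting six alphanumerics
_PBKDF2_ITERATIONS = 50_000
_DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same to check


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ITERATIONS)


class AuthStore:
    """Constructed in-memory account store for the example."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}  # name -> (salt, hash)
        self.failures: dict[str, int] = {}               # name -> failed attempts

    def register(self, username: str, password: str) -> bool:
        # Password policy: reject anything shorter than MIN_PASSWORD_LEN.
        if len(password) < MIN_PASSWORD_LEN:
            return False
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash(password, salt))
        self.failures[username] = 0
        return True

    def login(self, username: str, password: str) -> str:
        record = self.users.get(username)
        salt, stored = record if record is not None else (_DUMMY_SALT, b"")
        # Always hash, so a missing account is not revealed by a faster reply.
        candidate = _hash(password, salt)
        if record is None:
            return "failure"  # same message as a wrong password
        # Account lockout: once locked, even the right password is refused.
        if self.failures[username] >= MAX_FAILURES:
            return "failure"
        if hmac.compare_digest(candidate, stored):
            self.failures[username] = 0
            return "success"
        self.failures[username] += 1
        return "failure"
```

A real deployment would persist the failure counter, add a time-based unlock and rate-limit by source as well as by account, but the three checks above are the ones the report found missing.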
“The biggest takeaway is the fact that we were able to brute force against all 10 systems,” said Miessler, “meaning they had the trifecta of fail (enumerable usernames, weak password policy, and no account lockout), meaning we could gather and watch home video remotely.
“With complex systems like IoT, breaking security is often all about chaining smaller vulnerabilities together, and that's what we saw when looking at these home security systems. We can expect to see more of the same across the IoT space precisely because of the complexity of merging network, application, mobile, and cloud components into one system.”
To learn more about Internet of Things security issues and possible solutions, be sure to read “Consumer electronics: opportunities in the face of troubling security road blocks,” and “Developing ARM based secure designs you can trust,” which contain links to Tech Focus Newsletters with a variety of design articles and technical papers.
Embedded.com Site Editor Bernard Cole is also editor of the twice-a-week Embedded.com newsletters as well as a partner in the TechRite Associates editorial services consultancy. If you want to see a calendar of topics for the weekly Tech Focus newsletter or have a topic you would like to see covered, he welcomes your feedback. Send an email to , or call 928-525-9087.