Recently, Fortify, the security division of Hewlett-Packard, analyzed the ten most popular consumer devices that are currently considered part of the IoT. They didn’t name any specific manufacturer but did say that they looked at one each of “TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers”. According to Fortify, there was an average of 25 security weaknesses found in each device they analyzed.
All of the devices included a smartphone application to control them. The weaknesses are pretty glaring. 8 of the 10 devices had very weak passwords. 9 of the 10 devices gathered some personal information about the owner such as an email address, home address or user name. 7 of 10 devices had no encryption and sent out data in a raw format. 6 of the devices didn’t encrypt updates, meaning that a hacker could fake an update and take over the device.
This is not much of a shock and the lack of IoT security has been reported before. It’s been clear that most manufacturers of these kinds of devices are not providing the same kind of security for these devices that is done for computers and smartphones. But this is the first time that anybody has looked at the most popular devices in such detail and has documented all of the kinds of weaknesses they found.
It’s fairly obvious that these kinds of weaknesses have to be fixed before the IoT becomes an everyday thing in households. Otherwise, a day will come when there will be some spectacular security failure of an IoT device that will affect many households, and the whole industry will be set back a step.
It’s obvious that security really matters for some of these devices. If things like door locks, garage door openers and security systems can be easily hacked due to poor device security then the whole reason for buying such devices has been negated. I read last week that hackers have figured out how to hack into smart car locks and push-button car starters and that a car using those devices is no longer safe from being stolen. For a few years these devices gave some added protection against theft, but now they are perhaps easier to steal than a traditional vehicle and certainly easier to steal than a car using a physical anti-theft device like the Club.
I know that I am not going to be very quick to adopt IoT devices that might allow entry into my home. I don’t really need the convenience that might come from having my front door unlock as I pull into the driveway if this same feature means that a smart thief can achieve easy entry to my home.
So aside from home security devices, what’s the danger of having less secure devices like smart lights, or a smart stove or a smart sprinkler system? There is always the prank sort of hacking like disabling your lights or making your oven heat all day at high heat. But the real danger is that access to such devices might give a hacker access to everything else in your house.
Most of us use pretty good virus protection and other tools to lower the risk of somebody hacking into our computer systems to get access to personal information and banking and monetary systems. But what if a hacker can gain access to your computers through the backdoor of a smart light bulb or a smart refrigerator? This is not a far-fetched scenario. It was reported that the hack of Target that stole millions of credit card numbers was initiated by entry to the company’s heating and ventilation systems.
It’s obvious that these manufacturers are taking the fast path to market rather than taking the time to implement good security systems. But they must realize that they will not be forgiven if their device is the cause of multiple data breaches and that in the worst case their whole product line could dry up overnight. One would hope that efforts like the one just taken by HP will wake up the device makers. With that said, they face a formidable task, since fixing an average of 25 security flaws is a big order.