Internet of Things devices full of security gaps, study shows
In an increasingly interconnected world where everything from televisions to refrigerators to cars is connected to the Internet, the data collected by the so-called "Internet of Things" is a natural target for hackers. However, IoT devices currently available on the market don't afford all the security protections we need, experts say.
A study by HP reveals that 70 percent of the most common IoT devices had security vulnerabilities. Those weaknesses ranged from the recent Heartbleed bug to weak password requirements. HP also warned that many of the same vulnerabilities that affect other technologies -- network, mobile and apps -- have just been combined to create an even more insecure product.
When HP reviewed ten of the most popular devices -- including TVs, webcams, home thermostats, remote power outlets, sprinkler controls and automatic door locks -- a majority of them raised privacy concerns. HP did not reveal the brand names of the items tested.
Researchers found that 90 percent of the devices collected at least one piece of personal information via the device, cloud or mobile application. Privacy concerns were also flagged when researchers found that most devices, as well as their cloud and mobile applications, could allow an attacker to identify their accounts.
Most of the devices allowed weak passwords (such as "1234") or poorly protected credentials, which could make it relatively easy for an attacker to gain control of them.
Seventy percent of the devices tested also did not use transport encryption, the report said, meaning that sensitive data being passed between the device, cloud and mobile application might be hackable. Insecure software updates were also found on 60 percent of devices.
The Open Web Application Security Project (OWASP) is a non-for-profit that focuses on improving software security. Its Internet of Things Top 10 list hits on each of the issues raised in the HP report as well as some additional areas of concern. OWASP mentioned poor physical security, which includes use of USB ports and SD card readers. If an attacker were able to get ahold of the storage used in the device, they could make modifications to the software itself.
The industry analysis firm Gartner predicts that by 2020, more than 26 billion items will be connected the Internet of Things. The HP report notes that while the technology is catching on fast, it is still in its early stages, giving manufacturers an opportunity to tighten security standards before more consumers are put at risk.