In a recent study, every connected home security system tested by HP contained significant vulnerabilities, including but not limited to password security, encryption, and authentication issues.
HP's Fortify on Demand security service assessed the top 10 home security devices – such as video cameras and motion detectors – along with their cloud and mobile application components. It uncovered vulnerabilities in all of them. None of the systems required the use of a strong password, for example, and 100 per cent of the systems failed to offer two-factor authentication.
Connected home security systems are part of the booming Internet of Things (IoT) market, and vendors are understandably keen to carve out a slice of the action – with fast time-to-market, rather than data security, at the forefront of their thinking.
Manufacturers are under pressure to release security systems that deliver remote monitoring capabilities. Ironically, however, the network connectivity and access that are necessary for remote monitoring mean the security risks associated with such systems are significantly greater than those associated with older, disconnected systems.
All systems that HP tested, including cloud-based web interfaces and mobile interfaces, failed to require passwords of sufficient length and complexity, with most only requiring a six-character alphanumeric password. All the systems also lacked the ability to lock out accounts after a certain number of failed login attempts, leaving the door open to brute force attacks.
All of the systems accessed collected some form of personal information, such as names, addresses, dates of birth, phone numbers, and even credit card numbers. That’s bad, because account-harvesting issues were pervasive across all systems tested.
Gartner forecasts that 4.9 billion connected things will be in use in 2015, up 30 per cent from 2014, and the figure will reach 25 billion by 2020.
The new HP study highlights how ill-equipped the market is at delivering secure products, re-emphasising an observation we’ve heard from several security firms over recent months: the lessons learnt in the client-server, mobile, and cloud technology markets are not being applied when it comes to the IoT, including such devices as connected home security systems and smart meters.
Default passwords and poor crypto are the order of the day, laying the groundwork for a more expensive security retrofit down the line.
HP’s Home Security Systems report tested 10 of the most commonly used home security IoT devices for vulnerabilities using a combination of manual testing and automated tools. Devices and their components were assessed based on the OWASP Internet of Things Top 10 and the specific vulnerabilities associated with each top 10 category.
The US Federal Trade Commission recently analysed the balance between security and privacy concerns in development of IoT devices. This might act as a spur for regulation at some point.
For now, HP advises consumers to implement secure home networks before adding insecure IoT devices, applying complex passwords, account lockouts, and two-factor authentication in order to make their IoT experience more secure. ®
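The three controls the report found missing (a real password policy, lockout after repeated failures, and a second factor) modelled as one login path. This is an added illustration, not code from HP, the report, or any tested vendor; the thresholds (12 characters, five failures, a 15-minute window), the PBKDF2 storage and the sample account are assumptions.

```python
# Added example (not HP's or any vendor's code): the controls the article
# says the tested systems lacked, modelled as one login path. Thresholds
# (12 chars, 5 failures, 900 s window) and PBKDF2 storage are assumptions.
import hashlib, hmac, re, struct
from dataclasses import dataclass, field

MIN_LEN, MAX_FAILURES, WINDOW = 12, 5, 900

def weak_policy_ok(pw: str) -> bool:
    """What HP found most systems required: six alphanumeric characters."""
    return len(pw) >= 6 and pw.isalnum()

def strong_policy_ok(pw: str) -> bool:
    """Hardened rule: minimum length plus at least three character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= MIN_LEN and sum(bool(re.search(c, pw)) for c in classes) >= 3

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the second factor none of the systems offered."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pw_hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    totp_secret: bytes
    failures: list = field(default_factory=list)  # timestamps of failed logins

def make_account(pw: str, salt: bytes, totp_secret: bytes) -> Account:
    if not strong_policy_ok(pw):          # refuse what the weak policy would accept
        raise ValueError("password does not meet policy")
    return Account(salt, pw_hash(pw, salt), totp_secret)

def login(acct: Account, pw: str, code: str, now: int) -> str:
    """Returns 'ok', 'denied' or 'locked'; the lockout is what blunts brute force."""
    acct.failures = [t for t in acct.failures if now - t < WINDOW]
    if len(acct.failures) >= MAX_FAILURES:
        return "locked"                   # do not even evaluate credentials
    pw_ok = hmac.compare_digest(pw_hash(pw, acct.salt), acct.digest)
    code_ok = hmac.compare_digest(totp(acct.totp_secret, now), code)
    if pw_ok and code_ok:
        acct.failures.clear()
        return "ok"
    acct.failures.append(now)
    return "denied"
```

The `totp` function reproduces the RFC 6238 test vector (secret `12345678901234567890`, time 59 gives `287082`), so it can be checked against any standard authenticator app.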