February 10, 2015
An HP Internet of Things Research Study released today contains warnings for consumers of IoT-based devices and enterprises who have either committed to implementing them or plan to do so soon.
Consumers, the study notes, need to include security in the feature considerations when evaluating potential product purchases, avoid using system defaults for usernames and passwords whenever possible and choose good passwords when the option is available.
Enterprises are urged to “implement segmentation between Internet of Things devices and the rest of the network using a firewall or filtering technology.”
For the purpose of the study, HP reviewed 10 of the most popular home security systems and found an “alarmingly high number of authentication and authorization issues along with concerns regarding mobile and cloud-based Web interfaces.”
“The intent of these systems is to provide security and remote monitoring to a home owner, but given the vulnerabilities we discovered, the owner of the home security system may not be the only one monitoring the home,” the authors of the report wrote.
“In our ongoing research, we continued to see significant deficiencies in the areas of authentication and authorization along with insecure cloud and mobile interfaces. It is of particular concern to see these deficiencies in systems where the primary function is security.”
All 10 systems tested allowed the use of weak passwords, were “vulnerable to account harvesting, allowing attackers to guess login credentials and gain access, and lacked an account lockout mechanism that would prevent automation attacks.”
In addition, they all “collected some form of personal information such as name, address, date of birth, phone number and even credit card numbers. Exposure of this personal information is of concern given the account enumeration issues and use of weak passwords across all systems.”
Gartner Inc. is forecasting that “4.9 billion connected things” will be in use this year, an increase of 30% from 2014.
Further information on the report is available at www.hp.com.