A new HP study found that new smart home automation products on the market are anything but secure from hacker intrusions.
Yes, the Internet of Things (IoT) smart home automation market is hot. Apple’s (AAPL) got a new smart home automation platform, Google (GOOG) bought Nest and Dropcam and Microsoft (MSFT) launched a new startup accelerator for the segment.
But Hewlett-Packard (HPQ), which doesn’t have a presence in the IoT smart home market, just conducted a study through its Fortify application security unit, looking for security vulnerabilities in 10 popular “TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.”
Guess what HP found? Some 250 different security flaws in the products, which works out to 25 vulnerabilities per device. HP didn’t identify the products, but it’s clear the manufacturers aren’t fly-by-nighters.
“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface,” said Mike Armistead, vice president and general manager, Enterprise Security Products at HP Fortify. “With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.”
HP said data from the study showed that 70 percent of the devices common to the burgeoning IoT have security flaws, including problems with passwords and encryption and a lack of “granular user access permissions.”
What does HP make of it all? Vendors are pushing connected smart home devices on the market before they’re ready for prime time—as in fortified against malware intruders. It’s HP’s belief that a race for market share is compromising the new devices, opening “doors for security threats ranging from software vulnerabilities to denial-of-service (DOS) attacks to weak passwords and cross-site scripting vulnerabilities.”
Here are some highlights from the study:
- Eight of the 10 devices tested raised privacy concerns regarding the collection of consumer data such as name, email address, home address, date of birth, credit card credentials and health information.
- 80 percent of devices tested failed password security with most devices allowing passwords such as 1234.
- 70 percent of IoT devices examined failed to encrypt communications to the Internet and local network and half allowed unencrypted communications.
- The user interfaces of six of the 10 devices tested had issues such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text.
- 60 percent of devices didn’t deploy encryption with software downloads.
With Gartner projecting that IoT devices and objects will number some 26 billion units by 2020, worth an additional $300 billion to product and service vendors, buttoning down the security seems like a pretty obvious thing to do. Well, at least HP thinks so.