According to forecasts by Gartner, by 2020 there will be more than 26 billion connected devices in circulation. EMC Corporation forecasts that the digital universe of the Internet of Things doubles every two years and may grow 10-fold between 2013 and 2020, from 4.4 trillion to 44 trillion gigabytes. At the same time, TVs, webcams, refrigerators, ovens, thermostats and a host of other smart devices will become easy prey for hackers.
One study, conducted by HP's Fortify unit, revealed a large number of vulnerabilities in 10 Internet of Things (IoT) devices. HP did not release the names of the manufacturers, specifying only that the majority of them use cloud services and all include a mobile app for remote control.
HP Security Research reviewed 10 of the most popular devices and found a high average number of vulnerabilities per device, including Heartbleed, denial of service, weak passwords and cross-site scripting. Specifically, it confirmed that the vulnerabilities present in the ten devices fall within the categories of the Open Web Application Security Project (OWASP) Top 10. The results are quite alarming, since a single bug may facilitate chained attacks, and a smart home may contain dozens of interconnected devices.
Almost 90 percent of the devices examined in the report collect personal information such as name, address, date of birth, email and credit card number, and transmit it unencrypted over the local network and to the cloud, endangering users' privacy. Nearly 80 percent of the devices do not require complex passwords. Six of the ten devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS, poor session management and weak default credentials.
Moreover, over 70 percent of IoT devices with cloud and mobile applications allow an attacker to identify valid user accounts through account enumeration. In addition, the report says 60 percent of devices showed update-related issues, including no encryption while downloading the update and update files that were not protected in any way. In fact, some downloads were intercepted, extracted and mounted as a file system in Linux, where the software could be viewed or modified.
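The account-enumeration finding above comes down to a login handler that answers differently for "unknown user" and "wrong password". The following added example (not code from the HP report or any of the tested devices) shows a leaky handler beside a hardened one that returns the same status, message and hashing cost regardless of whether the account exists; the user store, salts and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential used for unknown usernames so that the hardened handler
# performs the same work (and takes the same time) on every code path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Enumerable: the status code and message reveal whether the user exists,
    and an unknown user skips the password hash entirely (a timing tell)."""
    if username not in USERS:
        return 404, "no such user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "wrong password"
    return 200, "ok"


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Uniform response: every failure yields the same status and message,
    and the password is always hashed, even for an unknown username."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # The explicit membership check guards against a (practically impossible)
    # match against the dummy hash ever being treated as a login.
    if username in USERS and ok:
        return 200, "ok"
    return 401, "invalid username or password"
```

Pair the uniform response with per-account and per-source rate limiting; identical messages alone do not stop an attacker who can make unlimited guesses.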
These devices often run a stripped-down version of Linux, and thus contain many of the same potential security issues you would expect on a server or any other computer running Linux. The problem is that these devices are not developed with the same attention to security as a more traditional computer or server.
Gartner, in a recent report, identified the top digital security trends for industries as software-defined security, big data security analytics, intelligent/context-aware security analytics, application isolation, endpoint threat detection and response, website protection, adaptive access, people-centric security and securing the Internet of Things.
HP recommends that manufacturers conduct extensive testing on their devices before handing them over to users, because such vulnerabilities are quite easy to fix without damaging the user experience.