
HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

29/07/2014

IoT devices averaged 25 vulnerabilities per product, indicating expanding attack surface for adversaries

PALO ALTO, Calif. - HP today released results of a study revealing 70 percent of the most commonly used Internet of Things (IoT) devices contain vulnerabilities, including password security, encryption and general lack of granular user access permissions.

With the rise of IoT, the number and diversity of connected devices is expected to increase exponentially. According to Gartner, the Internet of Things will include 26 billion units installed by 2020. IoT product and service suppliers will generate incremental revenue exceeding $300 billion, mostly in services, in 2020. (1)

This spike in demand is pushing manufacturers to quickly bring to market connected devices, cloud access capabilities and mobile applications in order to gain share. While this increase in IoT devices promises benefits to consumers, it also opens the doors for security threats ranging from software vulnerabilities to denial-of-service (DOS) attacks to weak passwords and cross-site scripting vulnerabilities.

"While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface," said Mike Armistead, vice president and general manager, Fortify, Enterprise Security Products, HP. "With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats."

HP leveraged HP Fortify on Demand to scan 10 of the most popular IoT devices, uncovering, on average, 25 vulnerabilities per device, totaling 250 security concerns across all tested products. The IoT devices tested, along with their cloud and mobile application components, were from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.

The most common and easily addressable security issues reported include:

Privacy concerns: Eight of the 10 devices tested, along with their corresponding cloud and mobile application components, raised privacy concerns regarding the collection of consumer data such as name, email address, home address, date of birth, credit card credentials and health information. Moreover, 90 percent of tested devices collected at least one piece of personal information via the product itself, the cloud or its mobile application.

Insufficient authorization: 80 percent of IoT devices tested, including their cloud and mobile components, failed to require passwords of sufficient complexity and length, with most devices allowing passwords such as "1234". In fact, many of the test accounts HP configured with weak passwords were also used on the products' websites and mobile applications.

Lack of transport encryption: 70 percent of IoT devices analyzed did not encrypt communications to the internet and local network, while half of the devices' mobile applications performed unencrypted communications to the cloud, internet or local network. Transport encryption is crucial given that many of the tested devices collected and transmitted sensitive data across channels.

Insecure web interface: Six of the 10 devices evaluated raised security concerns with their user interfaces such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text. Seventy percent of devices with cloud and mobile components would enable a potential attacker to determine valid user accounts through account enumeration or the password reset feature.

Inadequate software protection: 60 percent of devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could even be intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.

To protect against security hazards that come along with the rise of IoT, it is imperative for organizations to implement an end-to-end approach to identify software vulnerabilities before they are exploited. Solutions like HP Fortify on Demand enable organizations to test the security of software quickly, accurately, affordably and without any software to install or manage, proactively eliminating the immediate risk in legacy applications and the systemic risk in application development.

Methodology

Conducted by HP Fortify and leveraging HP Fortify on Demand, the Internet of Things Security: State of the Union study tested 10 of the most commonly used IoT devices for vulnerabilities using standard testing techniques that combined manual testing along with the use of automated tools. Devices and their cloud, network and client application components were assessed based on the OWASP Internet of Things Top 10 list and the specific vulnerabilities associated within each category.

Additional information about application security and further details resulting from the study are available at hp.com/go/fortifyresearch/iot.

HP will be addressing the latest trends in enterprise security at the Black Hat USA 2014 conference, taking place Aug. 2-7 in Las Vegas. Visit the HP booth (No. 911) for an IoT product demo and Capture the Flag hacking contest. Additional information on HP's presence at the show can be found here.

(1) Gartner, Forecast: The Internet of Things, Worldwide, 2013, November 2013.

2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the e
LINK: http://www8.hp.com/us/en/hp-news/press-release.html?id=1744676...