HP: Most IoT Devices Lack Security, Open to Attack
A recent study from Hewlett-Packard reveals that 70 percent of Internet of Things (IoT) devices — including sensors and connected infrastructure — are seriously vulnerable to attack. The Internet of Things State of the Union Study from HP’s Fortify on Demand division came about after the team heard a lot about IoT but saw nothing that focused on the complete picture of IoT security.
HP began the study by starting the OWASP Internet of Things Top 10 Project, which aims to educate individuals on the main facets of IoT security that people should be concerned with. The company then used that project as a baseline for testing the top 10 IoT devices in use today, which it rigorously tested for about three weeks.
What They Found
On average, 25 vulnerabilities were found per device, totaling 250 vulnerabilities. Highlights include:
- Privacy concerns
- Insufficient authorization
- Lack of transport encryption
- Insecure web interface
- Inadequate software protection
Daniel Miessler, practice principal with Fortify on Demand, states:
We hope that this study will help consumers, SMBs, corporations, and manufacturers to gain some level of improved understanding of their risk related to Internet of Things security, and to place some focus on the issues highlighted in the report when making decisions in the future.
There are a number of things that HP hopes people take from the report, including:
- Internet of Things security is not one-dimensional. Individuals need to look at all the surface areas discussed in the report and in the OWASP Internet of Things Top 10 Project in order to have a complete view of their risk.
- IoT security is not just a consumer problem. Corporations need to be looking at how their ICS and SCADA systems fare when examined in a similar light.
- The current state of Internet of Things security seems to take all the vulnerabilities from existing spaces, e.g. network security, application security, mobile security, and Internet-connected devices, and combine them into a new (even more insecure) space, which is troubling.
You can check out the full IoT State of the Union Study by clicking on this link.