原创 Why IoT in the home is a security Frankenbeast

"Five years ago, we decided that mobile was the real place to be. So everyone started building mobile apps while ignoring everything we've learned from securing web and thick-client applications. And now we have the Internet of Things (IoT). If we continued in this trend we'd have a new space that ignores the security lessons from mobile, but it's actually much worse than that."

He describes it as a Frankenbeast of technology (figure) that links network, application, mobile, and cloud technologies together into a single ecosystem, that seems to be taking on the worst security characteristics of each.

Figure: The HP Study reveals virtually all aspects of Internet of Things connectivity in the home is insecure.

According to the study, 100 percent of the devices they studied that were used in home security contained significant vulnerabilities, including password security, encryption and authentication issues. In the ten security systems they tested along with their cloud and mobile application components, they found that that none of the systems required the use of a strong password and 100 percent of the systems failed to offer two-factor authentication. Some of the common and easily avoidable security issues they found included: https://www.hpfod.com/docs/InternetOfThings.pdf

Insufficient authorization: All systems that included their cloud-based web interfaces and mobile interfaces failed to require passwords of sufficient complexity and length with most only requiring a six character alphanumeric password. All systems also lacked the ability to lock out accounts after a certain number of failed attempts.

Insecure Interfaces: All cloud-based web interfaces tested exhibited security concerns enabling a potential attacker to gain account access through account harvesting which uses three application flaws; account enumeration, weak password policy and lack of account lockout. Similarly five of the ten systems tested exhibited account harvesting concerns with their mobile application interface exposing consumers to similar risks.

Privacy Concerns: All systems collected some form of personal information such as name, address, date of birth, phone number and even credit card numbers. Exposure of this personal information is of concern given the account harvesting issues across all systems. It is also worth noting that the use of video is a key feature of many home security systems with viewing available via mobile applications and cloud-based web interfaces. The privacy of video images from inside the home becomes an added concern.

Lack of transport encryption: While all systems implemented transport encryption such as SSL/TLS, many of the cloud connections remain vulnerable to attacks (e.g. POODLE attack). The importance of properly configured transport encryption is especially important since security is a primary function of these systems.

"The biggest takeaway is the fact that we were able to brute force against all 10 systems," said Miessler,,"meaning they had the trifecta of fail (enumerable usernames, weak password policy, and no account lockout), meaning we could gather and watch home video remotely.

"With complex systems like IoT, breaking security is often all about chaining smaller vulnerabilities together, and that's what we saw when looking at these home security systems. We can expect to see more of the same across the IoT space precisely because of the complexity of merging network, application, mobile, and cloud components into one system."