Hewlett-Packard

Hewlett-Packard revealed Tuesday shocking results of a security testing study which showed that Internet-connected home security systems contain significant vulnerabilities, including password security, encryption and authentication issues.

Home security systems, such as video cameras and motion detectors, have gained popularity as they have joined the booming Internet of Things (IoT) market and have grown in convenience. The new HP study reveals how ill-equipped the market is from a security standpoint for the magnitude of growth expected around IoT.

According to Gartner, 4.9 billion connected things will be in use in 2015, and will reach 25 billion by 2020.

All systems that included their cloud-based web interfaces and mobile interfaces failed to require passwords of sufficient complexity and length, with most only requiring a six-character alphanumeric password. All systems also lacked the ability to lock out accounts after a certain number of failed attempts.

All cloud-based web interfaces tested exhibited security concerns enabling a potential attacker to gain account access through account harvesting, which uses three application flaws: account enumeration, weak password policy and lack of account lockout. Similarly, five of the ten systems tested exhibited account harvesting concerns with their mobile application interface, exposing consumers to similar risks.
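The three flaws above can be closed together in the login path. The following is an added example, not code from the HP study or from any tested product; the `LoginGuard` class, its method names, the thresholds and the password policy are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12            # assumed policy; the study found six characters typical
MAX_FAILURES = 5           # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window
GENERIC_ERROR = "Invalid username or password."
LOCKED_ERROR = "Too many attempts. Try again later."

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_ok(password):
    """Length plus three of four character classes (assumed policy)."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(t(c) for c in password) for t in tests)
    return len(password) >= MIN_LENGTH and classes >= 3

class LoginGuard:
    def __init__(self, clock=time.time):
        self.users = {}     # username -> (salt, password hash)
        self.failures = {}  # submitted username -> (failure count, locked_until)
        self.clock = clock
        self._dummy = (os.urandom(16), os.urandom(32))  # stand-in for unknown names

    def set_password(self, username, password):
        if not password_ok(password):
            return False
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))
        return True

    def login(self, username, password):
        now = self.clock()
        # Failures are tracked per submitted name, so lockout behaves the same
        # whether or not the account exists.
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return False, LOCKED_ERROR
        salt, stored = self.users.get(username, self._dummy)  # same work either way
        good = hmac.compare_digest(_hash(password, salt), stored)
        if good and username in self.users:
            self.failures.pop(username, None)
            return True, "OK"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (0 if locked_until else count, locked_until)
        return False, GENERIC_ERROR
```

Because unknown and known usernames produce identical responses, hashing work and lockout behaviour, the login response gives no signal for enumeration, and the lockout bounds the number of guesses per account.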

All systems collected some form of personal information such as name, address, date of birth, phone number and even credit card numbers. Exposure of this personal information is of concern given the account harvesting issues across all systems. It is also worth noting that the use of video is a key feature of many home security systems with viewing available via mobile applications and cloud-based web interfaces. The privacy of video images from inside the home becomes an added concern.

While all systems implemented transport encryption such as SSL/TLS, many of the cloud connections remain vulnerable to attacks such as the POODLE attack. Properly configured transport encryption is critical, as security is a primary function of these systems.

Manufacturers are offering connected security systems that deliver remote monitoring capabilities. The network connectivity and access necessary for remote monitoring present new security concerns that did not exist for the previous generation of systems, which had no internet connectivity.

The HP study questions whether connected security devices actually make our homes safer or put them at more risk by providing easier electronic access via insecure IoT products. HP leveraged HP Fortify on Demand to assess 10 home security IoT devices along with their cloud and mobile application components, uncovering that none of the systems required the use of a strong password and 100 percent of the systems failed to offer two-factor authentication.

See more here:
HP discovers security threats that underline Internet of Things systems

February 11, 2015 at 9:24 am by Mr HomeBuilder