HP Fortify: Defense for the Internet of Things (IoT)

Spanning TVs to home thermostats, the Internet of Things (IoT) trend is helping us to be more connected than ever. But the rising number of IoT devices also means we are facing an ever increasing number of security risks. To understand the extent of the threat, HP Fortify, part of our Enterprise Security Products organization, conducted the Internet of Things Security: State of the Union study.

The results were clear: 70 percent of the most commonly used IoT devices contain vulnerabilities in areas including password security, encryption and software protection. The results also highlight the importance of building application security into these products from the beginning—making it possible to protect consumers and enterprises by staying ahead of the adversary.

For the study, we leveraged HP Fortify on Demand to test 10 of the most commonly used IoT devices—along with their cloud and mobile application components. In the process we uncovered an average of 25 vulnerabilities per device. These devices included TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage-door openers.

The most common and easily addressable security issues reported include:

  • Privacy concerns: 80 percent of the devices tested, along with their corresponding cloud and mobile application components, raised privacy concerns regarding the collection of consumer data such as name, email address, home address, date of birth, credit card credentials and health information.
  • Insufficient authorization: 80 percent of IoT devices tested, including their cloud and mobile components, failed to require passwords of sufficient complexity and length. Most devices allowed passwords such as “1234”.
  • Lack of transport encryption: 70 percent of the devices failed to encrypt communications to the internet and local network, while half of the devices’ mobile applications performed unencrypted communications to the cloud, internet or local network—leaving sensitive data vulnerable during its transmission across channels.
  • Insecure web interface: 60 percent of devices evaluated raised security concerns with their user interfaces such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text. 70 percent of devices with cloud and mobile components would enable a potential attacker to determine valid user accounts through account enumeration or the password reset feature.
  • Inadequate software protection: 60 percent of devices did not use encryption when downloading software updates. Some downloads could even be intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.
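The account-enumeration weakness in the password reset feature, noted above, comes down to a handler that answers differently for known and unknown usernames. The following added example (not code from the study or from HP Fortify) contrasts a leaky reset handler with a uniform one and includes a small self-check a defender can run against either; the user store and usernames are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample user store for the example: username -> record.
USERS = {"alice": {"email": "alice@example.invalid"}}

# Reset tokens issued by the handlers (kept in memory so they can be inspected).
ISSUED_TOKENS = {}


def reset_vulnerable(username):
    """Leaky variant: the status and message reveal whether the account exists,
    so anyone can confirm valid usernames by submitting reset requests."""
    if username not in USERS:
        return {"status": 404, "message": "No account with that username"}
    ISSUED_TOKENS[username] = secrets.token_urlsafe(32)
    return {"status": 200, "message": "Reset e-mail sent"}


def reset_hardened(username):
    """Uniform variant: identical status and message for known and unknown
    usernames, and comparable work on both paths, so neither the response
    body nor its timing indicates whether the account exists."""
    record = USERS.get(username)
    token = secrets.token_urlsafe(32)  # generated on both paths
    if record is not None:
        ISSUED_TOKENS[username] = token  # real service would queue the e-mail here
    else:
        # Dummy work on the unknown-user path keeps the cost similar; a real
        # service should also queue the (no-op) e-mail step asynchronously.
        hashlib.sha256(token.encode()).hexdigest()
    return {"status": 200,
            "message": "If that account exists, a reset e-mail has been sent"}


def leaks_account_existence(handler):
    """Defender's self-check: True if the handler's response differs between a
    known username and a freshly generated, certainly unknown one."""
    known = handler("alice")
    unknown = handler("nobody-" + secrets.token_hex(4))
    return known != unknown
```

The same check can be pointed at a deployed endpoint by comparing full responses (status, body and headers) for a known and an unknown account.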

To protect against these security hazards that come with the rise of IoT, it’s critical for organizations to implement an end-to-end approach to identify application security vulnerabilities before they are exploited.

Solutions like HP Fortify on Demand enable organizations to test the security of software quickly, accurately, affordably and without any software to install or manage—proactively eliminating the immediate risk in legacy applications and the systemic risk in application development.