HP Study Finds Alarming Vulnerabilities with Internet of Things (IoT) Home Security Systems

HP Fortify OnDemand finds that 100 percent of top security systems studied display significant security deficiencies

PALO ALTO, Calif., February 10, 2015 — HP today released results of a security testingstudy revealing that owners of Internet-connected home security systems may not be the only ones monitoring their homes. The study found that 100 percent of the studied devices used in home security contain significant vulnerabilities, including password security, encryption and authentication issues.

Home security systems, such as video cameras and motion detectors, have gained popularity as they have joined the booming Internet of Things (IoT) market and have grown in convenience. Gartner, Inc. forecasts that 4.9 billion connected things will be in use in 2015, up 30 percent from 2014, and will reach 25 billion by 2020.(1) The new HP study reveals how ill-equipped the market is from a security standpoint for the magnitude of growth expected  around IoT.

Manufacturers are quickly bringing to market connected security systems that deliver remote monitoring capabilities. The network connectivity and access necessary for remote monitoring presents new security concerns that did not exist for the previous generation of systems that have no internet connectivity.

The HP study questions whether connected security devices actually make our homes safer or put them at more risk by providing easier electronic access via insecure IoT products. HP leveraged HP Fortify on Demand to assess 10 home security IoT devices along with their cloud and mobile application components, uncovering that none of the systems required the use of a strong password and 100 percent of the systems failed to offer two-factor authentication. 

The most common and easily addressable security issues reported include:

  • Insufficient authorization: All systems that included their cloud-based web interfaces and mobile interfaces failed to require passwords of sufficient complexity and length with most only requiring a six character alphanumeric password. All systems also lacked the ability to lock out accounts after a certain number of failed attempts.
  • Insecure Interfaces: All cloud-based web interfaces tested exhibited security concerns enabling a potential attacker to gain account access through account harvesting which uses three application flaws; account enumeration, weak password policy and lack of account lockout. Similarly five of the ten systems tested exhibited account harvesting concerns with their mobile application interface exposing consumers to similar risks.
  • Privacy Concerns: All systems collected some form of personal information such as name, address, date of birth, phone number and even credit card numbers. Exposure of this personal information is of concern given the account harvesting issues across all systems. It is also worth noting that the use of video is a key feature of many home security systems with viewing available via mobile applications and cloud-based web interfaces. The privacy of video images from inside the home becomes an added concern. 
  • Lack of transport encryption: While all systems implemented transport encryption such as SSL/TLS, many of the cloud connections remain vulnerable to attacks (e.g. POODLE attack).  The importance of properly configured transport encryption is especially important since security is a primary function of these systems.

“As we continue to embrace the convenience and availability of connected devices, we must understand how vulnerable they could make our homes and families,” said Jason Schmitt (@raidschmitt), vice president and general manager, Fortify, Enterprise Security Products (@HPsecurity), HP. “With ten of the top security systems lacking fundamental security features, consumers must be diligent about adopting simple and practical security measures when they’re available, and device manufacturers must take ownership in building security into their products to avoid exposing their customers unknowingly to serious threats.”

As IoT product manufacturers work to incorporate much needed security measures, consumers are urged to consider security when choosing a monitoring system for their home. Implementing secure home networks before adding insecure IoT devices, instituting complex passwords, account lockouts and two-factor authentication are only a few measures consumers can take to make their IoT experience more secure. Legislators are also getting involved, with the U.S. Federal Trade Commission releasing a recent report analyzing the balance between security and privacy concerns with development of the IoT devices.

For more information, visit the first report in this IoT series, 2014 HP Internet of Things Research Study, which reviews the security of the top 10 most common IoT devices. Additionally, the most recent HP Security Briefing, Episode 20: The Internet of Things: A Security Overview looks at how the advent of millions of connected devices affects network security from a practical standpoint.

Methodology
Conducted by HP Fortify and leveraging HP Fortify on Demand, HP’s Home Security Systems study tested 10 of the most commonly used home security IoT devices for vulnerabilities using standard security testing techniques that combined manual testing along with the use of automated tools. Devices and their components were assessed based on the OWASP Internet of Things Top 10 and the specific vulnerabilities associated with each top 10 category.

The resulting data and percentages in this report were drawn from the 10 IoT systems tested. Given the popularity and similarity among the 10 devices, HP Fortify believes the results provide a good indicator of where the market currently stands as it relates to security and the Internet of Things.

Additional information about application security and further details resulting from the study are available at hp.com/go/fortifyresearch/iot.

Join HP Software on Linkedin and follow @HPSoftware on Twitter. To learn more about HP Fortify and HP Enterprise Security Products on Twitter, please follow @HPsecurity and join HP Enterprise Security on Linkedin.

(1) Gartner, Press Release, “Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015” November 2014. http://www.gartner.com/newsroom/id/2905717.

© 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Media contacts

About HP

HP Inc. creates technology that makes life better for everyone, everywhere. Through our portfolio of printers, PCs, mobile devices, solutions, and services, we engineer experiences that amaze. More information about HP Inc. is available at http://www.hp.com.