
'Things' on the Internet-of-things have 25 vulnerabilities apiece

Leaking sprinklers, overheated thermostats and picked locks all online

Internet Security Threat Report 2014

Ten of the most popular Internet of Things devices contain an average of 25 security vulnerabilities, many severe, HP researchers have found.

HP's investigators found 250 vulnerabilities across the Internet of Things (IoT) devices, each of which had some form of cloud and remote mobile application component, and nine of which collected personal user data.

Flaws included the Heartbleed vulnerability, cross-site scripting, weak passwords and denial of service.

Some of the unnamed devices contained users' credit card data, date of birth details and name and address records.

"And with many devices transmitting this information unencrypted on your home network, users are one network misconfiguration away from exposing this data to the world via wireless networks," the company wrote in a report (PDF).

"Cloud services, which we discovered most of these devices use, are also a privacy concern as many companies race to take advantage of the cloud and services it can provide from the internet.

"Do these devices really need to collect this personal information to function properly?"

Most devices accepted the world's dumbest passwords, including 12345, to secure remotely accessible accounts, and did not encrypt connections.

Six of the 10 had bugged web interfaces that contained persistent cross-site scripting, poor session management and weak default credentials and password-reset managers.

The report urges vendors to follow the OWASP Internet of Things Top Ten 2014 used to conduct the IoT test.

It recommended that all IoT devices undergo a security review covering all components, be built according to security standards, and have infosec applied at all stages of the development lifecycle. ®
