In January, we shared a somewhat facetious headline describing how hackers were using refrigerators and televisions to send malicious waves of spam mail, but the growing problem is a serious one for personal data as well. According to security research from Helwett Packard, 70 percent of devices commonly referred to as the Internet of Things (IoT) pose security threats.
These devices – which range from water sprinklers to refrigerators – can share private data like social security numbers, banking information, addresses, birth dates and sometimes even credit card information.
According to the security research team at Hewlett Packard, most IiT devices lack proper authentication and password protection:
An attacker can use vulnerabilities such as weak passwords, insecure password recovery mechanisms, poorly protected credentials, etc. to gain access to a device. A majority of devices along with their cloud and mobile components failed to require passwords of sufficient complexity and length with most allowing passwords such as “1234” or “123456”. In fact, many of the accounts we configured with weak passwords were also used on cloud websites as well as the product’s mobile application. A strong password policy is Security 101 and most solutions failed.
Further, most devices were not using encryption to hide personal data from hackers, they also lacked a secure web interface. The software/firmware used to control the devices were highly problematic even before installation:
Given that software is what makes these devices function, it was rather alarming that 60 percent of devices displayed issues including no encryption during downloading of the update along with the update files themselves not being protected in some manner. In fact some downloads were intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.
By the year 2020, the IoT is expected to rise to 22 billion devices, which will eclipse 7.3 billion smartphones. “The fact is, that today, many categories of connected things in 2020 don’t yet exist. As product designers dream up ways to exploit the inherent connectivity that will be offered in intelligent products, we expect the variety of devices offered to explode,” said Peter Middleton, research director at Gartner. As costs decline, it will be easier to connect anything and everything to the Web, but it could mean a particularly dangerous time for personal data.