A new report claims that a couple of security concerns on a single device in IoT can quickly turn into 50 or 60 concerns with multiple devices.
A recent report by HP Security Research reviewed 10 devices that it considered popular and common in IoT and found a range of problems from Heartbleed to DoS to cross-site scripting.
Among the concerns highlighted by the researchers are the following:
80% of devices raised privacy concerns because many devices are collecting some or all of your personal information. Exasperating the situation is communications over networks, cloud based systems, and the use of mobile phones.
80% of devices failed to ask for passwords of sufficient length and complexity. There was, in general, a lack of authentication and authorization commensurate with the need to have stronger access controls.
70% had no encryption of data over the network or through the Internet.
60% had UI issues that raised security issues. These included cross-site scripting, poor session management and weak default credentials. So, for example, a simple password reset could be maliciously exploited without the right mechanism in place to protect the user.
60% had no encryption when downloading software and firmware. This lack of protection leaves such updates and controlling software open to interception and extraction for malicious purposes.
Of course, this is a report from a vendor perspective so, there is some element of fear mongering in order to sell services and support around HP's own solutions to these problems, but the researchers claim to have used standard testing techniques combining manual and automatic testing. Devices and drivers were assessed based on OWASP IoT Top 10 list and the specific issues OWASP associates with each top 10 category.
However, there is no denying that the number of IoT devices coming onto the market and being connected up is increasing every day. This just may be a wake up call for the industry.