Internet-connected “smart” home security devices, sometimes referred to as part of the “Internet of Things,” have been rising in popularity in recent years. Gadget-makers clearly see an opportunity to combine new technologies with old, equipping many of the utilitarian devices you’d typically find around the home with shiny new technology features. As a result, many people are eager to supplement their existing home security setup with devices like cameras, locks, lighting, and motion detectors which can be controlled and accessed from a smart phone or a remote portal over the internet.
But while some of these futuristic-seeming devices may be quickly becoming a reality, the assurance that they make your family and your home safer is still something of science fiction.
Researchers at HP Fortify (Hewlett Packard’s application security testing team) recently tested 10 of the newest IoT connected home security systems and found that all 10 were rife with security flaws across the board. According to the report, “the intent of these systems is to provide security and remote monitoring to a home owner… given the vulnerabilities we discovered, the owner of the home security system may not be the only one monitoring the home.”
Here are some of the highlights of HP’s findings (or lowlights may be more appropriate):
Some of the most egregious flaws were found in all 10 systems tested. For one, every system allowed the use of weak passwords, with either a weak password policy or no password policy at all. Compounding this, all 10 systems failed to implement any kind of account lockout defense after repeated failed login attempts, and all but one of the systems offered no option for two-factor authentication. Given that IoT devices with weak or default passwords have already been taken advantage of in mass cyberattacks, this is concerning.
More concerning is that all 10 systems were found vulnerable to account harvesting via the cloud interface. That means account credentials can be obtained via a brute force attack, then the attacker can log in as the user on the web and mobile interfaces. This would allow an attacker to see if you are home, if you’re away, and most frighteningly, they would even be able to watch video in your home from anywhere in the world.
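The three controls the report found missing across all 10 systems (a password policy, lockout after repeated failures, and login responses that do not reveal whether an account exists) can be seen together in the following added example, which is illustrative code written for this post and not code from HP or from any of the tested products. The in-memory store, the thresholds, and the `now` parameter (so lockout expiry can be exercised without waiting) are all assumptions of the example.

```python
import hashlib
import hmac
import os
import time

MIN_PASSWORD_LEN = 12   # assumed policy for the example
MAX_FAILURES = 5        # failures before the account is locked
LOCKOUT_SECONDS = 900   # lock duration (15 minutes)


class AuthService:
    """Constructed in-memory authenticator illustrating the missing controls."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 hash)
        self._failures = {}  # username -> (failure count, locked-until timestamp)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        # Password policy: minimum length, at least one uppercase letter and one digit.
        if (len(password) < MIN_PASSWORD_LEN or password.lower() == password
                or not any(c.isdigit() for c in password)):
            return False
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))
        return True

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        count, lock_until = self._failures.get(username, (0, 0.0))
        if now < lock_until:
            return "denied"          # locked out: same answer as a bad password
        record = self._users.get(username)
        if record is None:
            # Unknown username: hash a dummy value so timing is similar to a real
            # account, and give the same generic answer, so nothing can be harvested.
            self._hash(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(self._hash(password, salt), stored)
        if ok:
            self._failures.pop(username, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            lock_until = now + LOCKOUT_SECONDS
        self._failures[username] = (count, lock_until)
        return "denied"
```

Failures are counted for unknown usernames too, so the lockout state itself does not reveal which accounts exist.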
7 of the 10 systems were vulnerable to a different kind of flaw called security posture variance, which means that attackers can keep pounding on various vectors to find the weakest link between cloud, web, and mobile interfaces.
7 out of 10 systems also had serious issues with software updates, such as failing to use encryption to transfer update files, failing to detect that an update package had been modified, and using cleartext protocols to authenticate to the download server. One system even had all three of these issues and allowed write access to the update server, which meant that researchers could have replaced the software that others were downloading for that product, and for other products hosted on that server.
According to HP’s Daniel Miessler, “The Internet of Things is worse than just a new insecure space: it's a Frankenbeast of technology that links network, application, mobile, and cloud technologies together into a single ecosystem, and it unfortunately seems to be taking on the worst security characteristics of each.”
Clearly, IoT-connected home security devices still have a long way to go before they genuinely improve home security.