The web-connected appliances on the “internet of things” promise to make life way more convenient for you and me. But according to a security study by Hewlett-Packard, the most popular smart devices are about as secure as an unlocked screen door. Think twice before you share your street address with your TV.
Researchers at HP’s Fortify security arm examine the top 10 internet-connected home appliances or devices, and what they found was terrifying: the group of products had 250 different security flaws of the sort that hackers could take advantage of. Yes, on average, that means each device could be compromised 25 different ways.
The Fortify report doesn’t name the devices by brand, but Re/code says the items came from manufacturers of “TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.” Y’know, basically anything you’d think of as an Internet of Things thing.
What’s behind this hellstew of insecurity? Basically, most of these devices run a stripped-down version of Linux. The software comes in with some very basic vulnerabilities, and the companies making the devices aren’t locking up those security gaps the way they would with a traditional computing gadget.
And we’re talking some very basic vulnerabilities: of the 10 devices tested, seven sent all data (including personal identifying info) to the web completely un-encrypted, while six transmitted password info unencrypted. Six of the devices tested don’t encrypt software updates, meaning a baddie could make a convincing-looking software update that takes over the device and operates it under the hacker’s beck and call. Oh, and nine of the 10 devices collect some type of user identifying info, like street address, date of birth, name or email address.
It’s a shame, particularly because the security threat of web-connected appliances is something the tech world already knows about. Let’s just hope a high-level and damning report like this one does something (anything!) t0 get device makers to start securing their stuff. The last thing anyone needs is a hacker sneaking on their network through their refrigerator. [Re/code]