Why we need to make the Internet of Things more secure

Although the Internet of Things is expanding, it seems manufacturers are not paying enough attention to protecting their products from being hacked, thus putting current and future customers in harm’s way.

One of the trends that most companies are quickly lining up to adopt is the Internet of Things (IoT), or, as some refer to it – the Internet of Everything. While the concept is to connect appliances like TVs, refrigerators and air conditioners to the internet in order to make our lives easier, it seems that there is a high price tag attached – having sensitive personal information exposed to hackers.

HP, through its security division Fortify, took on the challenge to test the 10 most popular devices  in the Internet-of-Things market. This study was carried out to understand how users are actually exposed to a security breach, just because they want to remotely turn their air conditioning on before arriving home from a long day at the office.

According to the findings, 70 percent of the common devices in the market have significant vulnerabilities, including privacy issues, insufficient permissions, lack of encryption, insecure web interface for managing some of the devices, and finally, minimal protection on the software itself. The study found no less than 250 different security weaknesses, with an average of 25 weaknesses in each device!

While the company has focused only on 10 devices, those are some of the most popular devices in the IoT domain. In other words, if you have already purchased a device that has the ability to connect to the internet, it is most likely to come with these security weaknesses right out of its package.

To get a bit more specific, 9 out of the 10 devices stored at least one personal data item about its users, such as email address, full name, date of birth, or even home address. The problem becomes even worse due to the fact that 8 out of those 10 devices did not ask for a stronger password than a simple combination of ‘1234’ to connect to the service or the device. To top this, 7 out of the 10 devices did not use encrypted communication network services, which means the information passed between the user and the device was available to anyone with a simple sniffer. Further, 6 devices did not even encrypt the software updates while downloading, so they could potentially download a virus posing as the relevant update and in turn put all of the other devices connected to the home network or the enterprise network at jeopardy.

HP did not reveal the devices that were tested, for obvious reasons. However, the company mentioned that the devices are of a varied range, including TVs, webcams, domestic power heat registers, all the way to remote controllers, sprinkler, hubs for different devices, door locks, home alarm systems, electronic scales and even home parking remote controls. Most of the devices tested offered some kind of cloud service, where all were using mobile applications allowing access and control on the various devices.

Due to the fact that most of the devices that were tested run a simplified version of the Linux operating system, the existing security threats which are relevant to the operating system also apply to the devices. Unfortunately for the users, manufacturers do not seem to have adequately protected their devices against these vulnerabilities; well, at least not yet.

But manufacturers may be missing the bigger picture. While hacking into a refrigerator that is connected to the internet is not so interesting by itself (unless the hacker’s purpose is to cause someone food poisoning), due to the fact that the refrigerator is connected to the same network which the home laptops and mobile devices are connected to, it may become more significant. The other connected devices may be more interesting to hackers, as they store valuable information such as personal details, usernames and passwords for different services, such as social networks, bank accounts, and so on.

This is not the first time that the Internet of Things is being scrutinized by security companies.A report published last January by Proofpoint, another security company, presented similar findings. Nonetheless, it seems that the manufacturers have not wised up and put more effort into securing their products. At the end of the day, these security breaches may affect manufacturers too, and could jeopardize the sensitive data stored in their servers and hence, their goodwill.

Unfortunately, there is not too much we can do currently as consumers. However, as wise consumers, it may be worthwhile for all of us to think twice before running to purchase a variety of products, only because they can connect to the internet, while having our security and privacy in mind.

This article is published in collaboration with TCS. Publication does not imply endorsement of views by the World Economic Forum.

To keep up with the Agenda subscribe to our weekly newsletter.

Author: Ben Gilad is responsible for interacting with the Israeli technology eco-system stakeholders at TCS.

Image: A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin. REUTERS/Pawel Kopczynski