An HPE survey finds that basic vulnerabilities have not yet been addressed by major IoT-based appliance makers
Internet of Things (IoT) is clearly ruling the Consumer Electronics Show (CES) 2016 at Las Vegas. Coming at the beginning of the year, CES sets the agenda for what is going to be the big thing for the rest of the year, and IoT is clearly the flavor this year. Intel CEO Brian Krzanich, in the show-opener keynote, started by showing off Intel’s Curie IoT platform and announced that the button-sized wearable hardware module based on Curie will be available in this quarter itself and will cost less than $10.
Toyota announced advances on its connected car initiative (see Toyota announces dedicated data center... ) while companies started showing everything from smart home appliances to toys. In fact, smart home has become a recurring theme this year.
And CES is just seeing formal announcements to substantiate something that is already the talk of the town, literally, with smart cities globally basing their entire planning on IoT. India itself is seeing big action around smart cities.
Gartner has predicted that, in 2016 itself, there would be 6.4 billion connected things out of which a quarter will be used by smart cities.
As major bloggers and publications covering CES report, the excitement over IoT is completely around its capability to ‘change’ our lives for the better, and security is completely missing from the mainstream discussion. One can identify with that, as the ground reality in the Indian smart city technology narrative is not very different.
A recently published HP Enterprise report, the Internet of Things Research Study, confirms that this observation may not be far off the mark. The research, based on a review of the most popular devices in some of the most common IoT niches, revealed an “alarmingly high average number of vulnerabilities per device.” Vulnerabilities ranged from Heartbleed to denial of service to weak passwords to cross-site scripting, said the research report.
It analyzed IoT devices from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers. A majority of devices included some form of cloud service and all devices included mobile applications that can be used to access or control the devices remotely, said the report.
Some of the findings from the research are telling. It found that:
- 90% of devices collected at least one piece of personal information via the device, the cloud, or its mobile application.
- 70% of devices used an unencrypted network service.
- 80% of devices, along with their cloud and mobile application components, failed to require passwords of sufficient complexity and length.
- 70% of devices, along with their cloud and mobile applications, enable an attacker to identify valid user accounts through account enumeration.
- Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS and weak credentials.
Now, these are some of the basic tests. A more advanced attacker can exploit many more vulnerabilities.
We are going to use many of these in our homes, which will be connected, fully or partially, to the smart city infrastructure, which would have more points of vulnerability.
Now, imagine this. Beyond privacy and data breach fears, what if there’s a sort of DDoS attack that targets core smart city infrastructure? Theoretically, the city may “come to a halt”.
India is starting its journey now. It probably makes immense sense to put security first and not as an afterthought.