All studied products failed to meet basic security standards

Feb 12, 2015 12:50 GMT  ·  By

A study on some of the most popular Internet-connected security devices reveals notable flaws touching on authentication and authorization, as well as cloud-based and mobile web interfaces.

The researchers from HP tested ten of the newest such devices and found that, in many cases, poorly integrated protection mechanisms would allow a third party to turn the devices against their owner.

Sub-par authentication mechanism

“The intent of these systems is to provide security and remote monitoring to a home owner, but given the vulnerabilities we discovered, the owner of the home security system may not be the only one monitoring the home,” the researchers say in a recent report.

The weaknesses range from a lack of two-factor authentication (2FA), which only one device offered, and account enumeration issues in both the mobile and the cloud-based interface, to poor implementation of the SSL/TLS secure communication standard, which left the devices exposed to the POODLE vulnerability.

One weakness shared by all tested devices was that weak passwords were accepted, the lowest standard being a six-character alphanumeric string. Combined with insecure password recovery or poorly protected log-ins, this could give an unauthorized third party access to the device.

The researchers also identified the possibility of brute-force attacks, as some systems placed no limit on the number of failed log-in attempts.

Weak protection of information

Account enumeration flaws were observed in seven cases. These would allow an attacker to confirm that a target's user account exists from the differing responses returned by authorization-related services, such as the feedback from a password reset request or a failed log-in.
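The three authentication weaknesses described above (a six-character alphanumeric password minimum, no limit on failed log-ins, and account enumeration through differing responses) as an added Python example that is not from the HP report; the user store, response messages and lockout values are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample user store (not from the report): username -> (salt, sha256(salt + password)).
def _hash(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {"alice": ("s3cr3tsalt", _hash("s3cr3tsalt", "Tr0ub4dor&3-long-enough"))}

# Weak policy the study found (six alphanumeric characters) beside a stricter one.
def password_meets_policy(pw, weak_policy=False):
    if weak_policy:
        return len(pw) >= 6 and pw.isalnum()
    return len(pw) >= 12 and re.search(r"[^A-Za-z0-9]", pw) is not None

# Leaky reset: the response text reveals whether the account exists.
def reset_request_leaky(username):
    return "reset email sent" if username in USERS else "no such account"

# Hardened reset: identical response either way; existence only changes the side effect.
def reset_request_uniform(username):
    if username in USERS:
        pass  # the reset email would be queued here (assumed, not shown)
    return "if that account exists, a reset email has been sent"

MAX_FAILURES = 5        # assumed lockout threshold
LOCKOUT_SECONDS = 900   # assumed lockout duration
_failures = {}          # username -> [failure count, locked-until timestamp]

def login(username, password, now):
    # Check lockout before evaluating credentials so a locked account cannot be brute-forced.
    count, locked_until = _failures.get(username, [0, 0.0])
    if now < locked_until:
        return "locked"
    record = USERS.get(username)
    # Unknown users are compared against a dummy hash so timing does not reveal existence.
    salt, stored = record if record else ("dummy", _hash("dummy", ""))
    ok = record is not None and hmac.compare_digest(_hash(salt, password), stored)
    if ok:
        _failures.pop(username, None)
        return "ok"
    count += 1
    locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
    _failures[username] = [count, locked_until]
    return "invalid credentials"  # same message for unknown user and wrong password
```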

HP reports that several of the studied systems raised concerns about the firmware update mechanism, which relied on an unencrypted connection for the transfer. Even more worrying, one of the systems delivered the update file via FTP and allowed the credentials to be captured, which gave write access to the server.

Apart from the possibility to take control of the security devices, HP says that all of them collected different types of personal information, some including payment card data and phone numbers along with name, address and/or date of birth.

One of the best recommendations for consumers is to replace the default username and password provided by the manufacturer with a strong pair. It is also sound advice to pay attention to the security features available.

Enterprises can isolate the Internet of Things devices from the rest of the network in order to avoid intrusion.