The 2014 HP Internet of Things Research Study analyzed 10 common home security systems (which it does not name). The study notes, “In our ongoing research, we continued to see significant deficiencies in the areas of authentication and authorization along with insecure cloud and mobile interfaces.”
The study revealed:
- All 10 of the systems were vulnerable to account harvesting via the cloud interface. That means attackers can keep guessing login credentials until they get them right, then log in to the web and mobile interfaces to learn when homeowners are home or away, or even watch video of the home.
- All 10 of the systems allowed weak passwords; the study notes that “12345” was allowed to be used.
- All 10 systems failed to implement account lockout defense.
- 7 out of 10 systems had serious issues with their software updates.
- 9 out of 10 systems lacked a two-factor authentication option.
“The biggest takeaway is the fact that we were able to brute force against all 10 systems, meaning they had the trifecta of fail (enumerable usernames, weak password policy, and no account lockout), meaning we could gather and watch home video remotely,” says the report.
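As an added illustration (not code from the HP study or from any of the tested systems), the sketch below shows a login check that closes all three gaps the report names: it rejects weak passwords at registration, returns the same response for unknown users and wrong passwords, and locks an account after repeated failures. The class name, thresholds, and denylist are assumptions chosen for the example; it does not cover two-factor authentication.

```python
import hashlib, hmac, os, time

MAX_FAILURES = 5        # assumed threshold before lockout
LOCKOUT_SECONDS = 900   # assumed lockout duration
MIN_LENGTH = 12         # assumed minimum password length
COMMON = {"12345", "123456", "password", "qwerty"}  # constructed sample denylist
GENERIC_ERROR = "invalid username or password"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    """Hypothetical in-memory login check; a real service would persist state."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}     # username -> (salt, password hash)
        self.failures = {}  # username -> (failure count, locked-until time)
        self._dummy_salt = os.urandom(16)

    def register(self, username, password):
        # Password policy: refuse short or well-known passwords such as "12345".
        if len(password) < MIN_LENGTH or password.lower() in COMMON:
            return False
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))
        return True

    def login(self, username, password):
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        # Lockout: while locked, even the correct password is refused.
        if now < locked_until:
            return (False, GENERIC_ERROR)
        # Unknown users take the same code path (hash against a dummy salt and
        # an empty stored value) so the response does not reveal valid names.
        salt, stored = self.users.get(username, (self._dummy_salt, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures.pop(username, None)
            return (True, "ok")
        # Failures are counted for unknown names too, so lockout behaviour
        # cannot be used to tell real accounts from nonexistent ones.
        count += 1
        locked = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, locked)
        return (False, GENERIC_ERROR)
```

In production the failure table would need expiry and a size bound, and per-source rate limiting would sit alongside the per-account lockout.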
The report concludes, “We can expect to see more of the same across the IoT space precisely because of the complexity of merging network, application, mobile, and cloud components into one system.”