Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
research study
2015 report
Table of contents
3 Report findings
3 Background on devices
4 Research findings
4 Privacy concerns
6 Conclusion
6 Conduct a security review of your device and all associated components.
6 Implement security standards that all devices must meet before production.
6 Ensuring security is a consideration throughout the product lifecycle.
6 Methodology
The internet of things is here
Few revolutionary technologies have
Overview
created new value pools, displaced
incumbents, changed lives, liquefied Suddenly, everything from refrigerators to sprinkler systems
industries, and made a trillion dollar
economic impact. That is, until the
are wired and interconnected, and while these devices have
internet of things (IoT) sprang to life.
Today, the next big thing is embedding
made life easier, they’ve also created new attack vectors
sensors, actuators, and traditional for hackers. These devices are now collectively called the
low-power systems on chips (SoCs) into
physical objects to link them to the digital internet of things (IoT). IoT devices are poised to become
world.1
more pervasive in our lives than mobile phones and will
have access to the most sensitive personal data such as
social security numbers and banking information. As the
number of connected IoT devices constantly increase,
security concerns are also exponentially multiplied. A
couple of security concerns on a single device such as a
mobile phone can quickly turn to 50 or 60 concerns when
considering multiple IoT devices in an interconnected home
or business. In light of the importance of what IoT devices
have access to, it’s important to understand their security
risk.
1
Sri Solur GM Wearables and IoT HPE. The internet
of things and wearables: Driving the next phase
of personal computing: h30614.www3.hp.com/
Discover/Events/LasVegas2014/SessionDetail/
b91e8602-2768-409a-a07a-487618cdd630
Research findings
IoT
70 percent
of devices along with their
70 percent cloud and mobile
application enable an
of devices used
attacker to identify valid
unencrypted network
user accounts through
service.
account enumeration.
2
Internet of things HPE Security Research Study, Craig
Smith and Daniel Miessler, HPE Fortify, June 2014
Insufficient authentication Insecure Web interface
80 percent failed to and authorization Six of the 10 devices we tested displayed
require passwords of An attacker can use vulnerabilities such as concerns with their Web interface. These
concerns were issues such as persistent cross-
weak passwords, insecure password recovery
sufficient complexity mechanisms, poorly protected credentials, site scripting, poor session management,
and length. etc. to gain access to a device. A majority of and weak default credentials. We identified
a majority of devices along with their cloud
devices along with their cloud and mobile
components failed to require passwords of and mobile counterparts that enable an
sufficient complexity and length with most attacker to determine valid user accounts
allowing passwords such as “1234” or “123456.” using mechanisms such as the password
In fact, many of the accounts we configured reset features. These issues are of particular
concern for devices that offer access to
70 percent did with weak passwords were also used on cloud
websites as well as the product’s mobile devices and data via a cloud website.
not encrypt application. A strong password policy is
OWASP internet of things Top 10–I1 Insecure
communications Security 101 and most solutions failed.
Web Interface
to the Internet and OWASP internet of things Top 10–I2 Insufficient
local network. Authentication/Authorization
Insecure software and
firmware
Lack of transport encryption
Given that software is what makes these
Transport encryption is crucial given that devices function, it was rather alarming
many of these devices are collecting and that 60 percent of devices displayed issues
60 percent raised transmitting data that can be considered including no encryption during downloading
sensitive in nature. We found that a majority of the update along with the update files
security concerns with of the devices failed to encrypt network themselves not being protected in some
their user interfaces. services transmitting data via the Internet manner. In fact some downloads were
and the local network. The importance intercepted, extracted, and mounted as a file
of transport encryption rises significantly system in Linux® where the software could be
when you consider that data is being passed viewed or modified.
between the device and the cloud, and a
mobile application. OWASP internet of things Top 10–I9 Insecure
Software/Firmware
60 percent did not use OWASP internet of things Top 10–I4 Lack of
encryption when Transport Encryption
downloading software
updates
Conclusion Ensuring security is a consideration
throughout the product lifecycle.
A world of interconnected “smart” devices Implement security and review processes
is here, albeit in the early stages. By 2020, early on so that security is automatically
Gartner predicts, the internet of things will baked in to your product. Updates to your
be made up of 26 billion “units.”3 Fortunately, product’s software are extremely important
there’s still time to secure devices before and ensuring there is a robust system in place
consumers are at risk. Below are some actions to support this is key. And when it comes to
that manufacturers of these devices can take your products end-of-life, do your best to
now to secure these devices: leave that product as secure as possible to
both protect your brand and to be a good
Conduct a security review of your device internet of things citizen.
and all associated components.
This includes some fairly straightforward and
simple testing such as automated scanning Methodology
of your Web interface, manual review of your
network traffic, reviewing the need of physical HPE Fortify on Demand used standard
ports such as USB, reviewing authentication testing techniques, which combined manual
and authorization, and reviewing the testing along with the use of automated tools.
interactions of the devices with their cloud Devices and their components were assessed
and mobile application counterparts. To help based on the OWASP internet of things
in the review process an OWASP internet of Top 10 list and the specific vulnerabilities
things top 10 project site has been created to associated with each top 10 category.
assist vendors with securing their products.
After all, it’s better to find vulnerabilities on All data and percentages for this study were
your own terms rather than having someone drawn from the 10 IoT devices tested during
else find them for you. this study. While there are certainly large
numbers of IoT devices already on the market,
Implement security standards that all and that number continues to grow on a daily
devices must meet before production. basis, we believe the similarity in results of
There are many basic security controls which, this subset provides a good indicator of where
once put in place, can raise the security the market currently stands as it relates to
posture of a device significantly. Many of security and the internet of things.
the vulnerabilities identified as part of this
research are considered “low hanging fruit”
and are relatively easy to remediate without Learn more at
Gartner Says the internet of things Installed
hpe.com/go/fortifyondemand
3
Base Will Grow to 26 Billion Units By 2020 affecting the experience of your users.