The IT industry is getting increasingly excited about the potential of the Internet of Things (IoT) but behind that excitement hidden dangers lurk, according to a new report from HP.
HP isn't the only one to voice concerns: in the US the FTC is taking a closer look at the IoT and in the UK Ofcom is investigating a framework for this technology so it can evolve in a way which benefits consumers.
What concerns HP is that, as soon as the IT industry solves one security issue, it then moves on to creates another."It seems that every time we introduce a new space in IT we lose 10 years from our collective security knowledge," said HP's Daniel Miessler in a recent article. Miessler is the leader of the OWASP Internet of Things Top 10 Project and heads the research team at HP Fortify on Demand.
"Around 10 years ago we started talking about applications being the horizon technology, and we proceeded to build a global application portfolio ignoring the security lessons learned from the network world," he said.
"Then, five years ago, we decided that mobile was the real place to be. So everyone started building mobile apps while ignoring everything we've learned from securing web and thick-client applications."
The issue that concerns him now is, "If we continued in this trend we'd have a new space that ignores the security lessons from mobile, but it's actually much worse than that."
How bad? Well the IoT is not just a new insecure space, he said, "it's a Frankenbeast of technology that links network, application, mobile, and cloud technologies together into a single ecosystem, and it unfortunately seems to be taking on the worst security characteristics of each."
In a recent report on IoT security issues, HP Fortify on Demand looked at 10 devices across multiple product types and found that on average there were 20 vulnerabilities per system, spanning TVs, thermostats, home automation hubs, and alarm systems.
For Miessler this was an important moment. As he put it, "It was as if everything we'd learned over the last 25 years in security had been extracted from memory." He said that during their tests, the researchers saw credentials being sent over clear text and every common web and mobile vulnerability "you'd only expect in a web or mobile security lab".
"Securing the IoT will be our greatest challenge as an information security community," Miessler said. "This is true not only because we are starting over from square one again (as we always seem to do), but because the surface area is - by definition - much larger."
In terms of practical help in dealing with these issues, Miessler pointed to the work of the Open Web Application Security Project (OWASP) which last year came up with a list of 10 key issues around the IoT. These were:
- Insecure web interfaces
- Insufficient authorisation or authentication
- Insecure network services
- A lack of transport encryption
- Concerns over privacy
- Insecure cloud interfaces
- Insecure mobile interfaces
- Insufficient allowance for configuring security systems
- Insecure software and firmware
- Poor physical security
OWASP uses a simple step system for making systems more secure. To take the first issue, insecure web interfaces, OWASP says that first you should look at anyone who has access to the web interface, mobile interface, or cloud interface including internal and external users.
You should be aware that attackers use weak passwords, insecure password recovery mechanisms, poorly protected credentials, or lack of granular access control to access a particular interface.
None of this is rocket science and is everyday common practice for security professionals. The issue for organisations is how much of this can they make common practice for all their users.
After considering all possible external threats, the next step would be to look at the internal weaknesses: for example an organisation's authentication may not be sufficient when weak passwords are used or they are poorly protected.
As Miessler puts it: "Buckle in, folks. There is turbulence ahead."
HP's full report, titled Internet of Things Security Study: Home Security Systems Report, can be found here.