Home security systems are insecure and have weak authentication and authorization practices, according to Hewlett-Packard research. Cue the irony alert.
HP, as part of its ongoing research into Internet of things security, followed up to examine the most popular home security systems. The remote monitoring capabilities of these systems are a big perk, but the sensor network as well as the interfaces can be hacked.
In its research report, HP noted that there are insecure cloud and mobile connections in these home security systems, which feature door and window sensors, motion detectors, video cameras and recorders tied to the Web or a mobile device.
The report was based on data from HP's Fortify on Demand.
HP reviewed a total of ten off-the-shelf home security systems revealing an alarmingly high number of authentication and authorization issues along with concerns regarding mobile and cloud-based Web interfaces. The intent of these systems is to provide security and remote monitoring to a home owner, but given the vulnerabilities we discovered, the owner of the home security system may not be the only one monitoring the home.
Here's a look at the security holes in the 10 most popular home security systems examined.
- 10 of 10 systems allowed unrestricted account enumeration through cloud and mobile interfaces.
- An imperfect 10 systems had weak passwords, lacked an account lockout system and were vulnerable to account harvesting.
- Seven of 10 systems had a security variance between their cloud interfaces and mobile apps.
- One out of 10 mobile applications used Apple's Touch ID for authentication and only one system had two-factor authentication.
- Seven of 10 systems make video streaming available to cloud and mobile interfaces. Those streams can be hacked from any place.
- Of the seven systems with cameras, four gave access to additional users.
As far as best practices go, HP said that consumers need to consider security as part of the connected home product purchase. Enterprises need to segment Internet of things devices from their broader networks and enable all security options at their disposal.