The doors are locked, the windows are closed, and the kids are finally in bed. A feeling of warmth and safety usually follows lights-out each night, but that might no longer be the case after a new study found that homeowners who use smart technology in their house are actually making themselves more vulnerable than before.
Hewlett-Packard’s Fortify security team released the results of a new study Tuesday that declared the Internet of Things, the name colloquially given to the interconnection of unique computer devices, a “Frankenbeast” when it comes to information security. And it’s not the kind of faraway information that’s compromised when a Sony or Home Depot is hacked but the passwords protecting actual families’ Wi-Fi networks, garage door openers and alarm protection systems -- even your coffee maker is vulnerable.
Researchers didn’t identify exactly what kind of equipment they examined, only disclosing that they looked at 10 products and found an average of 20 security flaws within each system.
This is the second such study that HP’s Fortify team has completed. In the first, conducted last summer, they tried to determine how well equipped smart TVs, webcams, smart thermostats, remote power outlets, garden sprinkler controls, door locks, home alarms, bathroom scales, garage door openers and a hub for controlling multiple devices were for an attempted hack.
“It was as if everything we’d learned over the last 25 years had been extracted from memory,” Fortify researcher Daniel Miessler said in a statement regarding the latest study. “We saw credentials being sent over clear text, network ports listening with root shells without a password, private data leakage, and every common Web and mobile vulnerability you’d expect in a Web or mobile security lab.”
Fortify researchers found that none of the systems they examined implemented a common defense that limits the number of times a user can enter username/password credentials before being locked out of the account. Cybercriminals exploit this with brute force hacks, in which they deploy malware that automatically enters hundreds of the most common passwords (such as password and password1) until one is successful.
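The defense the researchers found missing can be sketched in a few lines. The following is an added example, not code from HP's study or from any of the products examined; the class name, thresholds and sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SALT = b"constructed-demo-salt"  # constructed; real systems use a random salt per user

def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample account with a weak password of the kind the article mentions.
SAMPLE_ACCOUNTS = {"admin": hash_pw("password1")}

def verify(username, password):
    stored = SAMPLE_ACCOUNTS.get(username)
    return stored is not None and hmac.compare_digest(stored, hash_pw(password))

class LoginThrottle:
    """Temporarily locks an account after max_failures consecutive failed logins."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> clock value at which the lock expires

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: a temporary lock keeps an attacker from shutting
            # the legitimate owner out of the device indefinitely.
            del self.locked_until[username]
            self.failures.pop(username, None)
            return False
        return True

    def attempt(self, username, password, check=verify):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if self.is_locked(username):
            return "locked"  # the password is not even checked while locked
        if check(username, password):
            self.failures.pop(username, None)
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_failures:
            self.locked_until[username] = self.clock() + self.lockout_seconds
        return "denied"
```

With a limit of three failures, a fourth guess is refused even when it is the correct password, which is what stops an automated run through a list of common passwords.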
Other findings included a widespread failure to adopt two-factor authentication, which security experts have repeatedly stressed is one of the only ways to securely log on to a website. HP’s security team went into more detail in the announcement Tuesday:
The study’s conclusion comes as interest in smart homes and the Internet of Things is growing, both among the public and with Washington lawmakers. The number of Internet-connected devices around the world is expected to double from 25 billion to 50 billion over the next five years, according to the Federal Trade Commission. Now, the security questions have grown loud enough for the Senate Commerce, Science and Transportation Committee to schedule a hearing on the matter Wednesday.
“Securing the Internet of Things will be our greatest challenge as an information security community,” wrote HP’s Miessler. “This is true not only because we are starting over from square one again (as we always seem to do) but because the surface area is -- by definition -- much larger…. Buckle in, folks. There is turbulence ahead.”