Makers of IoT Devices Lack Maturity in Security Matters

A security firm tests 9 baby monitors and finds that 8 fail simple security tests, indicating that connected-device makers need to grow up, security-wise.

IoT security

Manufacturers of connected devices still have a lot of growing up to do when it comes to security.

Consumer devices are increasingly designed to be connected to the Internet, but continue to have basic design flaws and security vulnerabilities that leave them open to attack. In a test of nine baby monitors, for example, security firm Rapid7 found 10 serious vulnerabilities, including five cases of vendors leaving in backdoor access to the devices. When the company created a scorecard of the security design of the devices, only a single device passed—earning a "D."

None of the vendors advertised their security measures, or lack thereof, and the price of the devices, which ranged from about $50 to $250, had little relationship to how well they scored, according to Mark Stanislav, senior security consultant of global services at Rapid7.

"It is really difficult, as a consumer, to know whether what you are buying off the shelf is secure," he said. "Unfortunately, the status quo for the Internet of things is not a high enough bar, in terms of security."

Connected devices, also known as the Internet of things, have been increasingly targeted by security researchers and are usually found to have significant security flaws. In February, the security arm of technology firm Hewlett-Packard found that connected security systems had significant vulnerabilities that could leave their users at risk of being hacked. Last year, Symantec and Rapid7 released similar research that found security holes in a number of devices.

In the latest research, Rapid7 analyzed the workings of nine different baby-monitoring devices from eight different vendors. The company found significant vulnerabilities that could allow an attacker to access to the camera or run code on the actual device.

The service supporting one device used predictable URLs that an attacker could easily modify to gain access to other account holders' information. The design of a way to access video in real time led to a second vulnerability because the vendor put real-time video on a hosted service on the public Internet. A third vulnerability occurred in a poorly implemented service for sharing video with relatives and friends, resulting in the video stream being accessible to attackers.

Rapid7 scored the devices on whether they had any of seven security features, including whether the devices' local and Internet communications were encrypted with Secure Sockets Layer (SSL) and whether the device had any potential backdoors, hidden accounts or known vulnerabilities. Of 100 possible points, results ranged from 0 to 50 for the eight devices that failed the tests. The single device that passed scored 64 out of 100 points.

"The score is more an indication of engineering practices, decisions that were made during the design phase or the implementation phase," Stanislav said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...