Cloud: A Storm Over Passwords
A report from Hewlett Packard suggests that many cloud-based security solutions are easily hacked thanks to poor password security and failure to set up mobile devices properly.
It’s a timely reminder to security installers and monitoring stations that incorporating smart devices and cloud into security systems introduces exposure to a dangerous new ecosystem. The study also shows how important it is for alarm monitoring companies to provide high quality 24-hour protection of client premises. DIY installation and monitoring, combined with poor network security, leaves a home or business open to network and physical attacks. At particular risk, according to HP, are video feeds from IP video cameras.
Results of the study strongly suggest security systems integrators need to stress to customers the importance of creating a strong password for security systems. Further still, they make a case for the implementation of network security policies in system design, including the use of credentials or biometrics as a means of accessing a site and managing a system.
The recently released 2014 HP Internet of Things Research Study undertook analyses of 10 common home security systems. According to the study: “In our ongoing research, we continued to see significant deficiencies in the areas of authentication and authorization along with insecure cloud and mobile interfaces.”
The HP study found that all 10 of the systems were vulnerable to account harvesting via their cloud interfaces. What this means from an IT security perspective is that attackers were able to use software tools to endlessly guess the 4 or 6-digit login credentials until they guessed right. They could then log into web and mobile interfaces to action the alarm system, know when homeowners are away or home, or watch video feeds from inside the home.
Something else the study uncovered was that all 10 of the systems allowed very simple passwords to be selected. In a world where most people are juggling dozens of passwords or they’ve standardised to just a single password for everything, this is a disastrous failure. For instance, all of the systems allowed 12345 to be selected as a password. Meanwhile, 7 out of 10 systems had serious issues with their software updates and 9 out of 10 systems lacked a 2-factor authentication option.
“The biggest takeaway is the fact that we were able to use brute force against all 10 systems, meaning they had the trifecta of fail (enumerable usernames, weak password policy, and no account lockout), meaning we could gather and watch home video remotely,” said HP.
“We can expect to see more of the same across the IoT space precisely because of the complexity of merging network, application, mobile, and cloud components into one system.”
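The three gaps HP names (enumerable usernames, weak password policy, no account lockout) can each be closed at the login service. The sketch below is an added example, not code from the HP study or from any of the tested systems; the class and function names, the 12-character minimum, the 5-attempt threshold and the 15-minute lockout are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

MAX_FAILURES = 5        # assumed threshold, not a figure from the HP study
LOCKOUT_SECONDS = 900   # assumed lockout window
GENERIC_ERROR = "Invalid username or password"

def password_problem(pw):
    """Return why a password is too weak, or None if it is acceptable."""
    if len(pw) < 12:
        return "shorter than 12 characters"
    if pw.isdigit():                 # rejects 4/6-digit PINs and 12345-style codes
        return "digits only"
    if len(set(pw)) < 5:
        return "too few distinct characters"
    return None

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

class LoginService:
    def __init__(self, clock=time.monotonic):
        self.users = {}      # username -> (salt, password hash)
        self.failures = {}   # username -> (failure count, locked-until time)
        self.clock = clock
        salt = os.urandom(16)
        self._dummy = (salt, _hash("placeholder", salt))  # used for unknown users

    def register(self, username, pw):
        problem = password_problem(pw)
        if problem:
            raise ValueError(problem)
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(pw, salt))

    def login(self, username, pw):
        count, locked_until = self.failures.get(username, (0, 0.0))
        now = self.clock()
        # Always do the same hashing work so unknown users are not faster to reject.
        salt, stored = self.users.get(username, self._dummy)
        ok = hmac.compare_digest(_hash(pw, salt), stored) and username in self.users
        if now < locked_until:       # locked: same reply as any other failure
            return (False, GENERIC_ERROR)
        if ok:
            self.failures.pop(username, None)
            return (True, "ok")
        # Count failures for unknown names too, so lockout reveals nothing either.
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, locked_until)
        return (False, GENERIC_ERROR)
```

A production service would also bound the size of the failure table and rate-limit by source address, since per-account lockout alone can be used to lock legitimate users out.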
Internet of actual things
The report from HP comes at the same time researchers reveal that it’s highly likely the Internet of things will not be a gigantic network of everything with electricity running through it. Instead of integrating with microwave ovens and refrigerators, home owners want to integrate with a hub and a specific set of existing functionalities they already value highly.
This finding supports the Lowe Report, which found the home automation functionality at the heart of most people’s idea of a smart home was security and the things people wanted to manage remotely were basic functionalities. These included air conditioning, lighting, and access control. Home owners also want video surveillance of parts of their homes, with caveats relating to privacy.
Interestingly, the researchers pointed out something that home automation sales people have known for a long time. Smart functionalities are governed by a range of variables from privacy laws, to privacy concerns of home owners and citizens, to legal regulations relating to control and integration of electrical products, to the cost of systems and the perceived value such a system has to the end user.
This last is a big one, given most people are happy to manage most electrical items in their homes manually, for instance, by walking up to the washing machine and pressing the on button after filling the machine with laundry and powder. It’s an obvious thing but it represents a confirmation of opportunity for security people. A lot of the smart functionality that people want to remotely access is either our functionality or a function security solutions can provide a gateway for.
The IoT is an idea much broader than Mark Weiser's 1991 conception of ubiquitous computing, an idea that was extended to a world of devices communicating directly with each other without the need for human intervention. Today, there is the possibility of networking national and international infrastructure for improved transport, weather forecasting, earthquake prediction and response, disease tracking and control, and many other applications.
Aelita Skaržauskiene and Marius Kalinauskas of the Mykolas Romeris University (MRU) in Lithuania point out that the International Telecommunication Union (ITU) predicts that by the end of 2015 there will be more than 6.5 billion devices connected to the internet, including many smart devices that have not previously been considered as network-connected.
Three quarters of the global population will have internet access in some form or another and the team says this offers many new opportunities for public and business sectors to close the gap between end users and service providers to mutual benefit: applications and an improved quality of life for the former and improved efficiency and profits for the latter.
But when looking at various practical cases the MRU team found that in reality, the applicability of the IoT might be limited by: “technology and its implementation, legal regulations and what users think provides value”.
It’s not a negative finding from a security installer’s or monitoring station’s point of view, more a confirmation of something we already knew. And it suggests that some of the more expansive concepts of cloud-based automation touted by telcos and internet behemoths may represent an overreach of the possibilities. They may run foul not only of government regulations but also of the fundamentals of human nature.