The next time you sell a security system, especially one with mobile access, it’s vitally important to impress upon your customers the need to create a strong password that cannot be easily hacked.
Unfortunately, according to a new study by Hewlett Packard (HP), that is usually not the case.
The 2014 HP Internet of Things Research Study analyzed 10 common home security systems (which it does not name). The study notes, “In our ongoing research, we continued to see significant deficiencies in the areas of authentication and authorization along with insecure cloud and mobile interfaces.”
The study revealed:
- All 10 of the systems were vulnerable to account harvesting via the cloud interface. That means attackers can keep guessing the login credentials until they get them right, and then log in to the web and mobile interfaces to learn when homeowners are away or home, or even watch video of the home.
- All 10 of the systems allowed weak passwords; the study notes that “12345” was allowed to be used.
- All 10 systems failed to implement account lockout defense.
- 7 out of 10 systems had serious issues with their software updates.
- 9 out of 10 systems lacked a two-factor authentication option.
“The biggest takeaway is the fact that we were able to brute force against all 10 systems, meaning they had the trifecta of fail (enumerable usernames, weak password policy, and no account lockout), meaning we could gather and watch home video remotely,” says the report.
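As an added illustration (not code from the HP study or from any of the tested systems), the sketch below shows a login check that closes the three gaps the report lists: it answers unknown and known usernames identically, rejects passwords such as “12345”, and locks an account after repeated failures. The thresholds, deny-list and class name are assumptions chosen for the example.

```python
import hashlib, hmac, os, time

MAX_FAILURES = 5         # assumed threshold before lockout
LOCKOUT_SECONDS = 900    # assumed lockout window (15 minutes)
COMMON = {"12345", "123456", "password", "qwerty"}  # constructed sample deny-list
GENERIC_ERROR = "Invalid username or password"

def password_acceptable(pw):
    """Weak password policy fix: reject short or commonly used passwords."""
    return len(pw) >= 12 and pw.lower() not in COMMON

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class LoginService:
    def __init__(self, clock=time.time):
        self.users = {}      # username -> (salt, password hash)
        self.failures = {}   # username -> (failure count, locked-until time)
        self.clock = clock
        self._dummy_salt = os.urandom(16)

    def register(self, username, pw):
        if not password_acceptable(pw):
            return False
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(pw, salt))
        return True

    def login(self, username, pw):
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            # Lockout: same generic message, so a lock reveals nothing either.
            return False, GENERIC_ERROR
        # Enumeration fix: unknown users take the same hashing path and get
        # the same error as known users with a wrong password.
        salt, stored = self.users.get(username, (self._dummy_salt, b""))
        if hmac.compare_digest(_hash(pw, salt), stored):
            self.failures.pop(username, None)
            return True, "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        # Failures are tracked for unknown names too, keeping behaviour uniform;
        # a production system would bound this table.
        self.failures[username] = (count, locked_until)
        return False, GENERIC_ERROR
```

A deployed system would pair this with per-source rate limiting and a second authentication factor, which nine of the ten systems in the study did not offer.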
The report concludes, “We can expect to see more of the same across the IoT space precisely because of the complexity of merging network, application, mobile, and cloud components into one system.”





