Smart home kit proves easy to hack, says HP study

Image caption: HP questioned whether smart home devices needed to gather so much private information

A study of some of the most popular app-controlled devices for the home suggests the majority of the products tested were vulnerable to hackers.

HP's Fortify security division reviewed 10 pieces of internet-connected kit.

It said the majority did not require a password of sufficient complexity and length and that most did not encrypt the data they transmitted.

One independent security expert said the findings were "shocking".

Image caption: All the devices tested could be controlled by apps

HP has not named the manufacturers involved, but has identified the 10 types of net-connected products studied:
  • A smart TV
  • A webcam
  • A smart thermostat
  • A remote power outlet
  • A garden sprinkler control
  • A door lock
  • A home alarm
  • Bathroom scales
  • A garage door opener
  • A hub for controlling multiple devices

Privacy worries

One of the report authors' biggest concerns was that eight of the devices surveyed did not require consumers to use hard-to-hack log-ins.

It said that most allowed passwords as simple as "1234" or "123456", which could then be used to access both the app and a website providing access to the owner's records.

In addition, the team said, the interfaces used by six of the devices' websites had other security flaws that could cause them to be compromised. For example, it said, in some cases hackers could exploit the password reset facility to determine which accounts were valid, allowing them to focus follow-up attacks.
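
The password-reset weakness described above, shown beside a hardened form, as an added example that is not taken from the article or from HP's report. The account store, handler names and messages are hypothetical.

```python
import secrets

# Constructed sample data: accounts at a hypothetical device-cloud website.
USERS = {"alice@example.com", "bob@example.com"}
OUTBOX = []  # stands in for the outgoing mail queue: (recipient, token)

GENERIC = "If that address is registered, a reset link has been sent."


def reset_leaky(email):
    """Status and text differ by account state, confirming which accounts exist."""
    addr = email.strip().lower()
    if addr not in USERS:
        return 404, "No account found for that address."
    OUTBOX.append((addr, secrets.token_urlsafe(32)))
    return 200, "Reset link sent."


def reset_uniform(email):
    """Same status and text for every address; mail is queued only for real accounts."""
    addr = email.strip().lower()
    token = secrets.token_urlsafe(32)  # generated either way so both paths do similar work
    if addr in USERS:
        OUTBOX.append((addr, token))
    return 200, GENERIC


def leaks_account_state(handler, known, unknown):
    """Regression check: True if registered and unregistered addresses get different responses."""
    return {handler(e) for e in known} != {handler(e) for e in unknown}


if __name__ == "__main__":
    known, unknown = ["alice@example.com"], ["nobody@example.com"]
    print("leaky handler leaks:  ", leaks_account_state(reset_leaky, known, unknown))
    print("uniform handler leaks:", leaks_account_state(reset_uniform, known, unknown))
```

A uniform response body closes only the most visible signal; response timing and per-client rate limits on the reset endpoint need the same treatment.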

A lack of encryption - the digital scrambling of data to make it unreadable without a special key - was also flagged as a worry.

HP said that seven of the devices failed to encrypt communications sent to the internet and/or a local network.

It added that six of the pieces of kit did not use encryption when downloading software and firmware updates. It said hackers could take advantage of this to intercept, modify and retransmit the code, potentially allowing them to take control of many customers' equipment.

The report also suggested that eight of the devices raised broader privacy concerns.

"With many devices collecting some form of personal information such as name, address, date of birth, health information and even credit card numbers, those concerns are multiplied when you add in cloud services and mobile applications that work alongside the device," it stated.

"And with many devices transmitting this information unencrypted on your home network, users are one network misconfiguration away from exposing this data to the world via wireless networks.

"Do these devices really need to collect this personal information to function properly?"

'Security holes'

HP is not the first firm to highlight problems with smart home devices.

Image caption: Lifx issued a fix for its wi-fi light bulbs after a security flaw was exposed

Earlier this month, another security firm revealed that wi-fi-controlled light bulbs sold by an Australian firm, Lifx, could reveal their owner's username and passwords if a hacker used a device that masqueraded as being another bulb.

In January, another report highlighted the case of a smart fridge that had been hacked and used to send out spam emails.

And last year, LG was prompted to issue a fix for its smart TVs after one owner discovered his set was monitoring his watching habits and then transmitting the information over the internet unencrypted.

Ian Brown, professor of information security and privacy at the University of Oxford, said HP's report should act as a wake-up call.

"We're used to hearing about vulnerabilities in computing systems, but those are often legacy products designed before today's greater focus on security," he told the BBC.

"It's slightly shocking to see these brand new internet-of-things devices being created with so many security holes.

"I hope device manufacturers realise they have to do much better if they want to avoid damaging consumer trust in the whole sector before it even takes off."
