Hackers can hijack 100% of smart home devices

Consumers who own smart home security systems and monitoring devices are at risk from having them tampered by hackers, according to research.

A study by HP tested smart home devices like video cameras and motion detectors and found that 100% contained critical vulnerabilities.

The flaws included a lack of authorisation and transport encryption, insecure interfaces and privacy concerns.

After testing the authorisation quality, HP said all systems failed to require passwords of sufficient complexity and length with most only requiring a six character alphanumeric password. The systems also lacked the ability to lock out accounts after a certain number of failed attempts.

With regard to privacy, all systems collected some form of personal information such as name, address, date of birth, phone number and credit card numbers.

HP said exposure of this personal information is of great concern given the account harvesting issues across all systems.

The cloud-based interfaces also revealed security concerns. The tests found that an attacker could gain access to a device through account harvesting, which uses three application flaws, including account enumeration, weak password policy and lack of account lockout.

The test also revealed that while all systems had transport encryption such as SSL/TLS, many of the cloud connections remained vulnerable to attacks.

"As we continue to embrace the convenience and availability of connected devices, we must understand how vulnerable they could make our homes and families," said Jason Schmitt, VP and general manager of HP’s Security Products.

"With ten of the top security systems lacking fundamental security features, consumers must be diligent about adopting simple and practical security measures when they’re available, and device manufacturers must take ownership in building security into their products to avoid exposing their customers unknowingly to serious threats."

The research comes as 4.9 billion Internet of Things devices are expected to be in use by 2015, up 30% from 2014, and reaching 25 billion by 2020, according to Gartner.

HP leveraged HP Fortify on Demand to assess 10 home security IoT devices along with their cloud and mobile application components.