Mobile devices, apps open for attacks
'That's like saying because I spoke in French and you don't understand French, it's secure'
In many ways, mobile device security is an oxymoron in its current state. In fact, if you're using an Internet of Things-type device, chances are it has an average of 25 hidden vulnerabilities, according to new research, making it a ripe target for hackers.
That's according to a new HP-led study that sheds light on the alarming number of connected devices with serious security weak spots. As the data reveals, a whopping 70 percent of all commonly used mobile devices and apps have these vulnerabilities.
In the study, HP researchers scanned 10 of the most common IoT devices, identifying 250 total security concerns. And although the devices tested included products from TV, webcam, remote power outlets and home alarm manufacturers, unprotected health data contained on apps was a concern.
[See also: Hacker calls health security 'Wild West'.]
These vulnerabilities essentially render consumer health information unprotected and available for the taking, officials pointed out. The numbers are significant.
Currently, there are more than 100,000 health-related apps just available via smartphones. As consumers use more and more mobile health apps to store certain medical data, they're still, for the most part, unaware that security is lacking. Many of these devices, for instance, are transmitting the unencrypted data over the consumer's network. "Users are one network misconfiguration away from exposing this data to the world via wireless networks," HP officials wrote in the study.
And in the healthcare space -- or anywhere, really -- that's bad news.
Recalling his conversations with one particular medical app developer, Kevin Johnson, chief executive officer of network security consulting firm Secure Ideas, said it proved altogether alarming to hear what they considered security.
Keep in mind, said Johnson, this is an app used by major medical hospitals, with big insurance companies recommending it to doctors.
The developer described the security of the app, Base 64 encryption -- something that doesn't quite actually exist.
"Base 64 is not an encryption mechanism; it's an encoding mechanism," said Johnson. "That's like saying because I spoke in French and you don't understand French, it's secure."
Because of this, and other apps and third-party vendors out there, Johnson recommends healthcare organizations verify vendors' security and make it part of their contract.
Internet of Things devices also were found to have insufficient authorization, HP officials pointed out, with some 80 percent of IoT devices failing to require sufficient passwords.
"While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface," said Mike Armistead, vice president and general manager, Fortify, Enterprise Security Products, HP, in a July 29 press statement. "With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats."
Other report findings included:
- Lack of transport encryption: 70 percent of IoT devices analyzed did not encrypt communications to the internet and local network, while half of the devices’ mobile applications performed unencrypted communications to the cloud, internet or local network. Transport encryption is crucial given that many of the tested devices collected and transmitted sensitive data across channels.
- Insecure Web interface: Six of the 10 devices evaluated raised security concerns with their user interfaces such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text. Some 70 percent of devices with cloud and mobile components would enable a potential attacker to determine valid user accounts through account enumeration or the password reset feature.
- Inadequate software protection: 60 percent of devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could even be intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.