I have been harping on the dangers of insecure embedded systems and physical security systems posing a huge security risk for your internal network. Recently I was talking with a Retail Point of Sale (POS) software expert and was told how a POS system was hacked by an attacker that had gained access to the network through a video security system!
It is so simple now, in the name of convenience, to put various devices online by using extremely cheap embedded systems that act as web servers and remote access devices. In the rush to put everything online, the so-called “Internet of Things”, security is massively taking a back seat.
I particularly find it hard to believe that physical security devices meant to protect your building or premises from a physical attacker are being made with old, outdated or even wide open online services that will allow an electronic attacker full access.
Even heating and air conditioning systems could be targeted by hackers. The Target hack from recent memory was made possible by hackers stealing login information from an HVAC system.
HP recently released a study on the Internet of Things and found:
- Home thermostats
- Remote power outlets
- Sprinkler controllers
- Hubs for controlling multiple devices
- Door locks
- Home alarms
- Scales and garage door openers
Sadly many of these insecure devices can be found worldwide using Google and Shodan searches.
I personally have seen a video security system that used a short lowercase letter password for admin access to its Telnet interface! With further research I found that the company had been notified of the issue years ago and never rectified the situation. New devices are still being made by this manufacturer with the weak password that is publicly posted on the internet!
It is time that the Internet of Things is held to the same security standards as the rest of the computer world. But until manufacturers begin to care about YOUR security or regulations are put into place, I don’t see this problem going away anytime soon; in fact, it is going to get much, much worse.
In the meantime, business owners need to add physical security and “Internet of Things” type devices to their list of systems that need to be scanned for security issues.