The assessment carried out by Digital Security of almost 100 connected solutions offers unprecedented insights into the way cybersecurity issues are handled by the Internet of Things market.
Transport and logistics, home automation, wellbeing and health, smart cities and safety: Digital Security assessed the overall security of nearly 100 IoT solutions using innovative technologies.
The assessment included both IoT hardware and software security and an audit of the associated applications and services used to create a connected solution.
Results show a considerable discrepancy between security needs and the measures implemented by manufacturers
“We were surprised to see that connected games are much securer than a lot of critical medical equipment,” said Thomas Gayet, Director of Digital Security’s CERT-UBIK, the department in charge of carrying out security assessments in the company’s dedicated laboratory.
“Quite apart from the different industry sectors, awareness of cybersecurity varies enormously from one company to another, which often gives free rein to innovation – to the detriment of essential measures for data and user security,” added Jean-Claude Tapia, Chairman of Digital Security.
The top 5 most common vulnerabilities found in connected objects
The assessment conducted revealed a list of the most common vulnerabilities found in connected devices:
- #1: Unsecured updates: no encryption or signature for firmware updates;
- #2: Use of default secret questions for passwords: keys and passwords already used in the production environment;
- #3: Unsecured communications: weak or no encryption or integrity check by electronic signature for communications;
- #4: Data stored in plain text: encryption not used for local data storage;
- #5: Presence of debugging interfaces, meaning the hardware components of the device can be taken over.
Whilst these vulnerabilities allow hackers to access a connected device and the data on it, compromising the servers can often lead to all the connected solutions deployed by the manufacturer being taken over.
The “IoT Qualified Security” label is more necessary than ever
For Digital Security, these findings confirm the validity of its IQS certification approach (IoT Qualified Security, a security standard for solutions that deploy connected objects, covering all the components used to provide the service).
Launched in December last year, the IQS label, in closed beta version, currently covers a number of Digital Security’s industrial clients. This initiative, the only one of its kind in the market, addresses the needs of hardware and software manufacturers and end clients using commercial IoT solutions.