IoT vendors accused of 'taking security back to 1990s'
Network security outfit Lancope says IoT vendors not learning from rest of industry after security flaws uncovered in wireless thermostat
Fears over the security of the Internet of Things (IoT) have been reiterated after a blogger claimed he had uncovered security weaknesses in a WiFi thermostat.
The WiFi thermostat producer Heatmiser announced on Twitter that it is contacting customers to warn them of security risks in the wake of a blog post by Andrew Tierney on cybergibbons.com.
Tim Keanini, chief technology officer at network security vendor Lancope, said he felt the problem highlighted issues with IoT technology.
Keanini said: "The larger problem is that these IoT vendors are not learning from the rest of the industry. They are taking us back to the 1990s in terms of types of vulnerabilities and this is not good.
"Another pattern in the embedded computing platforms is that a vulnerability found in one system is likely to be found in another because many of the software systems are reused across vendors. Running this type of attack across all the other products in a company's suite as well as other vendors is a good practice and should be done before the bad guys go about doing it," he said.
The wireless thermostats produced by Heatmiser can be controlled from a web browser or mobile app by forwarding two ports on the user's router to the device.
But the system has security flaws that leave the thermostats vulnerable to cyber attacks, such as easily accessible usernames and passwords and susceptibility to cross-site request forgery, Tierney reported.
Heatmiser took to Twitter to reassure customers.
@HeatmiserUK
"A security issue has been identified on our WiFi Thermostat. We are contacting customers to inform them and are working to fix ASAP."