Your 'Smart' Power Outlets Are Now Botnets Thanks To The Internet Of Broken Things

from the I-just-hacked-your-stapler dept

Making fun of the Internet of Things has become a sort of national pastime, made possible by a laundry list of companies jumping into the space without the remotest idea what they’re actually doing. When said companies aren’t busy promoting some of the dumbest ideas imaginable, they’re making it abundantly clear that the security of their “smart,” connected products is absolutely nowhere to be found. And while this mockery is well-deserved, it’s decidedly less funny once you realize these companies are introducing thousands of new attack vectors in every home and business network the world over.

Overshadowed by the lulz is the width and depth of incompetence on display. Thermostats that fail to heat your home. Door locks that don’t protect you. Refrigerators that leak Gmail credentials. Children’s toys that listen to your kids’ prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death. The list goes on and on, and it grows exponentially by the week.

The latest gift of the Internet of Things industry, revealed last week by security researchers at Bitdefender, is smart electrical sockets that can be hacked to hand over e-mail credentials, create a botnet, or (potentially) burn your house down by firing up connected appliances. The devices are sold as an amazing new tool to help create a connected home, allowing users to manage any device plugged into them via a smartphone and/or the internet. The problem, as usual, is an (unspecified) company that treated security as an afterthought. From the full Bitdefender research paper:

“Bitdefender researchers observed that the hotspot is secured with a weak username and password combination. Furthermore, the application does not alert the user to risks associated with leaving default credentials unchanged. Changing them can be done by clicking ?Edit? on the name of the smart plug from the main screen and choosing a new name and a new password.

Secondly, researchers noticed that, during configuration, the mobile app transfers the Wi-Fi username and password in clear text over the network. Also, the device-to-application communication that passes through the manufacturer?s servers is only encoded, not encrypted.

That’s not just bad security, that’s yet another company that’s not even trying. And not even trying, it should be added, despite a constant flood of news reports that have demolished an endless list of different brands for failing to embrace things like fundamental encryption. We’re building a mansion out of flammable toothpicks and empty promises, and as Bruce Schneier recetly noted, it’s really only a matter of time before the check comes due on a fairly massive scale.

And while security is a big part of the problem, equally troubling is the rise of “smart” products that stop working once the company’s manufacturer gets bored or sold. Like, you know, connected light bulbs that no longer really connect to much of anything:

“Earlier this month, our colleague and Consumerist reader Michelle spotted a great deal on some Connected by TCP smart lightbulbs she?d been eyeing for her home. Before buying, she checked to see if they?d be compatible with her Amazon Echo or Wink app, and it?s good that she checked first. As it turns out, those bulbs are no longer compatible with any device, app, or hub, because TCP pulled the plug on their server as of June 1.

Whoops, sorry! Not only is the Internet of Things a total shit show when it comes to security and privacy, you also don’t really own the things you buy, creating a universe of new possibilities when it comes to dysfunction, fraud, and misleading advertising promises. There are plenty of reasons why this incompetence is coming home to roost, though the simplest is that many companies were just too cheap and lazy to invest in quality kits, research and technology, and most IOT “evangelists” were too focused on self-promotion to much care about the fact that they were selling us an industrial-grade disaster.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Your 'Smart' Power Outlets Are Now Botnets Thanks To The Internet Of Broken Things”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

To some extent, that just describes smart decision making. People aren’t rejecting these technologies, just the implementation, support, and security of these technologies.

We need an update to the Magnuson-Moss Warranty Act, to require the same level of liability for anything requiring cloud support for operation. At minimum this should be something like an escrow account held in trust to maintain online services for a period of years after the last device is manufactured.

Security is tricky, because the implementation needs to be easy. It would be nice if someone like Consumer Reports started up an IoT Security section to better educate people about the security exposure of these things.

wiserabbit says:

Re: Re: Re:

…does the whole licensing thing instead of owning impact the coverage of Magnuson–Moss Warranty Act?

(1) The term “consumer product” means any tangible personal property which is distributed in commerce and which is normally used for personal, family, or household purposes (including any such property intended to be attached to or installed in any real property without regard to whether it is so attached or installed).

because there’s this bit in 15 U.S. Code § 2301 – Definitions
(9) The term “reasonable and necessary maintenance” consists of those operations (A) which the consumer reasonably can be expected to perform or have performed and (B) which are necessary to keep any consumer product performing its intended function and operating at a reasonable level of performance.

tlhonmey says:

Re: Re: Re:

Please don’t suggest that. Much better to have the product quit working than to continue functioning for years on a cloud infrastructure that’s no longer receiving security updates. If you think it’s bad when there are security issues, just wait until someone breaks into a no-longer-supervised system and uploads some custom firmware.

Anonymous Coward says:

Re: Re: Re:

Dont forget an open API and possibillity to run your server at home. I want some smart features at home, but my stuff should never “call home”. Open implementation and code availible on GitHub is a must for me. Usually takes care of the security part as well. Can’t have that abysmal security with source code availible

Anonymous Coward says:

Re: Re: Re: they will stop making shit

“superior product”

Dumb technology is the superior product IMO, at least until IoT leaves its beta phase. Buying this stuff now means you have time and effort to expend on what are still novelties. IoT will never create value unless they become easier to use than what they intend to supplant.

Anonymous Coward says:

Re: Re: they will stop making shit

You either fight back, or take what you get.

When you go ask government to do it, you are just asking for a bigger badder bully to help you out. Not sure you are getting how this life thing works.

A great mind once said…

I would rather be exposed to the inconveniences attending too much liberty than those attending too small a degree of it.

~Thomas Jefferson

Anonymous Coward says:

Re: they will stop making shit

I’m sure all the residents of Prince William Sound and the surrounding area are still thanking Exxon for giving them exactly what they wanted.

Similarly, I’m sure all Gulf state residents are still thanking British Petroleum for the wonderful things done with the Deepwater Horizon.

No need for any regulations here because the market is self regulating, these corporations are not bending the rules to make more money, they are simply giving their customers what they want. How was I so wrong about this for so long. Thank you for straightening me out – I’m saved!

Uriel-238 (profile) says:

Re: Shit sells.

People would buy a microwave oven that baked anyone in line of sight if it weren’t for the state regulating microwave oven emissions.

Worse yet, so long as the corporations could suppress news of customers getting cooked by their own oven, they’d continue to sell until there were tens or hundreds of thousands of dead victims. And no-one in the company would be held liable.

So no, we’re thankful for many of the regulations we have. We’re thankful for the government assuring us that our clock radio doesn’t give us cancer. (some models do.)

But because the technical details of IoT appliances are lost both to regulators and customers, we’re not going to see a regulation until there’s a disaster.

Only after the Titanic sinking did we see regulations on the number of lifeboats required on a ship.

Only after an outlet botnet are we going to see reform of IoT security.

Anonymous Coward says:

Re: Re: Shit sells.

I bet there are many millions of people who would have preferred far less powerful government were they not already killed by that government.

What amazes me, is people think corporations are big, bad, evil entities and governments are saints. Yet history is full of governments that kill on a far larger scale than any company could do because governments have all the guns.

Uriel-238 (profile) says:

Re: Re: Re: Big government.

I bet there are many millions of people who would have preferred far less powerful government were they not already killed by that government.

Are you referring to demographics that are not regarded by the government except as outlaws, such as Jews in Nazi Germany?

That is the same end result of when you have too small a government, which is invasion by a larger one.

As for this mythical people who regard corporations as bad but governments as saintly, you’ll have to be more specific. I don’t know a single person, or a single group that insists that is a platform.

Here, we know that government is necessary for infrastructure, but it is also prone to corruption, which is a problem we’ve yet to solve.

But if you choose to have a smaller government, then you choose to have less infrastructure, which means lower standards of living e.g. not only no running water, but no consistent supply of safe drinking water. And if you get the fever, you’re just written off.

Safe meat, safe water, consistent electricity, firewood every winter, sewage processing, waste disposal, disease control…all these things require infrastructure which requires government regulation. Market forces do not make for these things.

If you like them then you like the fruits of big government.

Anonymous Coward says:

Re: Re: Re:2 Big government.

Ah yes, we all know the Dems are really just about safe groceries. Sorry, nobody is buying that, the Dems are about controlling every aspect of our lives and have ZERO tolerance for dissent. That is the very problem with big government, they ultimately will not tolerate dissent and will put you in the ground for it.

Uriel-238 (profile) says:

Re: Re: Re:3 And all you think to do stroke your harp while it burns.

Ah, it seems you and I were having different conversations entirely. I was talking about the virtues — and necessity — of a large powerful government. You seem to be seeing government as not a tool for creating a civilization but a campaigning chip by which to extol your party platform of choice.

Considering the GOP is ready to spend billions on a useless wall and create Neuremburg laws regarding the Nonwhite and Muslem problems, the DNC distaste for dissent starts looking mild, particularly given the previous Repuplican administration burned spies and representatives for less than an imperfectly lined toe.

Even before the current Trump problem, the GOP’s platform had long festered down to who is or isn’t allowed to fuck. And any pretense by the GOP of taste for small governmend disintegrates with military considerations.

But the GOP is the only competition against which the DNC runs, and the more pathetic your caracatures of candidates run, the less the DNC has to do to compete, which is how Hillary can effectively run with total technical incompetence. The GOP failure to compete, gave the DNC a monopoly on rationality, and like Comcast, they provide shitty service at ridiculous cost.

I’m not sure if the historians are going to argue that Reagan was the dolorous stroke from which the US bled out, or George W. Bush, but both of those guys were picked from the post-Southern-Strategy GOP pool, and between them, the shining city is ablaze. The proverbial barbarians are at our gates.

Anonymous Coward says:

Re: Re: Re:4 And all you think to do stroke your harp while it burns.

Wow, so Reagan set the country on fire? That is so far from true it isn’t even funny. You guys are amazing. It was bad enough that for the last 8 years everything was Bush 2s fault, now you have lowered the bar to say it goes back to the 80s.

Now if you want to talk about arsonists, you merely have to look at the current president. He has fomented a race war where none existed before. He has accumulated more debt than all other presidents combined before him. Something Hillary will gleefully add to. We have more people on social programs now than before O started. The labor participation rate is lower than it has been in decades. Check the transportation industry stats and you will see it is down across all sectors (rail, truck, ship) so we are headed into another recession. That of course will be blamed on the next Pres when in fact it rests squarely on the failed policies of the current admin.

Uriel-238 (profile) says:

Re: Re: Re:5 "Wow, so Reagan set the country on fire?"

You don’t get metaphor?

Fair enough. No, he didn’t literally set the nation on fire, but he did bring us a lot closer, by rekindling nuclear escalation with the Soviet Union. Nixon and Carter negotiated with the USSR and stood behind Peaceful Coexistence. But for Reagan (like Wilson) allowing for the godless Soviet Union to continue was intolerable to him, and he he felt that the fall of the USSR was the only acceptable outcome, even if it all had to end in nuclear fire.

But no, the gates Reagan opened was to corporate lobbyists and the allowance of soft money in campaigning, from which we now have the corporate deadlock on politics today.

But yes, it goes back to the eighties, and even further than that, but you might have to history some if you’re going to comprehend anything beyond the party rhetoric.

Good thing you have the internet.

Anonymous Coward says:

Re: Re: Re:6 "Wow, so Reagan set the country on fire?"

You don’t need the internet to see what has happened under O since we are still victims of his failed policies. We will get more of the same under H. By the time those 2 are finished, this country will be so far in debt and in so much civil unrest it won’t matter what the Russians are doing.

Uriel-238 (profile) says:

Re: Re: Re:7 What's more interesting to me is that you're continuing to blame Obama

…As if Romney or McCain would have been better?

The system is irreparably corrupt. Putting Trump into office is only going to make it worse by (as what happened with Bush) providing a puppet for people to hate while people behind him steer public assets into their own coffers. Trump would let it happen, and probably wouldn’t even care how it affects his image in history.

I’m not arguing Clinton is a good choice. As someone who believed Obama’s 2008 campaign promises of reform (Hope and change, remember that?) what he did is not what I voted for. But then again, Bush before him went hard right and full hawk despite his Compassionate Conservative campaign in 2000. Even after he lost the popular vote, and knew the nation was more liberal than he was.

And yes, Clinton may continue to put the US further in debt (a topic worthy of its own discussion) but trump is not going to pull us out of debt, or even put us in less debt. As I said, most likely he’ll subsidize those interests that will motivate him, possibly by having a shill insult him in public.

No president is going to fix the nation. That’s the problem. And blaming presidents for not fixing the nation doesn’t move us any closer to fixing the nation.

So yeah, social unrest if that’s what you want to call it may be what dismantles the United States, but that’s going to happen no matter who goes in the oval office, because the hands in the puppet (whichever puppen) aren’t interested in fixing the nation for the long term, or in the interest of the people.

Which was something I was trying to say in the first place. Please try to look past the party contest.

Anonymous Coward says:

It should be the local net of things, with a secure remote access to you own controller. That way only one interface has to be secured from remote attackers. That leaves the local WiFi network to be secured from local attacks, and it can be made reasonable secure. Being able to limit the things to communicate to a fixed local IP will also help secure things.
Putting lots of devices on the open Internet is a stupid Idea, because of the massive increase in attack surface, but is done in part because in many countries, domestic connections do not have a fixed IP.

The Baker says:

Risk and Sensational Rhetoric

” …(potentially) burn your house down by firing up connected appliances”

Wow … Sensational rhetoric is what we usually rail against here on Techdirt.

The fact is that anything we do digitally can be hacked. Anytime we are connected to a network we are at risk while most of our devices have security holes that put us at risk. Most things we do in life put us at risk and many of these things we are unaware of. It seems that we have two choices, live off grid in a cave with no contact or connectivity with the outside world or manage the risk the best we are able to. Most of us do this every day when we engage in one of the most dangerous activities we have in this modern world … going out in the world and transporting ourselves to work, play, and hunting and gathering for our existence. We make decisions and choices to minimize the risk.
We also can choose to do this in our digital life too. I have a smart thermostat, a Z-Wave hub controlling lights and my garage door. I choose to do these things because I seek the usefulness of these devices and understand the risks the best I can while trying to minimize the risks by utilizing proper security measures where I can and accepting or rejecting the risk where I cant.
Someone can not burn down my house by turning on the outlet to my father-in laws LED lamp or my outside lights even if they manage to hack a Z-Wave network from a mile away. My HVAC has a secondary “dumb” thermostat that will never let my house freeze or heat over 100. My garage is detached and anyone getting into it and stealing what is there is probably saving me a trip to good will.
There are easier ways for someone to steal my digital credentials and the fact is … just like getting into my house, if they really want to, they can get in anyway. The best I can do is minimize my risk and have a plan if they do.

I absolutely agree that the the iot companies need to do a better job at securing their devices, so do the car companies, software companies, hardware companies, banks, our government … on and on..

So, how many houses have been burned down because someone hacked a smart outlet? Wouldn’t there be other failure modes at play? (bad thermostat AND bad protective switch in the heater) Are there greater risks we should spend our worry and collective efforts addressing?

Next thing you know, the behind in the polling Senator from the state of ignorance will be introducing legislation banning these tragically harmful devices.

Andrew D. Todd (user link) says:

Feedback Instead.

Broadly speaking, Internet-of-Things devices do not work very well because the relevant information is local, coming from local sensors. Information from far away is usually irrelevant. The proper approach is to use _feedback_. For example, lights often work with infra-red sensors. If something is moving, the lights come on. Or lights can be connected to photo-cells, so that they switch on when it is dark.

I have a toaster-oven which detects how browned the bread is, and shuts down accordingly. It seems to work with a fairly wide range of bread types without needing to adjust the setting dial. It’s a simple analog mechanism, in a toaster-oven which I bought for about twenty dollars, back in the late 1990’s. There’s also a thermostat, similar to that in a conventional oven.

It might be possible to improve a microwave oven, by enabling it to map the state of its contents, and apply energy accordingly. The microwave oven ought to be able to distinguish ice from water, by the secondary radiation, and aim microwaves at the ice. Ice absorbs microwaves less efficiently than water, and consequently a frozen burrito, cooked in the microwave, can be excessively hot at one end, and still frozen at the other. A smart microwave oven could deliver uniform defrosting and cooking. However, the oven does not need the internet to do this, only local sensors and local controls.

Things like smart internet-connected thermostats tend to be based around ignorance of the science of thermodynamics. I discussed this issue several years ago, in respect of the Nest thermostat:


After about 1950, automobiles essentially ceased to make improvements in usable speed. An automobile is no better than the road it runs on, and there was never the political will to create 100-150 mph freeways. The result was that automobile styling went crazy. Automobiles mostly acquired non-functional tail-fins, and air intakes copied from jet fighters. The Batmobile is a fairly representative specimen of 1950’s automobile body design, though, by the time the Batmobile was produced (1966-68), this had become a matter of subtle caricature. The Batmobile was in fact a Ford “concept car” from 1954, hastily modified for the television series.

Internet development is going through the same process, only in a kind of “follie-a-deux” mode with certain traditional industries, such as the makers of lighting fixtures.

Anonymous Coward says:

Re: Feedback Instead.

I think you are onto something. Many devices are a solution in search of a problem. An old fashioned, programmable thermostat will get you most of the benefit, if there is any, for $20. Personally, when it comes to thermostats, I think setting a reasonable temp and leaving it is far more energy efficient. Let all the thermal mass in your home heat up or cool down and then trying to bring it back to temp seems far more wasteful than getting it to the desired temp and keeping it there.

PT says:

The fundamental problem

The fundamental problem with these IoT devices is – LINUX. They all run Linux, which is a full operating system capable of loading and running applications. I have nothing against Linux as an operating system, but it’s inappropriate for an embedded system whose job is to run one and only one special application for ever. Just why a thermostat needs the ability to change its application program remotely escapes me. I can see the attraction of Linux to people who are too lazy, or too incompetent, to write their own embedded drivers the way we did when things were designed by competent engineers, but they should at least put in some security to detect unauthorized program changes and refuse to load them.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...