Your 'Smart' Power Outlets Are Now Botnets Thanks To The Internet Of Broken Things
from the I-just-hacked-your-stapler dept
Overshadowed by the lulz is the width and depth of incompetence on display. Thermostats that fail to heat your home. Door locks that don't protect you. Refrigerators that leak Gmail credentials. Children's toys that listen to your kids' prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death. The list goes on and on, and it grows exponentially by the week.
The latest gift of the Internet of Things industry, revealed last week by security researchers at Bitdefender, is smart electrical sockets that can be hacked to hand over e-mail credentials, create a botnet, or (potentially) burn your house down by firing up connected appliances. The devices are sold as an amazing new tool to help create a connected home, allowing users to manage any device plugged into them via a smartphone and/or the internet. The problem, as usual, is an (unspecified) company that treated security as an afterthought. From the full Bitdefender research paper:
"Bitdefender researchers observed that the hotspot is secured with a weak username and password combination. Furthermore, the application does not alert the user to risks associated with leaving default credentials unchanged. Changing them can be done by clicking ‘Edit’ on the name of the smart plug from the main screen and choosing a new name and a new password.That's not just bad security, that's yet another company that's not even trying. And not even trying, it should be added, despite a constant flood of news reports that have demolished an endless list of different brands for failing to embrace things like fundamental encryption. We're building a mansion out of flammable toothpicks and empty promises, and as Bruce Schneier recetly noted, it's really only a matter of time before the check comes due on a fairly massive scale.
Secondly, researchers noticed that, during configuration, the mobile app transfers the Wi-Fi username and password in clear text over the network. Also, the device-to-application communication that passes through the manufacturer’s servers is only encoded, not encrypted.
And while security is a big part of the problem, equally troubling is the rise of "smart" products that stop working once the company's manufacturer gets bored or sold. Like, you know, connected light bulbs that no longer really connect to much of anything:
"Earlier this month, our colleague and Consumerist reader Michelle spotted a great deal on some Connected by TCP smart lightbulbs she’d been eyeing for her home. Before buying, she checked to see if they’d be compatible with her Amazon Echo or Wink app, and it’s good that she checked first. As it turns out, those bulbs are no longer compatible with any device, app, or hub, because TCP pulled the plug on their server as of June 1.Whoops, sorry! Not only is the Internet of Things a total shit show when it comes to security and privacy, you also don't really own the things you buy, creating a universe of new possibilities when it comes to dysfunction, fraud, and misleading advertising promises. There are plenty of reasons why this incompetence is coming home to roost, though the simplest is that many companies were just too cheap and lazy to invest in quality kits, research and technology, and most IOT "evangelists" were too focused on self-promotion to much care about the fact that they were selling us an industrial-grade disaster.