Your 'Smart' Power Outlets Are Now Botnets Thanks To The Internet Of Broken Things

from the I-just-hacked-your-stapler dept

Making fun of the Internet of Things has become a sort of national pastime, made possible by a laundry list of companies jumping into the space without the remotest idea what they're actually doing. When said companies aren't busy promoting some of the dumbest ideas imaginable, they're making it abundantly clear that the security of their "smart," connected products is absolutely nowhere to be found. And while this mockery is well-deserved, it's decidedly less funny once you realize these companies are introducing thousands of new attack vectors in every home and business network the world over.

Overshadowed by the lulz is the width and depth of incompetence on display. Thermostats that fail to heat your home. Door locks that don't protect you. Refrigerators that leak Gmail credentials. Children's toys that listen to your kids' prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death. The list goes on and on, and it grows exponentially by the week.

The latest gift of the Internet of Things industry, revealed last week by security researchers at Bitdefender, is smart electrical sockets that can be hacked to hand over e-mail credentials, create a botnet, or (potentially) burn your house down by firing up connected appliances. The devices are sold as an amazing new tool to help create a connected home, allowing users to manage any device plugged into them via a smartphone and/or the internet. The problem, as usual, is an (unspecified) company that treated security as an afterthought. From the full Bitdefender research paper:
"Bitdefender researchers observed that the hotspot is secured with a weak username and password combination. Furthermore, the application does not alert the user to risks associated with leaving default credentials unchanged. Changing them can be done by clicking ‘Edit’ on the name of the smart plug from the main screen and choosing a new name and a new password.

Secondly, researchers noticed that, during configuration, the mobile app transfers the Wi-Fi username and password in clear text over the network. Also, the device-to-application communication that passes through the manufacturer’s servers is only encoded, not encrypted."
That's not just bad security, that's yet another company that's not even trying. And not even trying, it should be added, despite a constant flood of news reports that have demolished an endless list of different brands for failing to embrace things like fundamental encryption. We're building a mansion out of flammable toothpicks and empty promises, and as Bruce Schneier recently noted, it's really only a matter of time before the check comes due on a fairly massive scale.
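
The difference between "encoded" and "encrypted" in the Bitdefender quote can be tested on captured traffic: an encoding reverses without any key. The check below is an added example, not code from Bitdefender or from this article; the sample payloads and field names are constructed, and Base64 and hex are assumed encodings because the quote does not say which one the device used.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())  # printable ASCII byte values

def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """True when nearly every byte is printable ASCII."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold

def keyless_decodings(data: bytes):
    """Yield (scheme, decoded) for reversible encodings that need no key."""
    try:
        text = data.decode("ascii").strip()
    except UnicodeDecodeError:
        return
    try:
        yield "base64", base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        yield "hex", bytes.fromhex(text)
    except ValueError:
        pass

def classify(payload: bytes) -> str:
    """Label a captured payload: cleartext, encoded:<scheme>, or opaque."""
    for scheme, decoded in keyless_decodings(payload):
        if looks_like_text(decoded):
            return f"encoded:{scheme}"
    if looks_like_text(payload):
        return "cleartext"
    # Opaque does not prove encryption; it only means no keyless decode worked.
    return "opaque"

# Constructed samples (not captured from any real device).
SETUP_MSG = b'{"ssid": "HomeNet", "password": "constructed-example"}'
SAMPLES = {
    "setup message as sent": SETUP_MSG,
    "same message, Base64": base64.b64encode(SETUP_MSG),
    "stand-in for ciphertext": bytes(range(0x80, 0xC0)),
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:26} -> {classify(payload)}")
```

A verdict of `cleartext` or `encoded:*` on a device's setup or cloud traffic is a finding in itself; `opaque` only tells you the payload needs a closer look at how its keys are handled.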

And while security is a big part of the problem, equally troubling is the rise of "smart" products that stop working once the product's manufacturer gets bored or sold. Like, you know, connected light bulbs that no longer really connect to much of anything:
"Earlier this month, our colleague and Consumerist reader Michelle spotted a great deal on some Connected by TCP smart lightbulbs she’d been eyeing for her home. Before buying, she checked to see if they’d be compatible with her Amazon Echo or Wink app, and it’s good that she checked first. As it turns out, those bulbs are no longer compatible with any device, app, or hub, because TCP pulled the plug on their server as of June 1."
Whoops, sorry! Not only is the Internet of Things a total shit show when it comes to security and privacy, you also don't really own the things you buy, creating a universe of new possibilities when it comes to dysfunction, fraud, and misleading advertising promises. There are plenty of reasons why this incompetence is coming home to roost, though the simplest is that many companies were just too cheap and lazy to invest in quality kits, research and technology, and most IoT "evangelists" were too focused on self-promotion to care much about the fact that they were selling us an industrial-grade disaster.

Filed Under: internet of things, iot, power outlets, security

Reader Comments


  1. The Baker, 23 Aug 2016 @ 10:51am

    Risk and Sensational Rhetoric

    " ...(potentially) burn your house down by firing up connected appliances"

    Wow ... Sensational rhetoric is what we usually rail against here on Techdirt.

    The fact is that anything we do digitally can be hacked. Anytime we are connected to a network we are at risk while most of our devices have security holes that put us at risk. Most things we do in life put us at risk and many of these things we are unaware of. It seems that we have two choices, live off grid in a cave with no contact or connectivity with the outside world or manage the risk the best we are able to. Most of us do this every day when we engage in one of the most dangerous activities we have in this modern world ... going out in the world and transporting ourselves to work, play, and hunting and gathering for our existence. We make decisions and choices to minimize the risk.
    We also can choose to do this in our digital life too. I have a smart thermostat, a Z-Wave hub controlling lights and my garage door. I choose to do these things because I seek the usefulness of these devices and understand the risks the best I can while trying to minimize the risks by utilizing proper security measures where I can and accepting or rejecting the risk where I can't.
    Someone cannot burn down my house by turning on the outlet to my father-in-law's LED lamp or my outside lights even if they manage to hack a Z-Wave network from a mile away. My HVAC has a secondary "dumb" thermostat that will never let my house freeze or heat over 100. My garage is detached and anyone getting into it and stealing what is there is probably saving me a trip to Goodwill.
    There are easier ways for someone to steal my digital credentials and the fact is ... just like getting into my house, if they really want to, they can get in anyway. The best I can do is minimize my risk and have a plan if they do.

    I absolutely agree that the IoT companies need to do a better job at securing their devices, so do the car companies, software companies, hardware companies, banks, our government ... on and on..

    So, how many houses have been burned down because someone hacked a smart outlet? Wouldn't there be other failure modes at play? (bad thermostat AND bad protective switch in the heater) Are there greater risks we should spend our worry and collective efforts addressing?

    Next thing you know, the behind in the polling Senator from the state of ignorance will be introducing legislation banning these tragically harmful devices.
