Your 'Smart' Power Outlets Are Now Botnets Thanks To The Internet Of Broken Things
from the I-just-hacked-your-stapler dept
Making fun of the Internet of Things has become a sort of national pastime, made possible by a laundry list of companies jumping into the space without the remotest idea what they're actually doing. When said companies aren't busy promoting some of the dumbest ideas imaginable, they're making it abundantly clear that the security of their "smart," connected products is absolutely nowhere to be found. And while this mockery is well-deserved, it's decidedly less funny once you realize these companies are introducing thousands of new attack vectors in every home and business network the world over.
Overshadowed by the lulz is the width and depth of incompetence on display. Thermostats that fail to heat your home. Door locks that don't protect you. Refrigerators that leak Gmail credentials. Children's toys that listen to your kids' prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death. The list goes on and on, and it grows exponentially by the week.
The latest gift of the Internet of Things industry, revealed last week by security researchers at Bitdefender, is smart electrical sockets that can be hacked to hand over e-mail credentials, create a botnet, or (potentially) burn your house down by firing up connected appliances. The devices are sold as an amazing new tool to help create a connected home, allowing users to manage any device plugged into them via a smartphone and/or the internet. The problem, as usual, is an (unspecified) company that treated security as an afterthought. From the full Bitdefender research paper:
"Bitdefender researchers observed that the hotspot is secured with a weak username and password combination. Furthermore, the application does not alert the user to risks associated with leaving default credentials unchanged. Changing them can be done by clicking ‘Edit’ on the name of the smart plug from the main screen and choosing a new name and a new password.
Secondly, researchers noticed that, during configuration, the mobile app transfers the Wi-Fi username and password in clear text over the network. Also, the device-to-application communication that passes through the manufacturer’s servers is only encoded, not encrypted."
That's not just bad security, that's yet another company that's not even trying. And not even trying, it should be added, despite a constant flood of news reports that have demolished an endless list of different brands for failing to embrace things like fundamental encryption. We're building a mansion out of flammable toothpicks and empty promises, and as Bruce Schneier recently noted, it's really only a matter of time before the check comes due on a fairly massive scale.
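The two weaknesses Bitdefender describes, credentials sent in clear text and a control channel that is merely encoded, look the same to anyone who can observe the traffic: one base64 decode is all that separates "encoded" from "clear text", while real encryption leaves nothing to recover. The following Python is an added example (not code from the article or from Bitdefender) that audits a few constructed sample messages, labels each as clear text, base64-only, or opaque, and lists the credential-like fields an observer could read. The message layout, field names and sample values are assumptions made for the demonstration.

```python
import base64
import binascii
import json
import re
from typing import List, Optional, Tuple

# Constructed sample of three setup/control messages as a passive observer on
# the home LAN might record them. Illustrative only, not captures from the
# Bitdefender report; the field names are hypothetical.
SAMPLE_MESSAGES = [
    # 1. Wi-Fi credentials sent as plain JSON: readable as-is
    b'{"wifi_user":"HomeNet","wifi_pass":"hunter2","plug":"plug-01"}',
    # 2. Relay command "protected" only by base64: readable after one decode
    base64.b64encode(b'{"cmd":"relay_on","plug":"plug-01","auth":"admin:admin"}'),
    # 3. What genuinely encrypted traffic looks like: no structure to recover
    b"\x93\xa4\x07\xff\x00\x12\xc8\x5e",
]

# JSON keys that typically carry secrets
CREDENTIAL_KEY = re.compile(r"(user|pass|pwd|password|auth|secret|token)", re.I)


def _printable_utf8(data: bytes) -> bool:
    """True if the bytes decode as UTF-8 and contain only printable characters."""
    try:
        return data.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return False


def classify(payload: bytes) -> Tuple[str, Optional[bytes]]:
    """Label a payload 'base64', 'cleartext' or 'opaque' and return its readable form.

    base64 is tried first because an encoded payload is itself printable text;
    validate=True makes b64decode reject anything outside the base64 alphabet.
    """
    try:
        decoded = base64.b64decode(payload, validate=True)
        if _printable_utf8(decoded):
            return "base64", decoded
    except binascii.Error:
        pass
    if _printable_utf8(payload):
        return "cleartext", payload
    return "opaque", None


def exposed_fields(payload: bytes) -> List[str]:
    """Return the credential-like JSON keys an observer can read from the payload."""
    _, readable = classify(payload)
    if readable is None:
        return []
    try:
        obj = json.loads(readable)
    except json.JSONDecodeError:
        return []
    if not isinstance(obj, dict):
        return []
    return sorted(k for k in obj if CREDENTIAL_KEY.search(k))


def audit(messages) -> List[dict]:
    """One finding per message: how it travels and which secret fields are exposed."""
    return [
        {"index": i, "transport": classify(m)[0], "exposed": exposed_fields(m)}
        for i, m in enumerate(messages)
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_MESSAGES):
        print(finding)
```

Run against the constructed messages, the first two findings carry readable credential fields and only the third comes back opaque; a device vendor's setup flow should produce nothing but the third kind, which is the check a reviewer of such a product would actually run.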
And while security is a big part of the problem, equally troubling is the rise of "smart" products that stop working once the manufacturer gets bored or gets sold. Like, you know, connected light bulbs that no longer really connect to much of anything:
"Earlier this month, our colleague and Consumerist reader Michelle spotted a great deal on some Connected by TCP smart lightbulbs she’d been eyeing for her home. Before buying, she checked to see if they’d be compatible with her Amazon Echo or Wink app, and it’s good that she checked first. As it turns out, those bulbs are no longer compatible with any device, app, or hub, because TCP pulled the plug on their server as of June 1."
Whoops, sorry! Not only is the Internet of Things a total shit show when it comes to security and privacy, you also don't really own the things you buy, creating a universe of new possibilities when it comes to dysfunction, fraud, and misleading advertising promises. There are plenty of reasons why this incompetence is coming home to roost, though the simplest is that many companies were just too cheap and lazy to invest in quality kit, research and technology, and most IoT "evangelists" were too focused on self-promotion to much care about the fact that they were selling us an industrial-grade disaster.
Reader Comments
Re:
We need an update to the Magnuson-Moss Warranty Act, to require the same level of liability for anything requiring cloud support for operation. At minimum this should be something like an escrow account held in trust to maintain online services for a period of years after the last device is manufactured.
Security is tricky, because the implementation needs to be easy. It would be nice if someone like Consumer Reports started up an IoT Security section to better educate people about the security exposure of these things.
Re: Re:
because there's this bit in 15 U.S. Code § 2301 - Definitions:
(1) The term “consumer product” means any tangible personal property which is distributed in commerce and which is normally used for personal, family, or household purposes (including any such property intended to be attached to or installed in any real property without regard to whether it is so attached or installed).
(9) The term “reasonable and necessary maintenance” consists of those operations (A) which the consumer reasonably can be expected to perform or have performed and (B) which are necessary to keep any consumer product performing its intended function and operating at a reasonable level of performance.
Re: Re:
its crap
Re: its crap
Re: its crap
Re: Re: its crap
An automatic dick pic machine.
Re: Re: its crap
Not every home, Karl.
Re:
Re: Re:
they will stop making shit
instead I see calls for more government to save everyone again from big nasty businesses giving everyone what they are wanting.
Re: they will stop making shit
So, like, never.
Re: Re: they will stop making shit
Re: Re: Re: they will stop making shit
Dumb technology is the superior product IMO, at least until IoT leaves its beta phase. Buying this stuff now means you have time and effort to expend on what are still novelties. IoT will never create value unless they become easier to use than what they intend to supplant.
Re: they will stop making shit
Re: Re: they will stop making shit
When you go ask government to do it, you are just asking for a bigger badder bully to help you out. Not sure you are getting how this life thing works.
A great mind once said...
I would rather be exposed to the inconveniences attending too much liberty than those attending too small a degree of it.
~Thomas Jefferson
Re: Re: Re: they will stop making shit
Re: Re: Re: Re: they will stop making shit
Re: Re: Re: Re: Re: they will stop making shit
Do you even think about the shit you post?
Monopoly on the use of force.
We tried and failed.
But we have learned much the next regime can implement.
Re: they will stop making shit
Similarly, I'm sure all Gulf state residents are still thanking British Petroleum for the wonderful things done with the Deepwater Horizon.
No need for any regulations here because the market is self regulating, these corporations are not bending the rules to make more money, they are simply giving their customers what they want. How was I so wrong about this for so long. Thank you for straightening me out - I'm saved!
Shit sells.
Worse yet, so long as the corporations could suppress news of customers getting cooked by their own oven, they'd continue to sell until there were tens or hundreds of thousands of dead victims. And no-one in the company would be held liable.
So no, we're thankful for many of the regulations we have. We're thankful for the government assuring us that our clock radio doesn't give us cancer. (some models do.)
But because the technical details of IoT appliances are lost both to regulators and customers, we're not going to see a regulation until there's a disaster.
Only after the Titanic sinking did we see regulations on the number of lifeboats required on a ship.
Only after an outlet botnet are we going to see reform of IoT security.
Re: Shit sells.
What amazes me is that people think corporations are big, bad, evil entities and governments are saints. Yet history is full of governments that kill on a far larger scale than any company could do because governments have all the guns.
Big government.
Are you referring to demographics that are not regarded by the government except as outlaws, such as Jews in Nazi Germany?
That is the same end result of when you have too small a government, which is invasion by a larger one.
As for this mythical people who regard corporations as bad but governments as saintly, you'll have to be more specific. I don't know a single person, or a single group that insists that is a platform.
Here, we know that government is necessary for infrastructure, but it is also prone to corruption, which is a problem we've yet to solve.
But if you choose to have a smaller government, then you choose to have less infrastructure, which means lower standards of living e.g. not only no running water, but no consistent supply of safe drinking water. And if you get the fever, you're just written off.
Safe meat, safe water, consistent electricity, firewood every winter, sewage processing, waste disposal, disease control...all these things require infrastructure which requires government regulation. Market forces do not make for these things.
If you like them then you like the fruits of big government.
Re: Big government.
And all you think to do is stroke your harp while it burns.
Considering the GOP is ready to spend billions on a useless wall and create Nuremberg laws regarding the Nonwhite and Muslim problems, the DNC distaste for dissent starts looking mild, particularly given the previous Republican administration burned spies and representatives for less than an imperfectly lined toe.
Even before the current Trump problem, the GOP's platform had long festered down to who is or isn't allowed to fuck. And any pretense by the GOP of taste for small government disintegrates with military considerations.
But the GOP is the only competition against which the DNC runs, and the more pathetic your caricatures of candidates run, the less the DNC has to do to compete, which is how Hillary can effectively run with total technical incompetence. The GOP failure to compete gave the DNC a monopoly on rationality, and like Comcast, they provide shitty service at ridiculous cost.
I'm not sure if the historians are going to argue that Reagan was the dolorous stroke from which the US bled out, or George W. Bush, but both of those guys were picked from the post-Southern-Strategy GOP pool, and between them, the shining city is ablaze. The proverbial barbarians are at our gates.
ugh. Premature posting.
Re: And all you think to do stroke your harp while it burns.
Now if you want to talk about arsonists, you merely have to look at the current president. He has fomented a race war where none existed before. He has accumulated more debt than all other presidents combined before him. Something Hillary will gleefully add to. We have more people on social programs now than before O started. The labor participation rate is lower than it has been in decades. Check the transportation industry stats and you will see it is down across all sectors (rail, truck, ship) so we are headed into another recession. That of course will be blamed on the next Pres when in fact it rests squarely on the failed policies of the current admin.
"Wow, so Reagan set the country on fire?"
Fair enough. No, he didn't literally set the nation on fire, but he did bring us a lot closer, by rekindling nuclear escalation with the Soviet Union. Nixon and Carter negotiated with the USSR and stood behind Peaceful Coexistence. But for Reagan (like Wilson) allowing for the godless Soviet Union to continue was intolerable to him, and he felt that the fall of the USSR was the only acceptable outcome, even if it all had to end in nuclear fire.
But no, the gates Reagan opened was to corporate lobbyists and the allowance of soft money in campaigning, from which we now have the corporate deadlock on politics today.
But yes, it goes back to the eighties, and even further than that, but you might have to history some if you're going to comprehend anything beyond the party rhetoric.
Good thing you have the internet.
Re: "Wow, so Reagan set the country on fire?"
What's more interesting to me is that you're continuing to blame Obama
The system is irreparably corrupt. Putting Trump into office is only going to make it worse by (as what happened with Bush) providing a puppet for people to hate while people behind him steer public assets into their own coffers. Trump would let it happen, and probably wouldn't even care how it affects his image in history.
I'm not arguing Clinton is a good choice. As someone who believed Obama's 2008 campaign promises of reform (Hope and change, remember that?) what he did is not what I voted for. But then again, Bush before him went hard right and full hawk despite his Compassionate Conservative campaign in 2000. Even after he lost the popular vote, and knew the nation was more liberal than he was.
And yes, Clinton may continue to put the US further in debt (a topic worthy of its own discussion) but trump is not going to pull us out of debt, or even put us in less debt. As I said, most likely he'll subsidize those interests that will motivate him, possibly by having a shill insult him in public.
No president is going to fix the nation. That's the problem. And blaming presidents for not fixing the nation doesn't move us any closer to fixing the nation.
So yeah, social unrest if that's what you want to call it may be what dismantles the United States, but that's going to happen no matter who goes in the oval office, because the hands in the puppet (whichever puppet) aren't interested in fixing the nation for the long term, or in the interest of the people.
Which was something I was trying to say in the first place. Please try to look past the party contest.
Putting lots of devices on the open Internet is a stupid idea, because of the massive increase in attack surface, but is done in part because in many countries, domestic connections do not have a fixed IP.
Risk and Sensational Rhetoric
Wow ... Sensational rhetoric is what we usually rail against here on Techdirt.
The fact is that anything we do digitally can be hacked. Anytime we are connected to a network we are at risk while most of our devices have security holes that put us at risk. Most things we do in life put us at risk and many of these things we are unaware of. It seems that we have two choices, live off grid in a cave with no contact or connectivity with the outside world or manage the risk the best we are able to. Most of us do this every day when we engage in one of the most dangerous activities we have in this modern world ... going out in the world and transporting ourselves to work, play, and hunting and gathering for our existence. We make decisions and choices to minimize the risk.
We also can choose to do this in our digital life too. I have a smart thermostat, a Z-Wave hub controlling lights and my garage door. I choose to do these things because I seek the usefulness of these devices and understand the risks the best I can while trying to minimize the risks by utilizing proper security measures where I can and accepting or rejecting the risk where I can't.
Someone can not burn down my house by turning on the outlet to my father-in-law's LED lamp or my outside lights even if they manage to hack a Z-Wave network from a mile away. My HVAC has a secondary "dumb" thermostat that will never let my house freeze or heat over 100. My garage is detached and anyone getting into it and stealing what is there is probably saving me a trip to Goodwill.
There are easier ways for someone to steal my digital credentials and the fact is ... just like getting into my house, if they really want to, they can get in anyway. The best I can do is minimize my risk and have a plan if they do.
I absolutely agree that the IoT companies need to do a better job at securing their devices, so do the car companies, software companies, hardware companies, banks, our government ... on and on..
So, how many houses have been burned down because someone hacked a smart outlet? Wouldn't there be other failure modes at play? (bad thermostat AND bad protective switch in the heater) Are there greater risks we should spend our worry and collective efforts addressing?
Next thing you know, the behind in the polling Senator from the state of ignorance will be introducing legislation banning these tragically harmful devices.
Re: Risk and Sensational Rhetoric
Repeat after me:
Internet connected toaster
Feedback Instead.
I have a toaster-oven which detects how browned the bread is, and shuts down accordingly. It seems to work with a fairly wide range of bread types without needing to adjust the setting dial. It's a simple analog mechanism, in a toaster-oven which I bought for about twenty dollars, back in the late 1990's. There's also a thermostat, similar to that in a conventional oven.
It might be possible to improve a microwave oven, by enabling it to map the state of its contents, and apply energy accordingly. The microwave oven ought to be able to distinguish ice from water, by the secondary radiation, and aim microwaves at the ice. Ice absorbs microwaves less efficiently than water, and consequently a frozen burrito, cooked in the microwave, can be excessively hot at one end, and still frozen at the other. A smart microwave oven could deliver uniform defrosting and cooking. However, the oven does not need the internet to do this, only local sensors and local controls.
Things like smart internet-connected thermostats tend to be based around ignorance of the science of thermodynamics. I discussed this issue several years ago, in respect of the Nest thermostat:
https://www.techdirt.com/blog/innovation/articles/20111026/01492716514/applying-apples-design-sense-to-other-items-like-thermostat.shtml#c432
---------------------------------------------------------------------------------
After about 1950, automobiles essentially ceased to make improvements in usable speed. An automobile is no better than the road it runs on, and there was never the political will to create 100-150 mph freeways. The result was that automobile styling went crazy. Automobiles mostly acquired non-functional tail-fins, and air intakes copied from jet fighters. The Batmobile is a fairly representative specimen of 1950's automobile body design, though, by the time the Batmobile was produced (1966-68), this had become a matter of subtle caricature. The Batmobile was in fact a Ford "concept car" from 1954, hastily modified for the television series.
https://en.wikipedia.org/wiki/Batmobile#Batman_.281965-66_film.2Ftelevision_series.29
Internet development is going through the same process, only in a kind of "folie à deux" mode with certain traditional industries, such as the makers of lighting fixtures.
Re: Feedback Instead.
Not in my home
I do not have any smart devices, besides phones, and will not have any until they are secure. Oh, and when I can be somewhat assured they aren't monitoring me, which will probably be never. Google knows everything about me, but nobody else needs that info.
The Internet of Licencing Agreements
Stream but don't keep,
Use but don't pay attention....
- Signed Web 2.0
The fundamental problem