Your 'Smart' Power Outlets Are Now Botnets Thanks To The Internet Of Broken Things
from the I-just-hacked-your-stapler dept
Making fun of the Internet of Things has become a sort of national pastime, made possible by a laundry list of companies jumping into the space without the remotest idea what they’re actually doing. When said companies aren’t busy promoting some of the dumbest ideas imaginable, they’re making it abundantly clear that the security of their “smart,” connected products is absolutely nowhere to be found. And while this mockery is well-deserved, it’s decidedly less funny once you realize these companies are introducing thousands of new attack vectors in every home and business network the world over.
Overshadowed by the lulz is the width and depth of incompetence on display. Thermostats that fail to heat your home. Door locks that don’t protect you. Refrigerators that leak Gmail credentials. Children’s toys that listen to your kids’ prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death. The list goes on and on, and it grows exponentially by the week.
The latest gift of the Internet of Things industry, revealed last week by security researchers at Bitdefender, is smart electrical sockets that can be hacked to hand over e-mail credentials, create a botnet, or (potentially) burn your house down by firing up connected appliances. The devices are sold as an amazing new tool to help create a connected home, allowing users to manage any device plugged into them via a smartphone and/or the internet. The problem, as usual, is an (unspecified) company that treated security as an afterthought. From the full Bitdefender research paper:
“Bitdefender researchers observed that the hotspot is secured with a weak username and password combination. Furthermore, the application does not alert the user to risks associated with leaving default credentials unchanged. Changing them can be done by clicking ?Edit? on the name of the smart plug from the main screen and choosing a new name and a new password.
Secondly, researchers noticed that, during configuration, the mobile app transfers the Wi-Fi username and password in clear text over the network. Also, the device-to-application communication that passes through the manufacturer?s servers is only encoded, not encrypted.
That’s not just bad security, that’s yet another company that’s not even trying. And not even trying, it should be added, despite a constant flood of news reports that have demolished an endless list of different brands for failing to embrace things like fundamental encryption. We’re building a mansion out of flammable toothpicks and empty promises, and as Bruce Schneier recetly noted, it’s really only a matter of time before the check comes due on a fairly massive scale.
And while security is a big part of the problem, equally troubling is the rise of “smart” products that stop working once the company’s manufacturer gets bored or sold. Like, you know, connected light bulbs that no longer really connect to much of anything:
“Earlier this month, our colleague and Consumerist reader Michelle spotted a great deal on some Connected by TCP smart lightbulbs she?d been eyeing for her home. Before buying, she checked to see if they?d be compatible with her Amazon Echo or Wink app, and it?s good that she checked first. As it turns out, those bulbs are no longer compatible with any device, app, or hub, because TCP pulled the plug on their server as of June 1.
Whoops, sorry! Not only is the Internet of Things a total shit show when it comes to security and privacy, you also don’t really own the things you buy, creating a universe of new possibilities when it comes to dysfunction, fraud, and misleading advertising promises. There are plenty of reasons why this incompetence is coming home to roost, though the simplest is that many companies were just too cheap and lazy to invest in quality kits, research and technology, and most IOT “evangelists” were too focused on self-promotion to much care about the fact that they were selling us an industrial-grade disaster.
Filed Under: internet of things, iot, power outlets, security
Comments on “Your 'Smart' Power Outlets Are Now Botnets Thanks To The Internet Of Broken Things”
We need a new word to describe ethical non-adoption of new technologies. Luddite is similar, but not accurate.
Re: Re:
To some extent, that just describes smart decision making. People aren’t rejecting these technologies, just the implementation, support, and security of these technologies.
We need an update to the Magnuson-Moss Warranty Act, to require the same level of liability for anything requiring cloud support for operation. At minimum this should be something like an escrow account held in trust to maintain online services for a period of years after the last device is manufactured.
Security is tricky, because the implementation needs to be easy. It would be nice if someone like Consumer Reports started up an IoT Security section to better educate people about the security exposure of these things.
Re: Re: Re:
…does the whole licensing thing instead of owning impact the coverage of Magnuson–Moss Warranty Act?
(1) The term “consumer product” means any tangible personal property which is distributed in commerce and which is normally used for personal, family, or household purposes (including any such property intended to be attached to or installed in any real property without regard to whether it is so attached or installed).
because there’s this bit in 15 U.S. Code § 2301 – Definitions
(9) The term “reasonable and necessary maintenance” consists of those operations (A) which the consumer reasonably can be expected to perform or have performed and (B) which are necessary to keep any consumer product performing its intended function and operating at a reasonable level of performance.
Re: Re: Re:
Please don’t suggest that. Much better to have the product quit working than to continue functioning for years on a cloud infrastructure that’s no longer receiving security updates. If you think it’s bad when there are security issues, just wait until someone breaks into a no-longer-supervised system and uploads some custom firmware.
its crap
Ill never give up my smart toilet no matter how vulnerable to attack it might be. Being able to quickly tweet an impressive dump jpg is just too much fun!
Re: its crap
Last Thursdays was a doozie. LOL. Oh and it’s time to change your toothbrush. A coat of paint wont hurt either. Lastly, you’ll go blind if you keep doing that.
Re: its crap
You jest but eventually your toilet could have an aimable water sprayer that you control to clean yourself that much easier. Adding a tiny camera would give you better aim, but would also open it up to horribly private images available for nefarious people to steal.
Re: Re: its crap
Actually that sounds like a selling feature:
An automatic dick pic machine.
Re: Re: its crap
Albeit a very gross selling feature.
“these companies are introducing thousands of new attack vectors in every home and business network the world over.”
Not every home Karl.
Re: Re:
Yep, I don’t have a single IoT device in my house with no plans to have anything in the future until security of these things is a #1 priority.
Re: Re: Re:
Dont forget an open API and possibillity to run your server at home. I want some smart features at home, but my stuff should never “call home”. Open implementation and code availible on GitHub is a must for me. Usually takes care of the security part as well. Can’t have that abysmal security with source code availible
Shocking.
they will stop making shit
when people stop buying shit
instead I see calls for more government to save everyone again from big nasty businesses giving everyone what they are wanting.
Re: they will stop making shit
when people stop buying shit
So, like, never.
Re: Re: they will stop making shit
OR until someone comes along with a superior product.
Re: Re: Re: they will stop making shit
“superior product”
Dumb technology is the superior product IMO, at least until IoT leaves its beta phase. Buying this stuff now means you have time and effort to expend on what are still novelties. IoT will never create value unless they become easier to use than what they intend to supplant.
Re: they will stop making shit
Yeah, that little kid was just asking for the bully to steal his lunch money, how dare anyone stop what he deserved.
Re: Re: they will stop making shit
You either fight back, or take what you get.
When you go ask government to do it, you are just asking for a bigger badder bully to help you out. Not sure you are getting how this life thing works.
A great mind once said…
I would rather be exposed to the inconveniences attending too much liberty than those attending too small a degree of it.
~Thomas Jefferson
Re: Re: Re: they will stop making shit
I doubt that Thomas was an anarchist like yourself.
Re: Re: Re:2 they will stop making shit
The problem is that the governments are becoming anarchists who control the use of force, in other words tyrants whose word is law,
Re: Re: Re:3 they will stop making shit
“governments are becoming anarchists”
Do you even think about the shit you post?
Re: Re: Re:3 Monopoly on the use of force.
That was a problem already. In the US, we tried to fix it.
We tried and failed.
But we have learned much the next regime can implement.
Re: they will stop making shit
I’m sure all the residents of Prince William Sound and the surrounding area are still thanking Exxon for giving them exactly what they wanted.
Similarly, I’m sure all Gulf state residents are still thanking British Petroleum for the wonderful things done with the Deepwater Horizon.
No need for any regulations here because the market is self regulating, these corporations are not bending the rules to make more money, they are simply giving their customers what they want. How was I so wrong about this for so long. Thank you for straightening me out – I’m saved!
Re: Shit sells.
People would buy a microwave oven that baked anyone in line of sight if it weren’t for the state regulating microwave oven emissions.
Worse yet, so long as the corporations could suppress news of customers getting cooked by their own oven, they’d continue to sell until there were tens or hundreds of thousands of dead victims. And no-one in the company would be held liable.
So no, we’re thankful for many of the regulations we have. We’re thankful for the government assuring us that our clock radio doesn’t give us cancer. (some models do.)
But because the technical details of IoT appliances are lost both to regulators and customers, we’re not going to see a regulation until there’s a disaster.
Only after the Titanic sinking did we see regulations on the number of lifeboats required on a ship.
Only after an outlet botnet are we going to see reform of IoT security.
Re: Re: Shit sells.
I bet there are many millions of people who would have preferred far less powerful government were they not already killed by that government.
What amazes me, is people think corporations are big, bad, evil entities and governments are saints. Yet history is full of governments that kill on a far larger scale than any company could do because governments have all the guns.
Re: Re: Re: Big government.
I bet there are many millions of people who would have preferred far less powerful government were they not already killed by that government.
Are you referring to demographics that are not regarded by the government except as outlaws, such as Jews in Nazi Germany?
That is the same end result of when you have too small a government, which is invasion by a larger one.
As for this mythical people who regard corporations as bad but governments as saintly, you’ll have to be more specific. I don’t know a single person, or a single group that insists that is a platform.
Here, we know that government is necessary for infrastructure, but it is also prone to corruption, which is a problem we’ve yet to solve.
But if you choose to have a smaller government, then you choose to have less infrastructure, which means lower standards of living e.g. not only no running water, but no consistent supply of safe drinking water. And if you get the fever, you’re just written off.
Safe meat, safe water, consistent electricity, firewood every winter, sewage processing, waste disposal, disease control…all these things require infrastructure which requires government regulation. Market forces do not make for these things.
If you like them then you like the fruits of big government.
Re: Re: Re:2 Big government.
Ah yes, we all know the Dems are really just about safe groceries. Sorry, nobody is buying that, the Dems are about controlling every aspect of our lives and have ZERO tolerance for dissent. That is the very problem with big government, they ultimately will not tolerate dissent and will put you in the ground for it.
Re: Re: Re:3 And all you think to do stroke your harp while it burns.
Ah, it seems you and I were having different conversations entirely. I was talking about the virtues — and necessity — of a large powerful government. You seem to be seeing government as not a tool for creating a civilization but a campaigning chip by which to extol your party platform of choice.
Considering the GOP is ready to spend billions on a useless wall and create Neuremburg laws regarding the Nonwhite and Muslem problems, the DNC distaste for dissent starts looking mild, particularly given the previous Repuplican administration burned spies and representatives for less than an imperfectly lined toe.
Even before the current Trump problem, the GOP’s platform had long festered down to who is or isn’t allowed to fuck. And any pretense by the GOP of taste for small governmend disintegrates with military considerations.
But the GOP is the only competition against which the DNC runs, and the more pathetic your caracatures of candidates run, the less the DNC has to do to compete, which is how Hillary can effectively run with total technical incompetence. The GOP failure to compete, gave the DNC a monopoly on rationality, and like Comcast, they provide shitty service at ridiculous cost.
I’m not sure if the historians are going to argue that Reagan was the dolorous stroke from which the US bled out, or George W. Bush, but both of those guys were picked from the post-Southern-Strategy GOP pool, and between them, the shining city is ablaze. The proverbial barbarians are at our gates.
Re: Re: Re:4 ugh. Premature posting.
An absent verb to be can ruin an entire presentation.
Re: Re: Re:4 And all you think to do stroke your harp while it burns.
Wow, so Reagan set the country on fire? That is so far from true it isn’t even funny. You guys are amazing. It was bad enough that for the last 8 years everything was Bush 2s fault, now you have lowered the bar to say it goes back to the 80s.
Now if you want to talk about arsonists, you merely have to look at the current president. He has fomented a race war where none existed before. He has accumulated more debt than all other presidents combined before him. Something Hillary will gleefully add to. We have more people on social programs now than before O started. The labor participation rate is lower than it has been in decades. Check the transportation industry stats and you will see it is down across all sectors (rail, truck, ship) so we are headed into another recession. That of course will be blamed on the next Pres when in fact it rests squarely on the failed policies of the current admin.
Re: Re: Re:5 "Wow, so Reagan set the country on fire?"
You don’t get metaphor?
Fair enough. No, he didn’t literally set the nation on fire, but he did bring us a lot closer, by rekindling nuclear escalation with the Soviet Union. Nixon and Carter negotiated with the USSR and stood behind Peaceful Coexistence. But for Reagan (like Wilson) allowing for the godless Soviet Union to continue was intolerable to him, and he he felt that the fall of the USSR was the only acceptable outcome, even if it all had to end in nuclear fire.
But no, the gates Reagan opened was to corporate lobbyists and the allowance of soft money in campaigning, from which we now have the corporate deadlock on politics today.
But yes, it goes back to the eighties, and even further than that, but you might have to history some if you’re going to comprehend anything beyond the party rhetoric.
Good thing you have the internet.
Re: Re: Re:6 "Wow, so Reagan set the country on fire?"
You don’t need the internet to see what has happened under O since we are still victims of his failed policies. We will get more of the same under H. By the time those 2 are finished, this country will be so far in debt and in so much civil unrest it won’t matter what the Russians are doing.
Re: Re: Re:7 What's more interesting to me is that you're continuing to blame Obama
…As if Romney or McCain would have been better?
The system is irreparably corrupt. Putting Trump into office is only going to make it worse by (as what happened with Bush) providing a puppet for people to hate while people behind him steer public assets into their own coffers. Trump would let it happen, and probably wouldn’t even care how it affects his image in history.
I’m not arguing Clinton is a good choice. As someone who believed Obama’s 2008 campaign promises of reform (Hope and change, remember that?) what he did is not what I voted for. But then again, Bush before him went hard right and full hawk despite his Compassionate Conservative campaign in 2000. Even after he lost the popular vote, and knew the nation was more liberal than he was.
And yes, Clinton may continue to put the US further in debt (a topic worthy of its own discussion) but trump is not going to pull us out of debt, or even put us in less debt. As I said, most likely he’ll subsidize those interests that will motivate him, possibly by having a shill insult him in public.
No president is going to fix the nation. That’s the problem. And blaming presidents for not fixing the nation doesn’t move us any closer to fixing the nation.
So yeah, social unrest if that’s what you want to call it may be what dismantles the United States, but that’s going to happen no matter who goes in the oval office, because the hands in the puppet (whichever puppen) aren’t interested in fixing the nation for the long term, or in the interest of the people.
Which was something I was trying to say in the first place. Please try to look past the party contest.
It should be the local net of things, with a secure remote access to you own controller. That way only one interface has to be secured from remote attackers. That leaves the local WiFi network to be secured from local attacks, and it can be made reasonable secure. Being able to limit the things to communicate to a fixed local IP will also help secure things.
Putting lots of devices on the open Internet is a stupid Idea, because of the massive increase in attack surface, but is done in part because in many countries, domestic connections do not have a fixed IP.
Risk and Sensational Rhetoric
Wow … Sensational rhetoric is what we usually rail against here on Techdirt.
The fact is that anything we do digitally can be hacked. Anytime we are connected to a network we are at risk while most of our devices have security holes that put us at risk. Most things we do in life put us at risk and many of these things we are unaware of. It seems that we have two choices, live off grid in a cave with no contact or connectivity with the outside world or manage the risk the best we are able to. Most of us do this every day when we engage in one of the most dangerous activities we have in this modern world … going out in the world and transporting ourselves to work, play, and hunting and gathering for our existence. We make decisions and choices to minimize the risk.
We also can choose to do this in our digital life too. I have a smart thermostat, a Z-Wave hub controlling lights and my garage door. I choose to do these things because I seek the usefulness of these devices and understand the risks the best I can while trying to minimize the risks by utilizing proper security measures where I can and accepting or rejecting the risk where I cant.
Someone can not burn down my house by turning on the outlet to my father-in laws LED lamp or my outside lights even if they manage to hack a Z-Wave network from a mile away. My HVAC has a secondary “dumb” thermostat that will never let my house freeze or heat over 100. My garage is detached and anyone getting into it and stealing what is there is probably saving me a trip to good will.
There are easier ways for someone to steal my digital credentials and the fact is … just like getting into my house, if they really want to, they can get in anyway. The best I can do is minimize my risk and have a plan if they do.
I absolutely agree that the the iot companies need to do a better job at securing their devices, so do the car companies, software companies, hardware companies, banks, our government … on and on..
So, how many houses have been burned down because someone hacked a smart outlet? Wouldn’t there be other failure modes at play? (bad thermostat AND bad protective switch in the heater) Are there greater risks we should spend our worry and collective efforts addressing?
Next thing you know, the behind in the polling Senator from the state of ignorance will be introducing legislation banning these tragically harmful devices.
Re: Risk and Sensational Rhetoric
yeah – that would never happen, don’t worry about it.
Does anyone know of a good open source firmware version for IoT devices? Or are there DIY kits?
Repeat after me:
‘You have to be pretty stupid to want a smart device.’
Internet connected toaster
I still want to know when I can get my internet connected toaster…
Feedback Instead.
Broadly speaking, Internet-of-Things devices do not work very well because the relevant information is local, coming from local sensors. Information from far away is usually irrelevant. The proper approach is to use _feedback_. For example, lights often work with infra-red sensors. If something is moving, the lights come on. Or lights can be connected to photo-cells, so that they switch on when it is dark.
I have a toaster-oven which detects how browned the bread is, and shuts down accordingly. It seems to work with a fairly wide range of bread types without needing to adjust the setting dial. It’s a simple analog mechanism, in a toaster-oven which I bought for about twenty dollars, back in the late 1990’s. There’s also a thermostat, similar to that in a conventional oven.
It might be possible to improve a microwave oven, by enabling it to map the state of its contents, and apply energy accordingly. The microwave oven ought to be able to distinguish ice from water, by the secondary radiation, and aim microwaves at the ice. Ice absorbs microwaves less efficiently than water, and consequently a frozen burrito, cooked in the microwave, can be excessively hot at one end, and still frozen at the other. A smart microwave oven could deliver uniform defrosting and cooking. However, the oven does not need the internet to do this, only local sensors and local controls.
Things like smart internet-connected thermostats tend to be based around ignorance of the science of thermodynamics. I discussed this issue several years ago, in respect of the Nest thermostat:
https://www.techdirt.com/blog/innovation/articles/20111026/01492716514/applying-apples-design-sense-to-other-items-like-thermostat.shtml#c432
———————————————————————————
After about 1950, automobiles essentially ceased to make improvements in usable speed. An automobile is no better than the road it runs on, and there was never the political will to create 100-150 mph freeways. The result was that automobile styling went crazy. Automobiles mostly acquired non-functional tail-fins, and air intakes copied from jet fighters. The Batmobile is a fairly representative specimen of 1950’s automobile body design, though, by the time the Batmobile was produced (1966-68), this had become a matter of subtle caricature. The Batmobile was in fact a Ford “concept car” from 1954, hastily modified for the television series.
https://en.wikipedia.org/wiki/Batmobile#Batman_.281965-66_film.2Ftelevision_series.29
Internet development is going through the same process, only in a kind of “follie-a-deux” mode with certain traditional industries, such as the makers of lighting fixtures.
Re: Feedback Instead.
I think you are onto something. Many devices are a solution in search of a problem. An old fashioned, programmable thermostat will get you most of the benefit, if there is any, for $20. Personally, when it comes to thermostats, I think setting a reasonable temp and leaving it is far more energy efficient. Let all the thermal mass in your home heat up or cool down and then trying to bring it back to temp seems far more wasteful than getting it to the desired temp and keeping it there.
Not in my home
in every home and business network the world over.
I do not have any smart devices, besides phones, and will not have any until they are secure. Oh, and when I can be somewhat assured they aren’t monitoring me which will probably be never. Google knows everything about me, but nobody else needs that info.
The Internet of Licencing Agreements
Purchase but don’t own,
Stream but don’t keep,
Use but don’t pay attention….
– Signed Web 2.0
The fundamental problem
The fundamental problem with these IoT devices is – LINUX. They all run Linux, which is a full operating system capable of loading and running applications. I have nothing against Linux as an operating system, but it’s inappropriate for an embedded system whose job is to run one and only one special application for ever. Just why a thermostat needs the ability to change its application program remotely escapes me. I can see the attraction of Linux to people who are too lazy, or too incompetent, to write their own embedded drivers the way we did when things were designed by competent engineers, but they should at least put in some security to detect unauthorized program changes and refuse to load them.