Techdirt has published an alarming article on the ongoing march to wirelessly connect everything and the resulting security problems, and the Wall Street Journal just reported on a massive Chinese hack. Here’s Techdirt first: “Making fun of the Internet of Things has become a sort of national pastime, made possible by a laundry list of companies jumping into the space without the remotest idea what they’re actually doing. When said companies aren’t busy promoting some of the dumbest ideas imaginable, they’re making it abundantly clear that the security of their “smart,” connected products is absolutely nowhere to be found.
And while this mockery is well-deserved, it’s decidedly less funny once you realize these companies are introducing thousands of new attack vectors in every home and business network the world over.
Overshadowed by the lulz is the width and depth of incompetence on display. Thermostats that fail to heat your home. Door locks that don’t protect you. Refrigerators that leak Gmail credentials. Children’s toys that listen to your kids’ prattle, then (poorly) secure said prattle in the cloud. Cars that could, potentially, result in your death. The list goes on and on, and it grows exponentially by the week.
The latest gift of the Internet of Things industry, revealed last week by security researchers at Bitdefender, is smart electrical sockets that can be hacked to hand over e-mail credentials, create a botnet, or (potentially) burn your house down by firing up connected appliances. The devices are sold as an amazing new tool to help create a connected home, allowing users to manage any device plugged into them via a smartphone and/or the internet. The problem, as usual, is an (unspecified) company that treated security as an afterthought. From the full Bitdefender research paper:
“Bitdefender researchers observed that the hotspot is secured with a weak username and password combination. Furthermore, the application does not alert the user to risks associated with leaving default credentials unchanged. Changing them can be done by clicking ‘Edit’ on the name of the smart plug from the main screen and choosing a new name and a new password.
Secondly, researchers noticed that, during configuration, the mobile app transfers the Wi-Fi username and password in clear text over the network. Also, the device-to-application communication that passes through the manufacturer’s servers is only encoded, not encrypted.”
The dumb “smart” ideas include a Kickstarter campaign for the Toasteroid smart toaster, which can print the day’s weather forecast, messages, or doodles onto a piece of toast. Just what every home needs.
And in other hacking news, the Wall Street Journal reported that Chinese “Attackers used an army of hijacked security cameras and video recorders to launch several massive internet attacks last week, prompting fresh concern about the vulnerability of millions of “smart” devices in homes and businesses connected to the internet.
The assaults raised eyebrows among security experts both for their size and for the machines that made them happen. The attackers used as many as one million Chinese-made security cameras, digital video recorders and other infected devices to generate webpage requests and data that knocked their targets offline, security experts said. It is unclear whether the attackers had access to video feeds from the devices.
“We’re thinking this is the tip of the iceberg,” said Dale Drew, head of security at Level 3 Communications Inc., which runs one of the world’s largest internet backbones, giving it a window into many of the attacks that cross the net.
The proliferation of internet-connected devices from televisions to thermostats provides attackers a bigger arsenal of weapons to infiltrate. Many are intended to be plugged in and forgotten. These devices are “designed to be remote controlled over the internet,” said Andy Ellis, security chief at network operator Akamai Technologies Inc., some of whose clients were affected. “They’re also never going to be updated.”
Experts have long warned that machines without their own screens are less likely to receive fixes designed to protect them. Researchers have found flaws in gadgets ranging from “smart” lightbulbs to internet-connected cars. Wi-Fi routers are a growing source of concern as many manufacturers put the onus on consumers to do the updating.
“It’s going to be very difficult to convince consumers to patch their refrigerator,” said Matthew Prince, CEO of security provider CloudFlare Inc. “Where the security is more likely to be placed is in the network.”