Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Botnet Encryption Security Communications Network Privacy Software The Internet Wireless Networking News Hardware Technology

'Smart' Electrical Socket Leaks Your Email Address, Can Launch DDoS Attacks (softpedia.com) 82

An anonymous reader writes from a report via Softpedia: There is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things. Bitdefender didn't reveal the device's manufacturer but said the vendor is working on a fix, which will be released in late Q3 2016. Problems with the device include a lack of encryption for device communications and the lack of any basic input sanitization for the password field. "Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the internet and bypass the limitations of the network address translation," says Alexandru Balan, Chief Security Researcher at Bitdefender. "This is a serious vulnerability, we could see botnets made up of these power outlets."
This discussion has been archived. No new comments can be posted.

'Smart' Electrical Socket Leaks Your Email Address, Can Launch DDoS Attacks

Comments Filter:
  • by Anonymous Coward

    This is exactly what happens when you lay off all the real programmers and replace them with coders. Enjoy your cost savings at the price of lawsuits for security breaches.

    • by epyT-R ( 613989 )

      Yes because 'programmers' never make mistakes, right?

      • Yes because 'programmers' never make mistakes, right?

        These aren't mistakes, they are encoding the messages rather than encrypting them using a public encoding scheme (anyway, a private encoding scheme wouldn't be better). So, they did actually think about the security, but due to incompetence in the field, they pick an encoding scheme to secure the communication. That's not the first time I have seen such a thing. Some coders believe because they cannot read the message it is encrypted.

    • Enjoy your cost savings at the price of lawsuits for security breaches.

      All that is already figured in [engineering.com]. I still don't know why nobody demands names. Lapdog press.

      • There is at least a chance of a lawsuit there. Now try for some cheap Chinese crap where you could already consider yourself lucky the thing doesn't simply burn your apartment to the ground due to faulty wiring.

  • dumbasses (Score:4, Insightful)

    by YrWrstNtmr ( 564987 ) on Thursday August 18, 2016 @06:46PM (#52729509)
    I'm getting ready to replace all the switches and outlets in my 1982 era house.
    IoT will not be present. I want an outlet to do 2 things. Connect to the circuit breaker box, and provide electricity to my stuff without blowing up.

    Can't leak what doesn't exist.
    • Yeah...I don't get this. I built an internet output plug around 1997 to learn how to do some interfacing. Other than showing off the a few classmates who were like meh, I couldn't think of anything useful to do with it so threw it in a box. A few years ago I found it and interfaced it to a thermometer when I was playing around with arduino, but after the initial enthusiasm and still lack of anything to do with it, I put it back in the box when a wire broke and couldn't be bothered to find the electrical tap
      • I couldn't think of anything useful to do with it so threw it in a box.

        Control fans, or turn lights and radios on and off to simulate the presence of a resident. Unless you walk up and ring my doorbell you don't know if I'm home or not. (Or am I sitting behind the door with a 45 waiting for you?) That's what I use my X10 controls for. I also have a few lights that I always control with X10 just for convenience. One runs my lava lamp, which for some reason needs a slight bit of dimming to reduce the heat or all the lava floats on the top.

        What is confusing about this article i

        • by Anonymous Coward

          Put a lesser wattage globe in your lava lamp, sit back, trip out the the full globulous glory of said lava.

        • I suppose it must be actually configured to be accessible behind a NAT using port-forwarding and DDNS. That is how the most IoT stuff is meant to be accessed these days. Controlling them on your local subnet doesn't make much sense in most cases; people would want to view and control their devices from their smartphones etc from remote networks.
          • If I get any IoT devices they will go on a separate subnet that has no internet access. I will only purchase devices that will talk to a server I control. The firewall will only allow traffic to the device subnet from my trusted subnet and VPN. It's not perfect but it's a lot more secure than handing over control to a company that "cares" about security only after they've been compromised.
        • It's a vulnerability created by the intense desire to have an app control the switch via a remote server. For whatever brain-damaged reason, the app can't talk straight to the device, it has to go via the manufacturer's servers, and they do it via unencrypted channels that can be sniffed.

          That's what is going to kill us all, IoT devices that in order to switch on something, or change a pretty colour or anything, have to go to the bloody cloud to do it.

  • Full article (Score:1, Informative)

    by Anonymous Coward

    Full article with vendors here [bitdefender.com]

  • by JustAnotherOldGuy ( 4145623 ) on Thursday August 18, 2016 @07:14PM (#52729657) Journal

    That's what the IoT is, the Internet of Terrors.

    Mark my words- this is only going to get worse and worse and worse, and eventually somebody will die from some shoddy piece-of-shit consumer crap that's been weaponized by some asshole hacker.

    • The IoT is a Dank Meme and Full of Terrors

    • I work on IoT, and I want to slap CEOs of companies like this for giving everything a bad name. We're working our ass off to have good security and yet the market is grabbing up toys that are completely useless except for being new and then fail to include even the most basic security. Most hardware good for this is low on security features, but they're slowly starting to come around due to demand from product makers.

      But, this is the same crap you see on web pages, etc. Everyone's getting hacked left and

      • Startup mentality means get your product or app out as fast as possible so there's no time to waste on quality.

        Time to market, and cost. If your switch costs twice as much as someone else's, guess which most consumers will buy? Development costs money. Security development is an almost invisible benefit in a device that hasn't gotten to market yet. It's only a liability afterwards.

        • Time to market, and cost. If your switch costs twice as much as someone else's, guess which most consumers will buy?

          Also, the well has already been poisoned. Even if you pay twice as much, it isn't likely that you will get something that is significantly more secure.

          Even if you could, how do you know that you are getting more security for your additional dollars?

          • No one really needs either new gadget. They're being sold to gadget lovers who always must have the latest consumer item, to hipsters because nothing says unsufferable like a guy showing you how he can see if he left the stove on or not while kayaking, and so forth. Those are consumers though. If you're a city or utility though you don't buy your devices from engadget or kickstarter.

            • No one really needs either new gadget.

              Define "need". At the most basic human needs level (Maslow?) of course you are right.

              But at a practical level, I disagree, with an example. I have remote data systems that run 24/7. One is a four hour drive away, another just one hour. Unfortunately, the computers doing the collection are not perfect devices and thus sometimes they crash. Or lock up.

              In both locations I have network controllable power switches. (At the four hour away site, I actually have FOUR of them, at four different failure points.) I

    • by antdude ( 79039 )

      I am surprised it hasn't happened yet.

      • Not enough IdIoTs yet. It needs to be a bit more widely used before it's a worthwhile attack vector.

      • I am surprised it hasn't happened yet.

        Same here, but I think the advent of self-driving cars will bring it about sooner than we think.

        I'd bet that there are hackers rubbing their hands right now in gleeful anticipation of causing a car to veer into oncoming traffic or a light pole or a pedestrian.

        Self-driving cars are my guess as to where we'll see the first IoT fatality. And it's likely that we won't even know it was a malicious actor that caused the fatality.

    • by Stinky Cheese Man ( 548499 ) on Thursday August 18, 2016 @11:22PM (#52730503)
      I am sick of "smart" products. From the smart text selection in MS Word, which always selects more or less text than I actually want, to the climate control in my car, which insists on turning on the A/C when I just want some cool fresh air, they invariably get it wrong. I know what I want and I am smart enough to make my own choices.
      • I am sick of "smart" products. From the smart text selection in MS Word, which always selects more or less text than I actually want, to the climate control in my car, which insists on turning on the A/C when I just want some cool fresh air, they invariably get it wrong. I know what I want and I am smart enough to make my own choices.

        I love the automatic climate control in my car. If I don't want the AC on, just fresh air, I hit the AC button and it does its best to match the selected climate using fresh air + heater. I set the dial and forget about it 90% of the time. The 10% of the time is when I want to just roll the windows down instead of using the climate system. It even automatically defrosts the windshield if I turn on the rear window defroster. That is, of course, unless I tell it not to.

        • It even automatically defrosts the windshield if I turn on the rear window defroster. That is, of course, unless I tell it not to.

          Yes, but why should you have to tell it not to? Because it's making a decision for you- the wrong decision.

          • It even automatically defrosts the windshield if I turn on the rear window defroster. That is, of course, unless I tell it not to.

            Yes, but why should you have to tell it not to? Because it's making a decision for you- the wrong decision.

            The general assumption is that if your back window needs defrosting, the front window probably does too. I never think about my automatic climate control. Like ever. And then I was traveling for work last week and was in a rental car and was constantly turning the knob to adjust the temperature because it would never turn off once it got to a comfortable temperature and the damn thing kept blowing until I got cold. Not that it's the end of the world, but I'd rather pay attention to the road than my clima

      • The hidden meaning of "smart" in "smart phone" and "smart light switch" actually implies something different, taken from the hard drive industry:

        Self-Monitoring, Analysis and Reporting Technology (SMART)

        The purpose of these devices seems to be total monitoring of its users. A "smart" home usually means the vendor knows the state of every light switch, every door sensor, every movement down to the millisecond. I'm just waiting for a group of burglars to break into such a database to determine when and where

  • If you want to keep up with a very smart person who does some really interesting analysis on the security of "smart" devices, try Matthew Garret. He posts most of his finding in conversational format on twitter at

    @mjg59 [twitter.com].

    You can see more of his "reported" results on his website at
    http://mjg59.dreamwidth.org/ [dreamwidth.org].

    Enjoy!

  • This is advanced stupid. It takes a whole lot of bad decisions and a high-grade lack of skill to manage a remote exploit via a password field.

    I'm gonna go out on a limb and say that, in lieu of hashing and salting the password, and/or using one of the many freely available tools to sanitize inputs, it drops the password field directly into a database query of SELECT * FROM PWNED WHERE PASSWORD = x. Because IoT means cheap crap developed by the cheapest programmers. Hell, even doing a plain text compari
  • I've tried doing some research on this, and didn't come up with anything substantial. What is the practical purpose of a smart electrical socket?
  • by Anonymous Coward

    Ho hum. Seems like every other day we get news of yet another crapulent, badly designed, "Internet of Things" device with piss poor security.

    Seriously, anyone putting *any* of these shitty things in their house must have a hole in the head.

    You'd be at less risk of something bad happening by putting scorpions in your underwear than you would bringing *ANY* IOT device into your home. They're being designed by clowns for clowns.

  • Edimax is the manufacturer of these devices.

If all else fails, lower your standards.

Working...