'Smart' Electrical Socket Leaks Your Email Address, Can Launch DDoS Attacks (softpedia.com)
An anonymous reader writes from a report via Softpedia: There is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things. Bitdefender didn't reveal the device's manufacturer but said the vendor is working on a fix, which will be released in late Q3 2016. Problems with the device include a lack of encryption for device communications and the lack of any basic input sanitization for the password field. "Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the internet and bypass the limitations of the network address translation," says Alexandru Balan, Chief Security Researcher at Bitdefender. "This is a serious vulnerability, we could see botnets made up of these power outlets."
Re: (Score:1)
How many more stories will there be like this as more IOT stuff comes to market?
People just buy the lowest priced garbage they can find on Amazon... Most of which are unreliable Chinese garbage dumped on the market, completely unsecured, loaded with or vulnerable to malware, broadcasting information back to who-know-who, or rely on a fly-by-night company whose dodgy server in China might go offline tomorrow.
Sounds like a really great thing, truly.
Re: (Score:3)
For some reason many people seem to question internet related technology less and less, when obviously they should be questioning it more and more. Most things do not need to be hooked to the internet. The dubious benefits do not even come close to compensating for the potential downsides.
Re: (Score:2)
That's because they don't know the first thing about it. The internet, that's that nebulous thing they plug into their computer (seriously, there are people who absolutely believe "the internet", that's the router they got from their ISP) where the porn and Facebook lives.
And somehow this can in some way also do stuff with your toaster now. That this could be a security issue does not occur to them for a simple reason: Nothing else does. Everything else in their life has been foolproofed. Cars, appliances,
Re:You keep using that word... (Score:4, Informative)
Smart, as in, smartER than the idiot dumb enough to use it.
coders are not programmers (Score:1)
This is exactly what happens when you lay off all the real programmers and replace them with coders. Enjoy your cost savings at the price of lawsuits for security breaches.
Re: (Score:1)
Yes because 'programmers' never make mistakes, right?
Re: (Score:2)
Yes because 'programmers' never make mistakes, right?
These aren't mistakes, they are encoding the messages rather than encrypting them, using a public encoding scheme (anyway, a private encoding scheme wouldn't be better). So, they did actually think about the security, but due to incompetence in the field, they picked an encoding scheme to secure the communication. That's not the first time I have seen such a thing. Some coders believe because they cannot read the message it is encrypted.
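An added example to illustrate the encoding-versus-encryption point above; it is not code from Bitdefender's report or from the device's firmware. The frame format is an assumption constructed for the demo: the device XORs each byte of a key=value credential string with one fixed byte and then base64-encodes it. An eavesdropper who does not know that byte recovers it from a single sniffed frame using a known-plaintext crib (here, the assumed `ssid=` prefix), which is exactly why "I can't read it" is not encryption.

```python
"""
Added example (not from Bitdefender's report or the device firmware):
an 'encoding' scheme offers no confidentiality on the wire.
Frame format (constructed for this demo): XOR every byte of a
key=value credential string with one fixed key byte, then base64.
"""
import base64
from typing import Dict, Optional

CRIB = b"ssid="  # assumption: every credential frame starts with this


def obfuscate(plaintext: bytes, key_byte: int) -> str:
    """The device's 'encryption': fixed single-byte XOR, then base64."""
    return base64.b64encode(bytes(b ^ key_byte for b in plaintext)).decode()


def deobfuscate(frame: str, key_byte: int) -> bytes:
    """Inverse of obfuscate(); XOR with a fixed byte is its own inverse."""
    return bytes(b ^ key_byte for b in base64.b64decode(frame))


def recover_key(frame: str, crib: bytes = CRIB) -> Optional[int]:
    """Attacker side: try all 256 key bytes, keep the one that turns the
    start of the frame into the crib. None if no key fits (wrong format)."""
    raw = base64.b64decode(frame)
    if len(raw) < len(crib):
        return None
    for k in range(256):
        if bytes(b ^ k for b in raw[: len(crib)]) == crib:
            return k
    return None


def sniff_credentials(frame: str) -> Optional[Dict[str, str]]:
    """Decode a sniffed frame into its key=value fields without knowing
    the key: recover it from the crib, then strip the obfuscation."""
    k = recover_key(frame)
    if k is None:
        return None
    text = deobfuscate(frame, k).decode("utf-8", errors="replace")
    fields: Dict[str, str] = {}
    for part in text.split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    return fields


if __name__ == "__main__":
    # Constructed sample of what such a socket might send its cloud server.
    frame = obfuscate(b"ssid=HomeNet&psk=hunter2&mail=user@example.com", 0x5A)
    print(frame)
    print(sniff_credentials(frame))
```

The crib is not a secret either: the field layout is visible to anyone who reads the companion app, and the key byte is a constant in the same app or firmware. The only fix is real transport security (TLS with the device verifying the server's certificate), so that an eavesdropper holds no key at all.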
Re: (Score:1)
Enjoy your cost savings at the price of lawsuits for security breaches.
All that is already figured in [engineering.com]. I still don't know why nobody demands names. Lapdog press.
Re: (Score:3)
There is at least a chance of a lawsuit there. Now try for some cheap Chinese crap where you could already consider yourself lucky the thing doesn't simply burn your apartment to the ground due to faulty wiring.
dumbasses (Score:4, Insightful)
IoT will not be present. I want an outlet to do 2 things. Connect to the circuit breaker box, and provide electricity to my stuff without blowing up.
Can't leak what doesn't exist.
Re: dumbasses (Score:4, Interesting)
At least they're only gaining control over an on-off switch. If this was something with a dimmer that they could alter the firmware on, that'd be a lot more concerning. Because the firmware could be the only thing preventing the varistor from doing untoward behavior - short circuiting and throwing circuit breakers in a given location (to enable other nefarious actions while the power is out), oscillating loads in many locations at once in tune with the grid to mess up phase balancing, oscillating loads very quickly (if rapidly responsive devices are connected and if the varistor can shift that fast) in many locations to send out radio signals, etc
The only nefarious thing I can picture doing with a bunch of hacked on-off switches would be trying to overload the grid and cause brownouts. Although I guess if someone had a coffeepot on one of those things and you ran it dry of water you might be able to start a fire...
Re: dumbasses (Score:5, Informative)
At least they're only gaining control over an on-off switch.
Only. They're also gaining control over what you've plugged into that switch. (The whole purpose of having a network controlled switch is so you can control something that is plugged into it.) Plug in a coffee pot, heater, or anything else that can cause problem when turned on inappropriately, you've got a problem.
The fine summary also commented that the firmware could be hacked to become part of a botnet. That's a problem even if you don't have anything plugged in.
the varistor
Dimming is not done using a varistor. Or a rheostat (variable resistor.) That's so horribly inefficient and would create enormous heat problems. It's done using a triac. The dimming is accomplished by turning the triac on later and later in the cycle of the AC current. The less of the full cycle you let through, the "dimmer" the output. This requires only an on-off device which can be very efficient and create extremely little heat. (No heat when off, very low on resistance and thus very little dissipation when on.)
short circuiting
When an AC line switch "short circuits", the worst that happens is the device that is plugged in is "on" always. There is no pathway for a true short circuit in the controlled switch. (Yes, the dimming or switching circuit can fail and create a short, but unlikely, and not as part of improper control.)
oscillating loads in many locations at once in tune with the grid to mess up phase balancing
The latency in the network would make this hard.
oscillating loads very quickly
The fastest switching will be 16 (or 20) ms -- once the dimmer circuit fires the triac, it doesn't shut off until the next zero crossing. That can damage power supplies in connected devices, but unlikely to damage the grid.
Re: (Score:2)
Having never wired a dimmer switch, that makes good sense, and would indeed impose those limitations, and I bow to your knowledge. Except:
No. If you short the live to the neutral, you throw a breaker.
Now, if you had a triac in an always-open configuration, then that wouldn't happen, but that would no longer be a short circuit. My perception of there being a short configuration was based on a mis
Re: (Score:2)
But in short, I do thank you for the correction. It was late and my thoughts extended no further than, "these are the things you could do when you have an AC circuit flowing through a variable resistance". There are obviously a lot of problems with that.
Re: (Score:2)
No. If you short the live to the neutral, you throw a breaker.
Yes, you would. But the switching circuit does not have a path from live to neutral. Here [learnabout...ronics.org] is a site that shows a simple dimmer circuit. Note that the load is in series with the triac, so there is no input to the triac that will cause it short hot to neutral, and if the triac shorts it will at worst leave the controlled device (load) powered all the time.
Now, the entire control circuitry does, of course, have a connection from hot to neutral, but this connection is not switched and cannot be forced to creat
I couldn't think of anything useful to do with it so threw it in a box.
Control fans, or turn lights and radios on and off to simulate the presence of a resident. Unless you walk up and ring my doorbell you don't know if I'm home or not. (Or am I sitting behind the door with a 45 waiting for you?) That's what I use my X10 controls for. I also have a few lights that I always control with X10 just for convenience. One runs my lava lamp, which for some reason needs a slight bit of dimming to reduce the heat or all the lava floats on the top.
What is confusing about this article i
Re: (Score:1)
Put a lesser wattage globe in your lava lamp, sit back, trip out to the full globulous glory of said lava.
It's a vulnerability created by the intense desire to have an app control the switch via a remote server. For whatever brain-damaged reason, the app can't talk straight to the device, it has to go via the manufacturer's servers, and they do it via unencrypted channels that can be sniffed.
That's what is going to kill us all, IoT devices that in order to switch on something, or change a pretty colour or anything, have to go to the bloody cloud to do it.
Re: (Score:2)
You may soon have trouble buying a monitor or a refrigerator. I don't want it either, but I'm not sure how long it will be reasonably avoidable.
Full article (Score:1, Informative)
Full article with vendors here [bitdefender.com]
Re: (Score:2)
Well, I would certainly also hide the name if I did nothing but rehash an old security problem found by someone else and tried to sell it as my own...
Re: (Score:2)
They can't tell you the details until they come up with a snappy name for the vulnerability.
Re: (Score:2, Insightful)
They can't tell you the details until they come up with a snappy name for the vulnerability.
They already have, it's "IoT".
If it's some piece of consumer-shiny-bling-bullshit and it's internet-enabled, there's your vulnerability.
Re: (Score:2)
Backronym for "I do Internet of Things"?
Internet of Terrors (Score:5, Insightful)
That's what the IoT is, the Internet of Terrors.
Mark my words- this is only going to get worse and worse and worse, and eventually somebody will die from some shoddy piece-of-shit consumer crap that's been weaponized by some asshole hacker.
Re: (Score:1)
What is this school you speak of?
I learned it from your moms va-jayjay.
Re: (Score:1)
The IoT is a Dank Meme and Full of Terrors
Re: (Score:3)
I work on IoT, and I want to slap CEOs of companies like this for giving everything a bad name. We're working our ass off to have good security and yet the market is grabbing up toys that are completely useless except for being new and then fail to include even the most basic security. Most hardware good for this is low on security features, but they're slowly starting to come around due to demand from product makers.
But, this is the same crap you see on web pages, etc. Everyone's getting hacked left and
Re: (Score:3)
Startup mentality means get your product or app out as fast as possible so there's no time to waste on quality.
Time to market, and cost. If your switch costs twice as much as someone else's, guess which most consumers will buy? Development costs money. Security development is an almost invisible benefit in a device that hasn't gotten to market yet. It's only a liability afterwards.
Re: (Score:2)
Also, the well has already been poisoned. Even if you pay twice as much, it isn't likely that you will get something that is significantly more secure.
Even if you could, how do you know that you are getting more security for your additional dollars?
Re: (Score:2)
No one really needs either new gadget. They're being sold to gadget lovers who always must have the latest consumer item, to hipsters because nothing says insufferable like a guy showing you how he can see if he left the stove on or not while kayaking, and so forth. Those are consumers though. If you're a city or utility though you don't buy your devices from engadget or kickstarter.
Re: (Score:2)
No one really needs either new gadget.
Define "need". At the most basic human needs level (Maslow?) of course you are right.
But at a practical level, I disagree, with an example. I have remote data systems that run 24/7. One is a four hour drive away, another just one hour. Unfortunately, the computers doing the collection are not perfect devices and thus sometimes they crash. Or lock up.
In both locations I have network controllable power switches. (At the four hour away site, I actually have FOUR of them, at four different failure points.) I
Re: (Score:2)
I am surprised it hasn't happened yet.
Re: (Score:2)
Not enough IdIoTs yet. It needs to be a bit more widely used before it's a worthwhile attack vector.
Re: (Score:2)
Not enough IdIoTs yet. It needs to be a bit more widely used before it's a worthwhile attack vector.
Three words: Self-driving cars.
Re: (Score:2)
Critical mass not reached yet.
Re: (Score:2)
I am surprised it hasn't happened yet.
Same here, but I think the advent of self-driving cars will bring it about sooner than we think.
I'd bet that there are hackers rubbing their hands right now in gleeful anticipation of causing a car to veer into oncoming traffic or a light pole or a pedestrian.
Self-driving cars are my guess as to where we'll see the first IoT fatality. And it's likely that we won't even know it was a malicious actor that caused the fatality.
I am sick of "smart" products. From the smart text selection in MS Word, which always selects more or less text than I actually want, to the climate control in my car, which insists on turning on the A/C when I just want some cool fresh air, they invariably get it wrong. I know what I want and I am smart enough to make my own choices.
I love the automatic climate control in my car. If I don't want the AC on, just fresh air, I hit the AC button and it does its best to match the selected climate using fresh air + heater. I set the dial and forget about it 90% of the time. The 10% of the time is when I want to just roll the windows down instead of using the climate system. It even automatically defrosts the windshield if I turn on the rear window defroster. That is, of course, unless I tell it not to.
Re: (Score:2)
It even automatically defrosts the windshield if I turn on the rear window defroster. That is, of course, unless I tell it not to.
Yes, but why should you have to tell it not to? Because it's making a decision for you- the wrong decision.
Re: (Score:2)
It even automatically defrosts the windshield if I turn on the rear window defroster. That is, of course, unless I tell it not to.
Yes, but why should you have to tell it not to? Because it's making a decision for you- the wrong decision.
The general assumption is that if your back window needs defrosting, the front window probably does too. I never think about my automatic climate control. Like ever. And then I was traveling for work last week and was in a rental car and was constantly turning the knob to adjust the temperature because it would never turn off once it got to a comfortable temperature and the damn thing kept blowing until I got cold. Not that it's the end of the world, but I'd rather pay attention to the road than my clima
Real meaning of SMART (Score:2)
The hidden meaning of "smart" in "smart phone" and "smart light switch" actually implies something different, taken from the hard drive industry:
Self-Monitoring, Analysis and Reporting Technology (SMART)
The purpose of these devices seems to be total monitoring of its users. A "smart" home usually means the vendor knows the state of every light switch, every door sensor, every movement down to the millisecond. I'm just waiting for a group of burglars to break into such a database to determine when and where
Matthew Garret (Score:2)
If you want to keep up with a very smart person who does some really interesting analysis on the security of "smart" devices, try Matthew Garret. He posts most of his findings in conversational format on twitter at
@mjg59 [twitter.com].
You can see more of his "reported" results on his website at
http://mjg59.dreamwidth.org/ [dreamwidth.org].
Enjoy!
Re: (Score:2)
Of course I stupidly misspelled his name. It's Garrett. Sorry Matthew!
This isn't just regular stupid (Score:2)
I'm gonna go out on a limb and say that, in lieu of hashing and salting the password, and/or using one of the many freely available tools to sanitize inputs, it drops the password field directly into a database query of SELECT * FROM PWNED WHERE PASSWORD = x. Because IoT means cheap crap developed by the cheapest programmers. Hell, even doing a plain text compari
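An added example covering both the command injection in the password field that the summary describes and the SQL-built-from-the-password-field guess in the comment above. None of this is the device's firmware: the shell command, the table, the credentials and the payloads are all constructed for the demo. Each flawed handler sits beside a hardened one that treats the field as data only (argv list instead of a shell string; a parameterized query against a salted PBKDF2 hash instead of a concatenated plaintext comparison).

```python
"""
Added example, not the device's code: one password field handled two
ways. (1) Command injection: the field is pasted into a shell string.
(2) SQL injection: the field is pasted into a query. The hardened
versions keep the field as data. Everything here is constructed.
"""
import hashlib
import hmac
import os
import sqlite3
import subprocess

# --- (1) shell command built from the password field -------------------

def set_password_vulnerable(password: str) -> str:
    # shell=True hands the whole string to /bin/sh, so a ';' in the
    # field ends the intended command and starts the attacker's.
    cmd = f"echo storing password {password}"
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout


def set_password_fixed(password: str) -> str:
    # argv list: no shell parses the string, so ';' is just a character.
    return subprocess.run(["echo", "storing password", password],
                          capture_output=True, text=True).stdout

# --- (2) login check built from the password field ---------------------

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    # Constructed table. The plaintext 'password' column exists only so
    # the vulnerable query has something to match; the fixed path uses
    # the salt and hash columns.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, "
                "salt BLOB, pwhash BLOB)")
    salt = os.urandom(16)
    con.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                ("admin", "correct horse", salt,
                 _pbkdf2("correct horse", salt)))
    return con


def login_vulnerable(con: sqlite3.Connection, name: str,
                     password: str) -> bool:
    # The commenter's guess, concatenated: a quote in the field
    # rewrites the WHERE clause and the OR makes it always true.
    q = (f"SELECT name FROM users WHERE name = '{name}' "
         f"AND password = '{password}'")
    return con.execute(q).fetchone() is not None


def login_fixed(con: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterized lookup; the field never reaches the SQL parser.
    row = con.execute("SELECT salt, pwhash FROM users WHERE name = ?",
                      (name,)).fetchone()
    if row is None:
        return False
    salt, pwhash = row
    # Constant-time compare of the salted hash, no plaintext stored.
    return hmac.compare_digest(_pbkdf2(password, salt), pwhash)


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print(set_password_vulnerable(payload))  # second line shows INJECTED ran
    print(set_password_fixed(payload))       # one line, payload kept literal
    con = make_db()
    print(login_vulnerable(con, "admin", "' OR '1'='1"))  # True: bypass
    print(login_fixed(con, "admin", "' OR '1'='1"))       # False
```

The two fixes share one principle: never let user input reach a parser (a shell, a SQL engine) as part of the program text. Input "sanitization" with a blacklist is the weaker alternative, because the set of metacharacters depends on which parser the string eventually meets.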
Re: (Score:2)
https://www.youtube.com/watch?v=inR02pEesCQ
Help me out here (Score:2)
IOT = Pile of shit (Score:1)
Ho hum. Seems like every other day we get news of yet another crapulent, badly designed, "Internet of Things" device with piss poor security.
Seriously, anyone putting *any* of these shitty things in their house must have a hole in the head.
You'd be at less risk of something bad happening by putting scorpions in your underwear than you would bringing *ANY* IOT device into your home. They're being designed by clowns for clowns.
Manufacturer is Edimax [n/t] (Score:1)
Edimax is the manufacturer of these devices.