How some connected things are putting you in danger, down to the smart bulbs and plugs.
Wouldn’t it be nice to have a dimmer on that lamp? Matthew Garrett thought so. He bought some connected light bulbs that offer dimming from your phone, and control from anywhere in the world.
You can make it look like you are home when you are vacationing in Mexico. Turn the light on right before you pull up to the house at night. Turn off the light the cat sitter left on by mistake.
So convenient. And, as Garrett found, highly unsafe.
“Absolutely the worst lightbulbs I’ve ever bought,” he wrote in his Amazon review about the iSuper iRainbow001 Wi-Fi A19 Zigbee Smart LED Bulb. “Don’t buy these bulbs.”
They produced only dim rainbow light at his home, but more importantly, he said, they are a digital safety hazard. Garrett is a security developer at CoreOS and decided to put the bulbs to the test.
“They had the semblance of security,” he told Archer News. “But in reality there was no security at all.”
“No security”
The kid next door could remotely change your settings to “disco” and make a constant strobe while you try to sleep. Your estranged brother-in-law could enact a plan of remote lighting harassment. A thief could turn off the motion detector lamp signaling his or her presence, according to Garrett’s research.
“Anyone in the world could control the lights, including setting them to a mode where they’d rapidly flicker and potentially cause damage,” he said.
Even worse, a bad guy could sit outside in a car with a laptop and access your internal network through your light bulb, according to Garrett.
“Once someone’s on your internal network they’re able to do various things, including forcing all your traffic to go through the compromised device instead of just to your router,” he said. Then, they could trick you into giving up your password and account numbers—all from your light bulb.
More than one bulb
It’s not just one bulb from one manufacturer. Garrett said he has tested at least 10 connected devices and found that most of the ones he reviewed have bad security.
The AuYou Wifi Smart Outlet Socket, which lets you turn on and off the power to your appliances and lights with your phone from anywhere, flunked his test.
“By default this is stupendously insecure, there’s no reasonable way to make it secure, and if you do make it secure then it’s much less useful than it’s supposed to be,” Garrett concluded.
The Morjava MJ-SmallK Intelligent Smart Wifi Plug also got a thumbs down from Garrett.
“The security on this device is a joke,” he wrote in his review. “By default, anyone in the world can send a command to the plug and it’ll just perform it. That means anyone can just turn your plugs on and off, and also set the timer.”
Some devices went a step further in their insecurity.
“I found a baby monitor that allowed anyone to take it over and record anything that was going on nearby,” he said. It also allowed bad guys to access your e-mail and Facebook, among other things, according to Garrett.
Connected things explosion
Garrett is not the only tester finding major flaws in “connected things” security. Other researchers have uncovered ways attackers can get into and control things like medical devices and cars.
This month, the Federal Trade Commission warned the Department of Commerce that, though there are benefits to the Internet of Things [IoT], there are also security risks that could threaten people’s money, identities and even their lives.
Last year, the FTC told companies developing IoT devices to make sure their devices are secure and test them before selling. The number of IoT connections in homes could double in the next four years, according to Cisco.
“If that home automation system isn’t secure, a criminal could override the settings to unlock the doors. And just think of the consequences if a hacker were able to remotely recalibrate a medical device – say, an insulin pump or a heart monitor,” the FTC said in its guidance for businesses. “Is your company taking reasonable steps to protect consumers’ devices from hackers, snoops, and thieves?”
The answer is ‘no’ for a number of companies, according to FTC commissioner Terrell McSweeney in Recode.
“We are on the cusp of a rapid expansion of the IoT,” McSweeney said. “Now is the time to insure there is a clear set of ground rules for the security of these products — before the marketplace and our homes fill with exploitable devices.”
Two companies––Underwriters Laboratories and ICSA Labs—announced certification programs for connected devices in the past two months. Device makers would then know if their products are secure, and customers might be able to make a better choice at the register, online or in the store. But these programs are not yet widespread.
What can you do?
Garrett said he reports his findings to the device makers—and the big companies usually pay attention.
“The larger brands, yes,” he explained. “I’ve had some great feedback and prompt fixes.”
“For smaller ones, it’s often almost impossible to speak to the actual manufacturers,” he added. “They’re being rebranded and resold by companies who don’t know anything about the software they’re selling.”
It is a better choice to buy from a bigger manufacturer, he said.
“There are some products from reputable manufacturers that have been thoroughly examined and appear to be safe,” he said. “Buying unbranded devices from Amazon is much more likely to be insecure.”
Toaster password
Like your phone and your computer, your connected toaster and refrigerator need a passcode.
“The best advice for anyone who has any kind of IoT device that has password support is to set a good password,” Garrett recommended. “That doesn’t guarantee safety, but there are some I’ve looked at that are reasonably safe with a password and very unsafe without one.”
And make it a tough password, not Toaster123. Some devices he tested allowed would-be attackers unlimited guesses, so it might not take long to use a password cracker and get in.
“The biggest problem is with the ones that have remote control so you can operate them from outside your house,” said Garrett. “Things that use short-range communication technology like Bluetooth aren’t necessarily safer in absolute terms, but an attacker would need to be in your home to be able to do anything with them.”
With some smart products, you can set up extra security, like one of the smart plugs he reviewed.
“You need to explicitly firewall off the server (it’s 115.28.45.50) in order to protect yourself,” he wrote. “Again, this is completely unrealistic to expect for a home user, and if you do this then you’ll also entirely lose the ability to control the device from outside your home.”
And if worse comes to worst, you can always unscrew that smart bulb from the light socket.
“You’d need to unplug the base station as well, but yes, they’re all harmless when unplugged,” said Garrett.
Of course, at that point, it’s no longer connected. The lights are out. And you’re probably wishing you had made a smarter move with your money.