Skip to main content

Cheap Internet of Things gadgets betray you even after you toss them in the trash

You may think that the worst you’ll risk by buying a bargain-bin smart bulb or security camera will be a bit of extra trouble setting it up or a lack of settings. But it’s not just while they’re plugged in that these slapdash gadgets are a security risk — even from the garbage can, they can still compromise your network.

Although these so-called Internet of Things gadgets are small and rather dumb, they’re still full-fledged networked computers for all intents and purposes. You may not need to do much, but you still need to take many of the same basic precautions to prevent them from, say, broadcasting your private information unencrypted to the world, or granting root access to anyone walking by.

In the case of these low-cost “smart” bulbs investigated by Limited Results (via Hack a Day), the issue isn’t what they do while connected but what they keep onboard their tiny brains, and how.

All the bulbs they tested proved to have no real security at all protecting the information kept on the chips inside. After exposing the PCBs, they attached a few leads and in a moment each device would spit out its boot data and be ready to take commands.

The data was without exception totally unencrypted, including the wireless password to the network to which the device had been connected. One device also exposed its private RSA key, used to create secure connections to whatever servers it connects to (for example to check for updates, upload user data to the cloud and so on). This information would be available to anyone who grabbed this bulb out of the trash, or stole it from an outdoor fixture or bought it secondhand.

“Seriously, 90 percent of IoT devices are developed without security in mind. It is just a disaster,” wrote Limited Results in an email. “In my research, I have targeted four different devices : LIFX, XIAOMI, TUYA and WIZ (not published yet, very unkind people). Same devices, same vulnerabilities, and even sometimes exactly same code inside.”

Now, these particular bits of information exposed on these devices aren’t that harmful in and of themselves, although if someone wanted to, they could take advantage of it in several ways. What’s important to note is the utter lack of care that went into these devices — not just their code, but their construction. They really are just basic enclosures around an off-the-shelf wireless board, with no consideration given to safety, security or longevity. And this type of thing is not by any means limited to smart bulbs.

These devices all proudly assert that they support Alexa, Google Home or other standards. This may give users a false sense that they are in some way accredited, inspected or otherwise held to basic standards.

In fact, in addition to all of them having essentially no security at all, one had its (conductive) metal shell insulated from the PCB only by a loose piece of adhesive paper. This kind of thing is an electrical fire, or at least a short, waiting to happen.

As with any other class of electronics, there’s always a pretty good reason why one is a whole lot cheaper than another. But in the case of a cheap CD player, the worst you’re going to get is skipping or a scratched disc. That’s not the case with a cheap baby monitor, a cheap smart outlet, a cheap internet-connected door lock.

I’m not saying you need to buy the premium version of every smart gadget out there — consumers need to be aware of the risks they are exposing themselves to with the installation of any such device, let alone a poorly made one.

If you want to limit your own risk, a simple step you can take is to have your smart home devices and such isolated on a subnet or guest network. Make sure that the devices, and of course your router, are password protected, and take common sense measures like changing that password regularly.



from Gadgets – TechCrunch https://tcrn.ch/2Ggunii

Comments

Popular posts from this blog

This week in Android: It’s weird phone week

We got to play with a lot of cool tech at CES 2019 , but little was cooler than the Qualcomm Snapdragon 855 . Qualcomm had a reference device  sporting the new SoC and we were able to put it through its paces , including our very own Speed Test G . The results are impressive. In other big news this week, we found out  Motorola is planning on bringing back the Razr phone , made famous in the mid 2000s. We don’t know a lot about the phone itself, but we can make some guesses  based on a patent  from August of last year. Plus, we look ahead at the future of LG and OnePlus , including a new peculiar accessory for LG . Also, we have good news and bad news about Huawei’s security. Here are your top stories for the week 4:20 – Snapdragon 855 performance and benchmarking: Speed Test G, AnTuTu & Geekbench At CES, Gary Sims previewed the  Snapdragon 855 processor in reference hardware. He had some fun with it. 21:45 – You’ll flip for the foldable Motorol...

My product launch wishlist for Instagram, Twitter, Uber and more

‘Twas the night before Xmas, and all through the house, not a feature was stirring from the designer’s mouse . . . Not Twitter! Not Uber, Not Apple or Pinterest! On Facebook! On Snapchat! On Lyft or on Insta! . . . From the sidelines I ask you to flex your code’s might. Happy Xmas to all if you make these apps right. Instagram See More Like This – A button on feed posts that when tapped inserts a burst of similar posts before the timeline continues. Want to see more fashion, sunsets, selfies, food porn, pets, or Boomerangs? Instagram’s machine vision technology and metadata would gather them from people you follow and give you a dose. You shouldn’t have to work through search, hashtags, or the Explore page, nor permanently change your feed by following new accounts. Pinterest briefly had this feature (and should bring it back) but it’d work better on Insta. Web DMs  – Instagram’s messaging feature has become the defacto place for sharing memes and trash talk about peopl...

First ever drone-delivered kidney is no worse for wear

Drone delivery really only seems practical for two things: take-out and organ transplants. Both are relatively light and also extremely time sensitive. Well, experiments in flying a kidney around Baltimore in a refrigerated box have yielded positive results — which also seems promising for getting your pad thai to you in good kit. The test flights were conducted by researchers at the University of Maryland there, led by surgeon Joseph Scalea. He has been frustrated in the past with the inflexibility of air delivery systems, and felt that drones represent an obvious solution to the last-mile problem. Scalea and his colleagues modified a DJI M600 drone to carry a refrigerated box payload, and also designed a wireless biosensor for monitoring the organ while in flight. After months of waiting, their study was assigned a kidney that was healthy enough for testing but not good enough for transplant. Once it landed in Baltimore, the team loaded it into the container and had it travel 14 ...