Security Vulnerability in Smart Electric Outlets

A security vulnerability in Belkin's Wemo Insight "smartplugs" allows hackers to not only take over the plug, but use it as a jumping-off point to attack everything else on the network.

From the Register:
 
The bug underscores the primary risk posed by IoT devices and connected appliances. Because they are commonly built by bolting on network connectivity to existing appliances, many IoT devices have little in the way of built-in network security.

Even when security measures are added to the devices, the third-party hardware used to make the appliances "smart" can itself contain security flaws or bad configurations that leave the device vulnerable.

"IoT devices are frequently overlooked from a security perspective; this may be because many are used for seemingly innocuous purposes such as simple home automation," the McAfee researchers wrote.

"However, these devices run operating systems and require just as much protection as desktop computers."

I'll bet you anything that the plug cannot be patched, and that the vulnerability will remain until people throw them away.

Boing Boing post. McAfee's original security bulletin.
 
 schneier.com
 
 Comments
mrmcd • September 12, 2018 6:51 AM
 
Embarrassed to say I actually have one of these plugs, and they do get firmware patches on a fairly regular basis (now I know why). It's not an obvious process though: you have to open the app, accept a pop-up dialog that only appears once a day, and then wait ~5 minutes while the plug power cycles several times. Anything connected to the plug effectively can't be used while it's patching.
 
Mace Moneta • September 12, 2018 7:04 AM
 
I've only been buying devices supported by the open source firmware, Tasmota. I flash each device, which can subsequently be updated over the air. I restrict the devices to LAN-only operation (remote access is via ssh or VPN). This is the LoT (LAN of Things), a much better implementation. But it does require more knowledge than IoT.
 
Sam Lord • September 12, 2018 7:40 AM
 
 I'd be interested to see whether the future of IoT ends up being a consumer friendly version of what Mace has described above.
 
A bunch of "dumb" smart devices which have a simple, discoverable API, and talk to a consumer friendly firewall / web server. Focus on the security of that one element, and make it so nothing else is accessible to the internet. Maybe there are some flaws to doing things that way, but it's surely better than having a ton of public-facing servers running low-security operating systems with proprietary operating systems.
 
Peter Galbavy • September 12, 2018 7:40 AM
 
I had an "Efergy" smart plug for a while for a specific purpose, but after it was done and I was installing a new home router I noticed lots of fun and interesting DNS look-ups in the local cache for a wide range of Chinese destinations. None of which were either associated with the company supplying the device or the authors of the app. This was continuous and not while the device was in use or the app on my phone open.
 
I didn't have much time or motivation at the time to look at the traffic but the device was recycled and the app very much deleted.
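Peter's observation above, spotting DNS lookups from a plug for destinations unrelated to its vendor or app, can be turned into a routine check on a home router's resolver log. The following is an added example, not part of the post or any commenter's code: it parses constructed dnsmasq-style query log lines and flags queries from one device to names outside an allowlist of the domains that device is expected to contact (all IPs and domains are made up).

```python
import re
from collections import Counter

# Constructed dnsmasq-style query log lines (sample data, not from the post).
# 192.168.20.14 is the hypothetical smart plug; 192.168.10.5 is a laptop.
SAMPLE_LOG = """\
Sep 12 06:51:01 dnsmasq[412]: query[A] api.plug-vendor.invalid from 192.168.20.14
Sep 12 06:51:02 dnsmasq[412]: query[A] time.plug-vendor.invalid from 192.168.20.14
Sep 12 06:53:19 dnsmasq[412]: query[A] stats.tracker-one.invalid from 192.168.20.14
Sep 12 06:53:20 dnsmasq[412]: query[AAAA] stats.tracker-one.invalid from 192.168.20.14
Sep 12 06:55:00 dnsmasq[412]: query[A] cdn.tracker-two.invalid from 192.168.20.14
Sep 12 06:55:07 dnsmasq[412]: query[A] www.tracker-two.invalid from 192.168.10.5
Sep 12 06:56:00 dnsmasq[412]: reply api.plug-vendor.invalid is 203.0.113.7
"""

# Matches only the "query[TYPE] name from source" lines; replies are ignored.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)")


def is_expected(name, expected_domains):
    """True if name equals, or is a subdomain of, any expected domain."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in expected_domains)


def unexpected_lookups(log_text, device_ip, expected_domains):
    """Count DNS queries from device_ip whose name falls outside the
    vendor/app domains the device is expected to contact.

    Returns a Counter of {queried_name: number_of_queries}; anything in it
    is worth a closer look (or a firewall rule, or the recycling bin)."""
    expected = {d.lower().rstrip(".") for d in expected_domains}
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("src") != device_ip:
            continue  # not a query line, or from a different host
        if not is_expected(m.group("name"), expected):
            hits[m.group("name").rstrip(".").lower()] += 1
    return hits


if __name__ == "__main__":
    flagged = unexpected_lookups(SAMPLE_LOG, "192.168.20.14", {"plug-vendor.invalid"})
    for name, count in flagged.most_common():
        print(f"{count:3d}  {name}")
```

On a real router the log text would come from dnsmasq's `log-queries` output (or the equivalent on whatever resolver the router runs), and the allowlist from whatever the vendor documents as the device's cloud endpoints.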
 
Ewan Marshall • September 12, 2018 8:17 AM
 
So keep following my policy of avoiding smart devices where possible, and if not possible, use only on a segregated network.
 ...
 