Skip to main content
https://www.highperformancecpmgate.com/rgeesizw1?key=a9d7b2ab045c91688419e8e18a006621

Cheap internet of things gadgets betray you even after you toss them in the trash

You may think that the worst you’ll risk by buying a bargain-bin smart bulb or security camera will be a bit of extra trouble setting it up or a lack of settings. But it’s not just while they’re plugged in that these slapdash gadgets are a security risk — even from the garbage can, they can still compromise your network.

Although these so-called internet of things gadgets are small and rather dumb, they’re still full-fledged networked computers for all intents and purposes. They may not need to do much, but they still need to take many of the same basic precautions to prevent them from, say, broadcasting your private information unencrypted to the world, or granting root access to anyone walking by.

In the case of these low-cost “smart” bulbs investigated by Limited Results (via Hack a Day), the issue isn’t what they do while connected but what they keep onboard their tiny brains, and how.

All the bulbs they tested proved to have no real security at all protecting the information kept on the chips inside. After exposing the PCBs, they attached a few leads and in a moment each device would spit out its boot data and be ready to take commands.

The data was without exception totally unencrypted, including the wireless password to the network to which the device had been connected. One device also exposed its private RSA key, used to create secure connections to whatever servers it connects to (for example to check for updates, upload user data to the cloud, and so on). This information would be available to anyone who grabbed this bulb out of the trash, or stole it from an outdoor fixture, or bought it secondhand.

“Seriously, 90 percent of IoT devices are developed without security in mind. It is just a disaster,” wrote Limited Results in an email. “In my research, I have targeted four different devices : LIFX, XIAOMI, TUYA and WIZ (not published yet, very unkind people). Same devices, same vulnerabilities, and even sometimes exactly same code inside.”

Now, these particular bits of information exposed on these devices aren’t that harmful in and of themselves, although if someone wanted to, they could take advantage of it in several ways. What’s important to note is the utter lack of care that went into these devices — not just their code, but their construction. They really are just basic enclosures around an off-the-shelf wireless board, with no consideration given to safety, security, or longevity. And this type of thing is not by any means limited to smart bulbs.

These devices all proudly assert that they support Alexa, Google Home, or other standards. This may give users a false sense that they are in some way accredited, inspected, or otherwise held to basic standards.

In fact, in addition to all of them having essentially no security at all, one had its (conductive) metal shell insulated from the PCB only by a loose piece of adhesive paper. This kind of thing is an electrical fire or at least a short waiting to happen.

As with any other class of electronics, there’s always a pretty good reason why one is a whole lot cheaper than another. But in the case of a cheap CD player, the worst you’re going to get is skipping or a scratched disc. That’s not the case with a cheap baby monitor, a cheap smart outlet, a cheap internet-connected door lock.

I’m not saying you need to buy the premium version of every smart gadget out there — consumers need to be aware of the risks they are exposing themselves to with the installation of any such device, let alone a poorly made one.

If you want to limit your own risk, a simple step you can take is to have your smart home devices and such isolated on a subnet or guest network. Making sure that the devices and of course your router are password protected, and take common sense measures like changing that password regularly.

Comments

Post a Comment

Popular posts from this blog

Uber co-founder Garrett Camp steps back from board director role

Uber co-founder Garrett Camp is relinquishing his role as a board director and switching to board observer — where he says he’ll focus on product strategy for the ride hailing giant. Camp made the announcement in a short Medium post in which he writes of his decade at Uber: “I’ve learned a lot, and realized that I’m most helpful when focused on product strategy & design, and this is where I’d like to focus going forward.” “I will continue to work with Dara [Khosrowshahi, Uber CEO] and the product and technology leadership teams to brainstorm new ideas, iterate on plans and designs, and continue to innovate at scale,” he adds. “We have a strong and diverse team in place, and I’m confident everyone will navigate well during these turbulent times.” The Canadian billionaire entrepreneur signs off by saying he’s looking forward to helping Uber “brainstorm the next big idea”. Camp hasn’t been short of ideas over his career in tech. He’s the co-founder of the web 2.0 recommendatio
Post a Comment
Read more

Drone crash near kids leads Swiss Post and Matternet to suspend autonomous deliveries

A serious crash by a delivery drone in Switzerland have grounded the fleet and put a partnership on ice. Within a stone’s throw of a school, the incident raised grim possibilities for the possibilities of catastrophic failure of payload-bearing autonomous aerial vehicles. The drones were operated by Matternet as part of a partnership with the Swiss Post (i.e. the postal service), which was using the craft to dispatch lab samples from one medical center for priority cases. As far as potential applications of drone delivery, it’s a home run — but twice now the craft have crashed, first with a soft landing and the second time a very hard one. The first incident, in January, was the result of a GPS hardware error; the drone entered a planned failback state and deployed its emergency parachute, falling slowly to the ground. Measures were taken to improve the GPS systems. The second failure in May, however, led to the drone attempting to deploy its parachute again, only to sever the line
Post a Comment
Read more

ProtonMail logged IP address of French activist after order by Swiss authorities

ProtonMail , a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism after a police report showed that French authorities managed to obtain the IP address of a French activist who was using the online service. The company has communicated widely about the incident, stating that it doesn’t log IP addresses by default and it only complies with local regulation — in that case Swiss law. While ProtonMail didn’t cooperate with French authorities, French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users. For the past year, a group of people have taken over a handful of commercial premises and apartments near Place Sainte Marthe in Paris. They want to fight against gentrification, real estate speculation, Airbnb and high-end restaurants. While it started as a local conflict, it quickly became a symbolic campaign. They attracted newspaper headlines when they started occupying prem
Post a Comment
Read more