Eight Internet of Things Security Fails

Change the passwords on your routers when you set them up, for goodness sake

Change your router password, okay? (Photo: Joseph Barrak/Getty Images)

Are you looking forward to a wired up, smarter world? One where you can turn your air conditioning on by speaking into the dash of your car or take advantage of ubiquitous sensors to catch that ideal weekend lull at Trader Joe’s? A more connected future will be much more productive and convenient, but there’s going to be a lot of creep factor on the way there.

In fact, the Internet of Things has been a mess so far. Never mind all we’ve been revealing just by using these things; the sloppy security practices of the companies that make connected devices have permitted a damning list of disconcerting hacks.

We have assembled a list of eight of the most notorious failures caused by connected devices. Again and again, these vulnerabilities didn’t require Mission: Impossible-quality hacking skills. In most cases, these virtual doors were opened with digital keys left sticking out from under the metaphorical doormat.

Consumers, for their part, could try a bit harder, too, even taking basic steps to protect themselves, such as changing the default passwords on their connected devices.

Weak security on sensors or controls in the home can harm consumers in all kinds of ways, letting criminals know when you are out, violating privacy and even letting their tiny electronic brains get hijacked by third parties.

When big companies get security on connected devices wrong, their failures can reach directly into consumers’ pocketbooks.

Here are the most notorious failures born of Internet-enabled devices since the sector started taking off:

Bullseye, Target’s mascot, at the New York Stock Exchange. (Photo: Andrew Burton/Getty Images)

Target’s Heating and Cooling System

The pile of credit card data stolen from Target has been one of the worst security breaches in recent memory. The hackers got the data by compromising the store through an account used by an HVAC contractor, granted trusted access to install a heating and cooling system. Using those credentials, they were able to install credit card skimming software on the point of sale devices, as Krebs on Security first reported.

Wink Hub. (Courtesy photo)

Wink

Earlier this year, a hub that connects IoT devices went south en masse due to a simple oversight. Wink hubs were built with security in place, but their security certificate had an expiration date and the company let it lapse. When that happened, many of the devices were bricked by the expired certificate. Dell’s Jackson Shaw offered some lessons following the failure on EE Times.

The latest Insteon hub. (Courtesy photo)

Insteon

In 2013, a Forbes reporter found several homes that had been made remotely controllable using a now discontinued connected home system from Insteon. Many of the owners had left information about their houses searchable on the Internet. The reporter didn’t even have to target anyone specifically. She just went looking for homes on the system and tried taking them over.

For the people she was able to glean enough information about, she called them up and turned their lights on and off while chatting with them on the phone.

One of TrendNet's cloud enabled security cameras. (Courtesy photo)

SecurView Cameras

This fail occurred with TrendNet’s nanny cams, which proved easy to watch through remotely, in 2013. All an attacker (or creep) needed was the camera’s IP address. In fact, it sounds like security practices at the company were a bit of a disaster from end to end, according to a post-mortem in TechNewsWorld.

2013’s 75-inch F8000 Smart LED connected television. (Photo: Jung Yeon-Je/Getty Images)

Samsung Televisions

Cameras built into Samsung’s smart televisions were easy to commandeer in 2013. The vulnerability has been patched, according to CNN Money. At least, the breach the company knew about has. There’s a reason some people put tape over the cameras on their cell phones and computers. It’s the only way you can really know they aren’t on.

A Nest thermostat. (Photo: George Frey/Getty Images)

Nest

Nest was shown to be easy to hack if you have physical access, by putting the device in developer mode, as demonstrated at 2014’s Black Hat security conference. It takes just a thumb drive and about 15 seconds with the device to compromise it. VentureBeat has more details, including a comment from Google that Nest has not discovered many compromised devices.

One attack vector: buy a bunch of Nests. Put your code on them. Repackage them and sell them (perhaps at a discount) either one by one or to a reseller, as this security consultant suggested. Then, an attacker wouldn’t even need access to the home.

Google did not return a request for comment on whether the company has further addressed this vulnerability.

Vodafone high speed routers. (Photo: Sean Gallup/Getty Images)

Home routers

Team Cymru identified thousands of small office and home routers in Europe and Asia that fell victim to a man-in-the-middle attack in which home routers were remotely reprogrammed to deliver fake search results that would either promote certain products or show ads that would trick users into revealing personal information.

Once again, loads of the attacks were made possible by people using default or easy-to-guess passwords.

Team Cymru didn’t specify the kinds of devices that were vulnerable, saying that the nefarious DNS addresses had been found loaded on many makes and models of routers. Again, this was largely thanks to users failing to set their own credentials on their routers.

An LG wi-fi connected refrigerator. (Photo: Jung Yeon-Je/Getty Images)

Spammy refrigerators

Proofpoint allegedly discovered a load of devices that were sending out thousands of spam emails (including at least one connected fridge), starting in late 2013. It wasn’t just refrigerators. It was all kinds of devices. In a very clever attack, software went out looking for connected devices using default passwords. Once it had found thousands, it connected them into a bot network spewing out spam such that no single device sent out messages more than a few times. Spam came from thousands of IP addresses, all over the place. This made it much harder to block.

If, that is, the events described actually happened. Unfortunately, Proofpoint doesn’t show its work in the post, so there’s no way to follow up on it or corroborate it. The company did not immediately return a request for comment on this story. We found a very similar report from HP, by the way. In 2014, it said connected devices, in general, aren’t secure, but didn’t list any of the devices it checked. In both of these cases, the findings are impossible to corroborate and fail to warn consumers about the shortcomings of their purchases.
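The pattern in the Proofpoint account above, many sources each sending only a handful of copies of the same message, is exactly what a per-IP rate limit misses. Here is an added example (not Proofpoint’s or any vendor’s code) of detection logic that flags a message fingerprint by how many distinct sources it comes from rather than by volume; the log line format and the addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample mail-gateway log (not real data). Assumed format:
# "<timestamp> from=<ip> subject_hash=<hex>", one line per inbound message.
SAMPLE_LOG = """\
2013-12-23T10:00:01Z from=203.0.113.10 subject_hash=a1b2
2013-12-23T10:00:05Z from=203.0.113.11 subject_hash=a1b2
2013-12-23T10:00:09Z from=203.0.113.12 subject_hash=a1b2
2013-12-23T10:00:12Z from=203.0.113.13 subject_hash=a1b2
2013-12-23T10:00:15Z from=203.0.113.14 subject_hash=a1b2
2013-12-23T10:00:20Z from=203.0.113.14 subject_hash=a1b2
2013-12-23T10:01:00Z from=198.51.100.5 subject_hash=c3d4
2013-12-23T10:01:02Z from=198.51.100.5 subject_hash=c3d4
2013-12-23T10:01:04Z from=198.51.100.5 subject_hash=c3d4
2013-12-23T10:01:06Z from=198.51.100.5 subject_hash=c3d4
2013-12-23T10:02:00Z from=192.0.2.77 subject_hash=e5f6
"""

LINE_RE = re.compile(r"^\S+ from=(\S+) subject_hash=(\S+)$")


def parse_log(text):
    """Yield (source_ip, message_fingerprint) pairs from the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def find_distributed_campaigns(text, min_sources=5, max_per_source=3):
    """Return {fingerprint: sorted source IPs} for low-and-slow campaigns.

    A fingerprint is flagged when it arrives from at least `min_sources`
    distinct IPs and no single IP sent it more than `max_per_source` times.
    A single chatty source (c3d4 in the sample) is the opposite shape and is
    left to ordinary per-IP rate limiting.
    """
    per_fp = defaultdict(lambda: defaultdict(int))
    for ip, fp in parse_log(text):
        per_fp[fp][ip] += 1
    campaigns = {}
    for fp, sources in per_fp.items():
        if len(sources) >= min_sources and max(sources.values()) <= max_per_source:
            campaigns[fp] = sorted(sources)
    return campaigns
```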

Name the hardware in reports on the vulnerabilities of hardware. We’re all grown-ups here.

It may be time for connected device makers, at a minimum, to agree to no longer manufacture devices with one default password across a product or line. At the very least, these devices should ship with a unique password that the user can change upon purchase.

Seriously, though: when you buy a new router, give it its own administrative password, for goodness sake.
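As an added illustration of the per-device password recommendation above (this is example code, not any manufacturer’s), the factory side generates a unique password for each unit and keeps only a salted hash on the device, and a fleet audit then catches any unit still verifying against a shared default. Serial numbers, the default list and the fleet are constructed; PBKDF2 iteration count is an assumption.

```python
import hashlib
import os
import secrets

# Characters that are easy to read off a label (no 0/O or 1/l confusion).
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 of the password, as hex (iteration count assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def provision_device(serial, length=12):
    """Generate a unique admin password for one unit.

    Returns (password_for_the_label, record_for_the_device). The device keeps
    only the salt and hash; the plaintext goes on the unit's label for the
    buyer, who is expected to change it after setup.
    """
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = os.urandom(16)
    record = {"serial": serial, "salt": salt, "hash": hash_password(password, salt)}
    return password, record


def find_default_credentials(records, known_defaults):
    """Return (serial, default) for every unit whose stored hash matches a known default.

    This is the audit that catches a 'one password across the product line'
    build: the defaults are hashed with each unit's own salt and compared.
    """
    flagged = []
    for rec in records:
        for default in known_defaults:
            if hash_password(default, rec["salt"]) == rec["hash"]:
                flagged.append((rec["serial"], default))
                break
    return flagged


# Constructed fleet: two properly provisioned units and one that shipped with
# the shared default "admin" (the failure the article describes).
KNOWN_DEFAULTS = ["admin", "password", "1234"]
_label_pw1, GOOD1 = provision_device("SN-0001")
_label_pw2, GOOD2 = provision_device("SN-0002")
_bad_salt = os.urandom(16)
BAD = {"serial": "SN-0003", "salt": _bad_salt, "hash": hash_password("admin", _bad_salt)}
FLEET = [GOOD1, GOOD2, BAD]
```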