Are you looking forward to a wired up, smarter world? One where you can turn your air conditioning on by speaking into the dash of your car or take advantage of ubiquitous sensors to catch that ideal weekend lull at Trader Joe’s? A more connected future will be much more productive and convenient, but there’s going to be a lot of creep factor on the way there.
In fact, the Internet of Things has been a mess so far. Never mind all we’ve been revealing just by using these things; the sloppy security practices of the companies that make connected devices have permitted a damning list of disconcerting hacks.
We have assembled a list of eight of the most notorious failures caused by connected devices. Again and again, these vulnerabilities didn’t require Mission: Impossible-grade hacking skills. In most cases, these virtual doors were opened with digital keys left sticking out from under the metaphorical doormat.
Consumers, for their part, could try a bit harder, too, starting with basic steps such as changing the default passwords on their connected devices.
Weak security on sensors or controls in the home can harm consumers in all kinds of ways, letting criminals know when you are out, violating privacy and even letting their tiny electronic brains get hijacked by third parties.
When big companies get security on connected devices wrong, their failures can reach directly into consumers’ pocketbooks.
Here are the most notorious failures born of Internet-enabled devices since the sector started taking off:
The pile of credit card data stolen from Target has been one of the worst security breaches in recent memory. The hackers got in by compromising an account belonging to an HVAC contractor that had been granted trusted access to Target’s network to install a heating and cooling system. Using those credentials, they were able to move on to the point-of-sale devices and install card-skimming software on them, as Krebs on Security first reported.
Earlier this year, a hub that connects IoT devices went south en masse due to a simple oversight. Wink hubs were built with security in mind, but the security certificate they relied on had an expiration date, and the company let it expire. When that happened, many of the devices were bricked: not by an attacker, but by the vendor’s own lapse, because the hubs could no longer trust the service they depended on. Dell’s Jackson Shaw offered some lessons following the failure on EE Times.
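The Wink outage is a certificate-lifecycle failure rather than an intrusion, and the two things a practitioner wants from it are a renewal metric that fires well before the date and an understanding of why a device that pins one certificate goes dark the moment that date passes. The following Go program is an added example, not code from Wink, Dell or this article: it builds a throwaway self-signed certificate (a real hub would carry a vendor-issued one), reports days to expiry, and shows pinned verification succeeding today and failing once the clock passes NotAfter. The hostname hub.example.invalid and the 30-day warning window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert builds a throwaway self-signed certificate that expires at
// notAfter. Constructed for the example only; the hostname is an assumption.
func newSelfSignedCert(notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "hub.example.invalid"},
		NotBefore:             notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"hub.example.invalid"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DaysUntilExpiry is the number to put on a dashboard: it goes negative once
// the certificate has lapsed.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// NeedsRenewal reports whether the certificate is inside the warning window.
func NeedsRenewal(cert *x509.Certificate, now time.Time, warnDays int) bool {
	return DaysUntilExpiry(cert, now) <= warnDays
}

// PinnedVerifyOK mimics a device that trusts exactly one pinned certificate.
// Once now passes NotAfter, verification fails, and firmware with no way to
// rotate that trust can no longer reach its service: the bricking scenario.
func PinnedVerifyOK(cert *x509.Certificate, now time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     "hub.example.invalid",
		CurrentTime: now,
	})
	return err == nil
}

func main() {
	now := time.Now()
	cert, err := newSelfSignedCert(now.Add(10 * 24 * time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("days left:", DaysUntilExpiry(cert, now))
	fmt.Println("needs renewal (30-day window):", NeedsRenewal(cert, now, 30))
	fmt.Println("pinned verify today:", PinnedVerifyOK(cert, now))
	fmt.Println("pinned verify in 11 days:", PinnedVerifyOK(cert, now.Add(11*24*time.Hour)))
}
```

The design point is the last line of output: nothing about the device changed, only the date, and the pinned trust evaporated. A monitor on DaysUntilExpiry is the cheap fix; designing the firmware so trust can be rotated is the real one.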
In 2013, a Forbes reporter found several homes that could be controlled remotely through a now discontinued connected-home system from Insteon. Many of those homes’ control pages turned up in ordinary web searches, so the reporter didn’t even have to target anyone specifically. She just went looking for homes on the system and tried taking them over.
When she could glean enough information to identify the owners, she called them up and switched their lights on and off while chatting with them on the phone.
This fail occurred with TrendNet’s nanny cams, which in 2013 proved easy to watch through remotely. All an attacker (or creep) needed was the camera’s IP address. In fact, it sounds like security practices at the company were a bit of a disaster from end to end, according to a post-mortem in TechNewsWorld.
Cameras built into Samsung (SSNLF)’s smart televisions were easy to commandeer in 2013. The vulnerability has been patched, according to CNN Money. At least, the one the company knew about. There’s a reason some people put tape over the cameras on their cell phones and computers: it’s the only way to really know they aren’t on.
The Nest thermostat was shown to be easy to hack by anyone with physical access: put the device into developer mode, as demonstrated at the 2014 Black Hat security conference, and it takes just a thumb drive and about 15 seconds with the device to compromise it. VentureBeat has more details, including a comment from Google (GOOGL) that Nest has not discovered many compromised devices.
One attack vector, as one security consultant suggested: buy a bunch of Nests, put your code on them, repackage them and sell them (perhaps at a discount), either one by one or through a reseller. Then an attacker wouldn’t even need access to the home; the victim carries the compromised device in themselves.
Google did not return a request for comment on whether the company has further addressed this vulnerability.
Team Cymru identified thousands of small-office and home routers in Europe and Asia that fell victim to a man-in-the-middle attack: the routers were remotely reconfigured to use attacker-controlled DNS servers, which steered users to fake search results that would either promote certain products or show ads designed to trick users into revealing personal information.
Once again, loads of the attacks were made possible by people using default or easy-to-guess passwords.
Team Cymru didn’t specify the kinds of devices that were vulnerable, saying only that the nefarious DNS addresses had been found loaded on many makes and models of routers. Again, largely because users never set their own credentials on their routers.
Proofpoint allegedly discovered a load of devices that were sending out thousands of spam emails (including at least one connected fridge), starting in late 2013. It wasn’t just refrigerators; it was all kinds of devices. In a very clever attack, the attackers’ software went out looking for connected devices still using default passwords. Once it had found thousands, it enrolled them in a botnet that spewed spam in such a way that no single device sent out messages more than a few times. The spam came from thousands of IP addresses all over the world, which made it much harder to block by source.
If, that is, the events described actually happened. Unfortunately, Proofpoint doesn’t show its work in the post, so there’s no way to follow up on it or corroborate it. The company did not immediately return a request for comment on this story. We found a very similar report from HP, by the way. In 2014, it said connected devices, in general, aren’t secure, but didn’t list any of the devices it checked. In both cases, the findings are impossible to corroborate and fail to warn consumers about the shortcomings of their purchases.
Name the hardware in reports on the vulnerabilities of hardware. We’re all grown-ups here.
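The reason the spam described in the Proofpoint report is hard to block is its shape: the usual control, a per-address rate limit, never fires when each hijacked device sends only a couple of messages, while the same content arriving from thousands of addresses is the tell. The following Go program is an added example, not Proofpoint’s or HP’s tooling: it runs both checks over a constructed relay log whose line format (`<time> ip=<source> fp=<content fingerprint>`) is an assumption standing in for a real MTA log with a hash of each message body attached.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SampleLog builds a constructed relay log for the example (not real traffic).
// fp stands in for a hash of the message body.
func SampleLog() string {
	var b strings.Builder
	// A "thingbot": eight hijacked devices on eight networks, two copies each.
	for dev := 1; dev <= 8; dev++ {
		for dup := 0; dup < 2; dup++ {
			fmt.Fprintf(&b, "2013-12-28T10:%02d:00Z ip=198.51.100.%d fp=c0ffee\n", dev*2+dup, dev)
		}
	}
	// A classic single-source spammer: one address, forty copies.
	for i := 0; i < 40; i++ {
		fmt.Fprintf(&b, "2013-12-28T11:%02d:00Z ip=203.0.113.9 fp=dead01\n", i)
	}
	// Ordinary traffic: one sender, one message.
	b.WriteString("2013-12-28T12:00:00Z ip=192.0.2.5 fp=beef02\n")
	return b.String()
}

// Campaign tallies, per content fingerprint, messages sent by each source.
type Campaign struct {
	Fingerprint string
	PerSource   map[string]int
}

// ParseLog groups log lines by fingerprint and counts messages per source.
func ParseLog(log string) map[string]*Campaign {
	campaigns := map[string]*Campaign{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var ip, fp string
		for _, field := range strings.Fields(line) {
			switch {
			case strings.HasPrefix(field, "ip="):
				ip = strings.TrimPrefix(field, "ip=")
			case strings.HasPrefix(field, "fp="):
				fp = strings.TrimPrefix(field, "fp=")
			}
		}
		if ip == "" || fp == "" {
			continue // malformed line: skip rather than miscount
		}
		c, ok := campaigns[fp]
		if !ok {
			c = &Campaign{Fingerprint: fp, PerSource: map[string]int{}}
			campaigns[fp] = c
		}
		c.PerSource[ip]++
	}
	return campaigns
}

// PerSourceOffenders is the traditional control: flag any address sending more
// than maxPerSource messages. It catches the classic spammer and misses the
// thingbot entirely, because every device stays under the cap.
func PerSourceOffenders(campaigns map[string]*Campaign, maxPerSource int) []string {
	totals := map[string]int{}
	for _, c := range campaigns {
		for ip, n := range c.PerSource {
			totals[ip] += n
		}
	}
	var out []string
	for ip, n := range totals {
		if n > maxPerSource {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

// DistributedCampaigns looks for the opposite shape: identical content from at
// least minSources distinct addresses, none of which exceeds perSourceCap.
func DistributedCampaigns(campaigns map[string]*Campaign, minSources, perSourceCap int) []string {
	var out []string
	for fp, c := range campaigns {
		if len(c.PerSource) < minSources {
			continue
		}
		lowAndSlow := true
		for _, n := range c.PerSource {
			if n > perSourceCap {
				lowAndSlow = false
				break
			}
		}
		if lowAndSlow {
			out = append(out, fp)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	campaigns := ParseLog(SampleLog())
	fmt.Println("per-source offenders (>20):", PerSourceOffenders(campaigns, 20))
	fmt.Println("distributed campaigns (>=5 sources, <=3 each):", DistributedCampaigns(campaigns, 5, 3))
}
```

The thresholds are tuning knobs: a legitimate newsletter also reaches many recipients from few sources, not many sources with few copies each, so keying on distinct senders per fingerprint rather than recipients is what separates the two.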
It may be time for connected device makers to agree to stop shipping devices with one default password shared across a product or product line. At a bare minimum, each device should come loaded with its own unique password that the user can change after purchase.
Seriously, though: when you buy a new router, give it its own administrative password, for goodness sake.
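The per-device password the recommendation above asks for has a trap in it: a password derived from an identifier printed on the box, such as the MAC address, is unique per unit yet computable for every unit by anyone who pulls the derivation secret out of one firmware image. The following Go program is an added example, not any vendor’s provisioning code: it puts the shared default, the derived default and a truly random per-unit password side by side, with the batch uniqueness check a factory line would run before shipping. The "vendor-salt" string, the 12-character length and the label alphabet are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"math/big"
)

// SharedDefault is the pattern to retire: one string baked into every unit of
// a product line, so one leaked manual unlocks them all.
const SharedDefault = "admin"

// DerivedDefault is the tempting halfway house: a per-unit password derived
// from the MAC printed on the label plus a secret shipped inside the firmware
// ("vendor-salt" is a hypothetical stand-in). Units differ, but whoever
// extracts the secret from one firmware image can compute any unit's password
// from its public MAC.
func DerivedDefault(mac string) string {
	sum := sha256.Sum256([]byte("vendor-salt:" + mac))
	return hex.EncodeToString(sum[:])[:10]
}

// Alphabet omits characters that are easy to misread on a printed label
// (0/O, 1/l/I), an assumption about what the factory prints.
const Alphabet = "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz"

// NewDevicePassword draws a random per-unit password at the factory. Nothing
// public about the device reveals it; it is printed on the label and kept
// only in the provisioning database for support lookups.
func NewDevicePassword(length int) (string, error) {
	out := make([]byte, length)
	alphaLen := big.NewInt(int64(len(Alphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, alphaLen) // uniform, no modulo bias
		if err != nil {
			return "", err
		}
		out[i] = Alphabet[n.Int64()]
	}
	return string(out), nil
}

// EntropyBits is the guessing resistance of a random password of this length.
func EntropyBits(length int) float64 {
	return float64(length) * math.Log2(float64(len(Alphabet)))
}

// ProvisionBatch generates passwords for one production run.
func ProvisionBatch(units, length int) ([]string, error) {
	batch := make([]string, units)
	for i := range batch {
		pw, err := NewDevicePassword(length)
		if err != nil {
			return nil, err
		}
		batch[i] = pw
	}
	return batch, nil
}

// AllUnique is the acceptance check to run on a batch before it ships; a
// shared default fails it immediately.
func AllUnique(batch []string) bool {
	seen := make(map[string]struct{}, len(batch))
	for _, pw := range batch {
		if _, dup := seen[pw]; dup {
			return false
		}
		seen[pw] = struct{}{}
	}
	return true
}

func main() {
	shared := []string{SharedDefault, SharedDefault, SharedDefault}
	fmt.Println("shared default passes uniqueness check?", AllUnique(shared))
	fmt.Println("derived default for 00:11:22:33:44:55:", DerivedDefault("00:11:22:33:44:55"))
	batch, err := ProvisionBatch(1000, 12)
	if err != nil {
		panic(err)
	}
	fmt.Println("random batch passes uniqueness check?", AllUnique(batch))
	fmt.Printf("entropy per random password: %.0f bits\n", EntropyBits(12))
}
```

Note that the uniqueness check alone would pass the derived scheme too; it is the derivation from a public identifier, not the lack of uniqueness, that makes DerivedDefault a weak default, which is why the check must be paired with a policy that the secret comes from the factory’s random source rather than from anything printed on the device.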