Insecure Things

OK, enough cheerful peanut-based posts. Back to the usual cynical doom and gloom.

Multiple sources are reporting depressing news about baby monitors. A company called Rapid7, Inc. tested nine devices from eight different companies. They found that every single one had serious security flaws that would allow an attacker to view the video stream from the camera, change its configuration, or launch attacks on other devices on the owner’s Wi-Fi network.

If you’ve been paying any attention to security matters in the last few years, you probably aren’t surprised about Rapid7’s findings. Just as there’s no such thing as a bug-free program, there’s no such thing as a secure Internet-connected device.

What is surprising to me is just how bad the manufacturers’ responses were when they were informed of the vulnerabilities. Philips–or rather, Gibson Innovations, who hold the license to sell baby monitors under the Philips brand name–is working on a fix, although no timeline has been set for its release. None of the other seven manufacturers is planning to fix the flaws in their products. According to the article on Ars Technica, Rapid7 couldn’t locate one manufacturer, several didn’t even acknowledge receipt of Rapid7’s notification, and some stated flat-out that they saw no reason to look at the report.

If it were just baby monitors, it might not be a big deal, but let’s not forget that consumer electronics manufacturers are pushing more and more Internet-connected devices into the market. It’s not just TVs and video players (many of which have had their own security failings) anymore. Refrigerators that monitor their contents and nag you to go shopping–or simply place orders for grocery delivery themselves. Clothes washers and driers, dishwashers, ovens, furnaces, lights, smoke and carbon monoxide detectors, and door locks all have network connections.

Keep in mind that the baby monitors weren’t cheap models from fly-by-night companies. They included well-known brand names and some of the most popular models. Yet only one manufacturer is apparently willing to stand behind their product and resolve the problem. If that attitude carries over into other appliances, well, you might give some thought to buying up a stock of locks and light bulbs now while you can still get ones that don’t require a network connection.

“But wait,” I hear you say. “What if I just don’t set up the network connection? Won’t I be safe then?”

Probably not.

First, many “Internet of Things” devices are designed to set themselves up–scan for a network and join it automatically, or in some cases, they establish their own network parallel to your regular Wi-Fi.

Second, some devices won’t work until they’ve been set up. I recall a review of a Bluetooth-controlled door lock, which unfortunately I can’t find at the moment, which will not lock until you pair it with a smartphone and run an app to set the combination for the manual push-button mechanism. (At that, it’s arguably safer than a lock that comes with a default combination printed in its manual.)

Third, if the device doesn’t self-configure and you don’t set it up, it will remain in its default configuration. Most likely, it will have a default password–or not password at all–allowing anybody who scans for Wi-Fi signals to find it and configure it for their own purposes. Do you really want your next-door neighbor to control your thermostat? How about your dishwasher? Better go apologize for that loud party last month before you install your new app-controlled garbage disposal.

2 thoughts on “Insecure Things

  1. Baby monitors? I thought this was going to be about the Mariners being out of contention this year. My heartfelt sympathies, by the way. As a Giants fan, I am nearly there, with only enough hope left to make me a little crazy. I’d almost rather they were eliminated- No, I don’t mean that.

    Like

    • No, you really, really don’t.

      I’m saving that post until they’re mathematically eliminated, ’cause I’d hate to get all dark and emo right before they pull off a major miracle and sneak into the playoffs. And it would be major. Their elimination number is 22, with 28 games to go.

      As for the Giants, it’s still too soon to give up hope. 6 1/2 games back (both in the division and the wild card) is still doable given what their schedule looks like for the next couple of weeks.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s