Oh, goody! A whole ‘nother way the Internet of Things is getting security wrong.
Last month, security researcher Charles Henderson wrote about his experience trading in his car.
Briefly, both he and the dealer wiped all of his personal information out of the car–phone book, garage door opener, list of authorized devices. And yet, months later, the car still showed up in the app on his phone.
It’s not that the dealer and the manufacturer were unaware of security. Henderson makes it clear that they took the correct steps. But the focus of the team that designed and built the app and integrated it with the car’s systems was obviously on the “first owner” scenario, and not enough attention was paid to the possibility that someone might want to sell their car.
And it’s not just auto makers who have that problem. Henderson mentions another researcher who purchased a used home automation hub and found that doing a factory reset only wiped the configuration on the device itself; it didn’t touch the cloud-based configuration which included, among other things, the list of devices authorized to control the hub.
Right: even after wiping the device, the original owner would still have had access to every light bulb, every thermostat, and every door lock connected to the hub.
Still feeling cheerful about your Amazon Echo or Google Home giving you voice control over your house? After all, you’re not planning to sell that device, are you? No? Well, what if something goes wrong and you have to send it in for service? Are you certain you’re going to get the same device back? How confident are you that your original device won’t wind up being refurbished and resold?
Let’s face it: this isn’t a new problem, and we should have seen it coming. How many stories have you seen in the newspaper about someone buying a used computer and finding porn on the hard drive? Henderson notes that early smartphones lacked a way to wipe them for resale, and it was only after many well-publicized tales of people buying used phones for nefarious purposes that a wipe command was added.
Nor is there a good solution. Even if every new IoT device was designed with security as the first consideration, there are still millions of gadgets out there that have no security and no way to upgrade them to add it. In many cases, the company that made them isn’t even in business any more.