Another Failure Mode

Oh, goody! A whole ‘nother way the Internet of Things is getting security wrong.

Last month, security researcher Charles Henderson wrote about his experience trading in his car.

Briefly, both he and the dealer wiped all of his personal information out of the car–phone book, garage door opener, list of authorized devices. And yet, months later, the car still showed up in the app on his phone.

It’s not that the dealer and the manufacturer were unaware of security. Henderson makes it clear that they took the correct steps. But the focus of the team that designed and built the app and integrated it with the car’s systems was obviously on the “first owner” scenario, and not enough attention was paid to the possibility that someone might want to sell their car.

And it’s not just auto makers who have that problem. Henderson mentions another researcher who purchased a used home automation hub and found that doing a factory reset only wiped the configuration on the device itself; it didn’t touch the cloud-based configuration which included, among other things, the list of devices authorized to control the hub.

Right: even after wiping the device, the original owner would still have had access to every light bulb, every thermostat, and every door lock connected to the hub.

Still feeling cheerful about your Amazon Echo or Google Home giving you voice control over your house? After all, you’re not planning to sell that device, are you? No? Well, what if something goes wrong and you have to send it in for service? Are you certain you’re going to get the same device back? How confident are you that your original device won’t wind up being refurbished and resold?

Let’s face it: this isn’t a new problem, and we should have seen it coming. How many stories have you seen in the newspaper about someone buying a used computer and finding porn on the hard drive? Henderson notes that early smartphones lacked a way to wipe them for resale, and it was only after many well-publicized tales of people buying used phones for nefarious purposes that a wipe command was added.

Nor is there a good solution. Even if every new IoT device was designed with security as the first consideration, there are still millions of gadgets out there that have no security and no way to upgrade them to add it. In many cases, the company that made them isn’t even in business any more.

Insecure Things

OK, enough cheerful peanut-based posts. Back to the usual cynical doom and gloom.

Multiple sources are reporting depressing news about baby monitors. A company called Rapid7, Inc. tested nine devices from eight different companies. They found that every single one had serious security flaws that would allow an attacker to view the video stream from the camera, change its configuration, or launch attacks on other devices on the owner’s Wi-Fi network.

If you’ve been paying any attention to security matters in the last few years, you probably aren’t surprised about Rapid7’s findings. Just as there’s no such thing as a bug-free program, there’s no such thing as a secure Internet-connected device.

What is surprising to me is just how bad the manufacturers’ responses were when they were informed of the vulnerabilities. Philips–or rather, Gibson Innovations, who hold the license to sell baby monitors under the Philips brand name–is working on a fix, although no timeline has been set for its release. None of the other seven manufacturers is planning to fix the flaws in their products. According to the article on Ars Technica, Rapid7 couldn’t locate one manufacturer, several didn’t even acknowledge receipt of Rapid7’s notification, and some stated flat-out that they saw no reason to look at the report.

If it were just baby monitors, it might not be a big deal, but let’s not forget that consumer electronics manufacturers are pushing more and more Internet-connected devices into the market. It’s not just TVs and video players (many of which have had their own security failings) anymore. Refrigerators that monitor their contents and nag you to go shopping–or simply place orders for grocery delivery themselves. Clothes washers and driers, dishwashers, ovens, furnaces, lights, smoke and carbon monoxide detectors, and door locks all have network connections.

Keep in mind that the baby monitors weren’t cheap models from fly-by-night companies. They included well-known brand names and some of the most popular models. Yet only one manufacturer is apparently willing to stand behind their product and resolve the problem. If that attitude carries over into other appliances, well, you might give some thought to buying up a stock of locks and light bulbs now while you can still get ones that don’t require a network connection.

“But wait,” I hear you say. “What if I just don’t set up the network connection? Won’t I be safe then?”

Probably not.

First, many “Internet of Things” devices are designed to set themselves up–scan for a network and join it automatically, or in some cases, they establish their own network parallel to your regular Wi-Fi.

Second, some devices won’t work until they’ve been set up. I recall a review of a Bluetooth-controlled door lock, which unfortunately I can’t find at the moment, which will not lock until you pair it with a smartphone and run an app to set the combination for the manual push-button mechanism. (At that, it’s arguably safer than a lock that comes with a default combination printed in its manual.)

Third, if the device doesn’t self-configure and you don’t set it up, it will remain in its default configuration. Most likely, it will have a default password–or not password at all–allowing anybody who scans for Wi-Fi signals to find it and configure it for their own purposes. Do you really want your next-door neighbor to control your thermostat? How about your dishwasher? Better go apologize for that loud party last month before you install your new app-controlled garbage disposal.