Turning the Belkin WeMo Into a Deathtrap
Okian Warrior writes "As a followup to yesterday's article detailing 50 Million Potentially Vulnerable To UPnP Flaws, this video shows getting root access on a Belkin WeMo remote controlled wifi outlet. As the discussion notes, remotely turning someone's lamp on or off is not a big deal, but controlling a [dry] coffeepot or space heater might be dangerous. The attached discussion also points out that rapidly cycling something with a large inrush current (such as a motor) could damage the unit and possibly cause a fire." In the style of Bruce Schneier's movie-plot threat scenarios, what's the most nefarious use you can anticipate such remote outlet control being used for?
Where you bang the read head against the case until it falls off...
Please, please, learn some common sense.
Never have a heater like that unattended, it's just not safe.
One of the worst tech support nightmares I experienced was remotely diagnosing why the Point of Sale servers kept shutting off at the same time every week. It turned out that the outlet the battery backup was plugged into was connected to a light switch that the weekly cleaning people turned off - weekly. When support came into the room, what was the first thing they did? Turn on the lights!
Imagine power cycling all the outlets in a server room - over and over and over!
Yes, there's probably someone out there who won't realize their appliances are online, and then these devices start doing things on their own all of a sudden. It will be ghosts, goblins, shenanigans, and lulz for all.
Charlie Luther's just getting started...
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Flashing lights, hoping to chance upon an epileptic? :3
How about turning off the lights of a house before the burglar or attacker invades? It could cause a lot more confusion and danger for the home owners.
This space for rent, inquire within.
Say no more. Say no more...
Please do not read this sig. Thank you.
Forcing someone's DVR to record and play Jersey Shore.
You could cause a poor person's electricity bill to increase so much that they cannot afford medical care, or the utility company cuts off their heat and they freeze to death.
"Hello, 911? I am trapped in my house at 123 Main St. by a gang of armed robbers. I'll blink a lamp to let you know a good time to break down the front door. I'm hiding under a bed, so shoot anyone else."
Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
In the style of Bruce Schneier's movie-plot threat scenarios, what's the most nefarious use you can anticipate such remote outlet control being used for?
Turn off the fridge after the victim goes to work for the day, and turn it back on about an hour before they get home.
Repeat until they die... of Botulism! <Cue evil laugh>
Space heaters have temp and tip-over switches that can turn them off.
I just visited the WeMo web pages and couldn't find any technical information about what the wattage or amperage limits on it are.
I have a hard time believing that it can handle a 1500 watt heater.
A suicidal performance artist using it to have himself anonymously murdered.
Turn off a co-worker's alarm before a big event. Nasty.
mu
...is that homes often house stupid people.
I haven't thought of anything clever to put here, but then again most of you haven't either.
Asimo killing his human master by dropping a toaster into his bathwater.
Rapidly cycling a lamp on and off (incandescents and fluorescents have lag, but an LED lamp doesn't), and rapid flickering can cause those with photosensitive epilepsy to have a seizure (they give warnings on some films and video games). Remotely controlling an air conditioner or furnace can cause damage to a house (furnace in summer, air conditioner in winter). The furnace running in a hot house could cause heat damage and possibly a fire in summer. In winter, an air conditioner (or even just the lack of a furnace) can result in water pipes freezing and bursting (ice occupies more space than liquid water, and the pressure is easily enough to rupture a steel pipe, not to mention asphalt roads, rock faces, etc). Frozen/burst pipes followed by a thaw would cause flooding damage (ice will also rupture pumps and valves). Remotely controlling a garage door is a theft problem/stray animal problem. Remotely starting and running a car can lead to carbon monoxide poisoning. Usually remote car starters can't control engine speed (so no chance of over-revving and destroying the engine), but you could run a vehicle out of fuel (and since most vehicles have fuel pumps in the gas tank and these pumps are partially lubricated by the fuel, running a tank dry means running a pump dry, and so you have to replace the tank and pump if you run the vehicle out of fuel). Industrial equipment is an entirely different cat.
or they can just clap to turn them back off
An early episode of "Perry Mason" (ca 1959) turned on the use of an R/C device to manipulate an antiquated gas space heater, establishing an alibi for the killing.
When the inventor of the gadget became a plausible suspect, Mason had the gas line inspected for undocumented repairs. In the end, that made it obvious the real killer had to be the first one to discover the body --- giving himself enough time to remove the device and cover his tracks.
Belkin's actually advertising it for the very purpose they're worried about:
http://belkinwemo.tumblr.com/post/32629402162/did-i-turn-it-off-i-must-have-turned-it-off-did
Plug in dangerous things so you can be sure they're turned off by checking your phone.
This strikes me as the sort of thing someone would post and flood to every content aggregator if they wanted to gain themselves a lot of exposure for finding a flaw in an embedded wireless device.
The fact that it has a cute little relay on it doesn't really make the "attack" much more remarkable. $10 says that the web UI for the thing is vulnerable to XSS, completely negating the need to root the device itself. Hacking embedded web servers isn't a real feat by any measure.
Toggling a relay on and off will just result in the contacts wearing out, I could see it causing a problem if you get it to repeatedly arc, but these things won't be rated for enough current for that to be a problem - the fuse in the should blow if the device somehow draws a dangerous amount of current.
Cycling an air conditioner quickly can do bad things quickly if the air conditioner itself doesn't have modern controls to limit power cycling. That can get very expensive, though I don't necessarily think it is dangerous.
Most nefarious use? Turning off the coffee pot in the morning.
The television will not be revolutionized.
I think things like this are the tip of an emerging ice berg relating to the ip-ification of everything:
etc; etc;
To me, all Home Automation does is increase complexity and security risks for some specious conveniences.
Maybe it's just me, but I would rather have to remember that I'm out of Mayo, than have an ip'd fridge send a message to my Android that I need to pick it up at the store.
We play the game with the bravery of being out of range
Please limit your suggestions to appliances that one would expect to be plugged into a web socket. Lights yes. Space heaters maybe. Coffee pots? Well, why not just buy a coffee pot with a timer? Refrigerator? No, except for a special case someone mentioned from his Peace Corps days. Something that could burn down the house? Not likely. The only 2 scenarios I can think of do not reach the movie plot threat level.
1) Strobe the lights in a house of the person with epilepsy. Could cause an epilepsy fit but I think the victim could leave the house once the fit was over (even if he had to crawl out with his eyes shut).
2) Turn on all the web outlets at the same time and hope it's enough to pop a circuit breaker. 16 of the old 100 watt light bulbs or 2 space heaters should pop a 15 amp fuse. Do it during the Super Bowl to a circuit with the TV and you may have an upset Niner or Raven fan.
turning their computer off before they save a document, then turning it back on, so they blame Windoze.
There was an unknown error in the submission.
This is a bit far-fetched, but power-cycling a space heater at some certain rate might end up overheating the wiring in the walls. When the coils in the space heater are cold they have a much lower resistance than when they are hot, so the current through them is much higher at turn-on. It's not clear to me which would happen first: the fuse heats up and blows, the house wiring heats up to the point where it causes a fire, the contacts in the wall-socket overheat, or the space heater becomes warm enough that the current is limited to a safe value.
...in the movies, these aren't redundant and would likely be controlled by such a device (by an overzealous electronics geek of some sort).
1. Root these devices, and synchronize their clocks
2. Turn them all off
3. Monitor the power network for a temporary increase in voltage (since load was suddenly shed)
4. Just as the voltage gets back to normal, turn all the devices on.
5. Watch the power network for a temporary decrease in voltage (since load was suddenly added)
6. Just as the voltage gets back to normal, turn all the devices off.
7. Once you have found the resonant frequency of corrections to the electrical grid, tell all the devices to cycle at that frequency.
8. If there is enough load handled by these devices, the system may oscillate so heavily that voltage is far outside of normal, causing overheating or fires (either too high voltage for resistive loads or too low voltage for inductive loads), excessive vibration, design parameter excursions, etc.
Relays have voltage and current limits as well.
Indeed, in line voltage applications, you also need to consider the type of load. A purely resistive load, like a space heater, is the easiest on the relays since all they'll see is whatever voltage and current the heater runs on. Other items, like compact fluorescent bulbs, contain capacitors which will charge instantly when power is applied, which creates a brief spike in current flow at a time when the relay contacts are most susceptible to damage (when they're not fully engaged). Even worse are inductive loads as they are capable of creating much higher voltages when power is disconnected.
To make things worse, relays are often marked for loads they can't handle. For example, when building a bank of switched outlets, I first used some cheap relays marked "6A 300VAC" which one might expect to be just fine for switching less than half an amp of compact fluorescent bulbs. However, it took only ten minutes for relays to begin failing. One might say it was because of the inrush of current when the bulbs are first connected to power, but I suspect the problem was simply that the relays weren't actually good for such a load even if it were purely resistive. You have to consider the effects that high voltages will have on the relay contacts when they open and close. Anyway, I replaced the relays with some of these, though I believe they were closer to $5 a piece when I bought them, and I never had a problem after that.
Anyway, I wouldn't assume a switched outlet is good for any sort of load that it isn't specified to handle, and even for those it is, I'd still be suspicious.
How about turning on the lights in the USPTO so they can see what they are doing.
How about turning on the lights in the USPTO so they can see what they are doing.
I kind of fail to see how that would change anything.
How about turning on the lights in the USPTO so they can see what they are doing.
I kind of fail to see how that would change anything.
And maybe I should read the post properly before replying. True indeed.
I've been using home automation since the 80's (damn, that's a long time ago) in the dark ages of X10.
As with many systems, there are some important questions to keep in mind:
Does this system or particular controlled device have benign failure modes? The answer better be "Yes!"
How do I secure access to the system? (Hint: don't connect it directly to the Internet!)
Does this system have a master OFF switch and easily useable manual controls? (Think COLOSSUS Forbin Project - again, the answer better be "Yes!")
Is automating this going to piss off someone I don't want to piss off? (E.g. I like motion-controlled lighting in some rooms; my wife hates motion controlled lighting.)
How can this whole thing go sideways at 3AM and give me a cheap thrill?
Dr. Evil can use the WeMo to remotely detonate an explosive charge on 2012 DA14 so it DOES hit the Earth..
There I was, deep in dreamland one night when, from my server room I heard a faint beeping noise at regular intervals... Groggy, I wake up, totter over to the 'server room' door (spare bedroom) and have a gander. In a groggy state it took me a moment in the dark to perceive what was going on: the APC UPS was power cycling the server and other ancillary items at a regular interval. Turns out, when the battery goes south, the UPS just crowbars the AC and reboots (repeat...). Now, HD's were connected to the server and each one was cycling up for a few seconds, then spun down only momentarily etc. Terrible on spinning media. Luckily all was well in the end but it's important to understand the failure modes on UPSes for your application esp if spinning media is connected.
H.
The problem with that story is most mainframes are hardwired into the mains.
I'm assuming one room with at least 2 WeMos for simplicity's sake... As preparation, I'd have to place wireless cameras at the windows and make sure I can see every angle from my Base Of Evil Operations.
I'd let the lights behave normally for about the first 10 minutes they're turned on with somebody in the room, then make one "flicker" (like an electrical issue might cause) and shut off. Wait for the person to approach the light, turn that WeMo back on, wait for them to head back to wherever they were at, flicker off again when they pass a certain point.
After a couple of times doing that, I'd then start affecting that light plus a second one when they pass close enough to it, and so on with all of the lights in the room. When they get frustrated/upset, turn all the lights back on right after they leave the room, keep them on when they return and sit down... ...well, that is, keep them on just long enough for them to relax, then repeat with some variation, always making sure it always appears to happen in response to something they do or somewhere they go, so it doesn't look random enough to tip them off.
Another version of this for somebody that has a partner currently doing something in another room would be to either just flicker the lamp for short bursts (maybe "WeMo Rocks" in Morse code) *or* do the earlier lamp flicker-die/on/off trick. When the person leaves to tell their partner, wait for the two of them to come, then have it act completely normal, like the original victim was imagining things or something. Wait for the partner to leave, then perhaps make one light at a time flicker and die, or do it to all of them except one -- whatever gets the best reaction.
Damn, if I had enough free time I'd go look through the BOFH website for ideas...
Now mostly at Usenet:comp.misc & SoylentNews.org (it's made of people!)
Remotely turn off the fence so the raptors can get out.
Why, without your clothes, you're naked, Miss Dudley!
Let's rush and get more equipment wired in....
Do it as fast as you can!
Pace-makers, traffic lights, hospital life-support.
I want to control my pacemaker through twitter.... honestly.
Can we get the locks to my doors hooked up too? I want to use an HTTP POST to unlock my door. Then provide a front web page where the whole neighborhood can see the lock-status of my doo- wait.
Maybe after my smart meter gets hooked up I can watch a pretty online graph of my usage, after ignoring the paper print outs for years! Who cares if the local hackers can control it too.... I *really* hated that 2 seconds to read my power consumption on the paper bill. It's worth it!
Maybe we can use wifi signals to remotely flush toilets.... you know how those ones at work splash water everywhere when flushing? Yeah I want those to be flushed against my will while I'm sitting down taking a dump. Sort of like a poor mans Bidet with water all over my cheeks.
If we can one-up that and move beyond the timer controlled bathroom lights that shut off if I take more than 20 minutes to crap leaving me in the dark.... I'd rather have someone just remotely shut them off permanently so I can't even get up and wave my arms around to get the lights back on.... Now I'm really screwed...
You can already shut off my hot water heater during "times of stress on the grid"...... force me to take cold showers damnit! I *love* all this new integration which so far has really helped me significantly in life.....
(HUGE sarcasm tag if you really need it by now... I'm as bitter as they come.... and a software developer at that. (I use a basic cheapo prepaid flip phone, ignore all that hoo ha about iPhone this or iPad that... I live in the Linux world and prefer to stay there)
How about not hooking potential fire hazards up to a network connection in the first place. Common sense is so outdated anymore.
I was thinking of making a system that would allow an aged family member to call for help to the other family members by simply shouting, for example if he had a bad fall and couldn't get up. The system would also tell him the time also vocally, could initiate a skype call, etc.
I have actually seen a product by a European startup that is designed to do something similar (I believe you knock on a wall..)
Such home systems to care for the aged would be hosed.
Yes, I did mean the lower oesophageal one. Do you know of any other WiFi Controlled Sphincter Implant/Transplant Wards? ;)
a large inrush current (such as a motor)
LED lighting and the drivers that run them have a significantly larger inrush current than incandescent lighting ( http://ledsmagazine.com/features/9/3/7/EcosystemFig3 ). I'd be more concerned about that than a motor.
This "feature" of LED lighting was not something that was initially taken into account.
Turn 1000 fridges on and off at the same time. The inductive load would be devastating.
X10 is the most popular home automation technology on the market and it's even less secure. If you use the wireless remote, anyone with another X10 remote can go through all the house and device codes until they find the ones that control the lights in your house. Even if you use the wired protocol only, a thief could easily plug in a controller to an exterior electrical outlet and control the devices through that.
Despite all this, I have had zero problems over the past 10 years with someone else controlling my devices.
Love that movie
The guy who said the election was rigged won the presidency with the second-most votes.
Wait until normal peak usage, turn everything off for a bit and keep it off, then turn everything on at the same time. Collapse the grid.
Ah, takes me back to High School.
I went to a special (no jokes, please!) city-wide high school (Cass Tech, in Detroit) in the 70's, way before the trend toward this sort of thing. (Cass Tech was actually established in the 1920's, in cooperation with the auto industry.) I had 8 semesters of Electronics in high school.
One of my classes was taught by Walter Downs, also known for some reason by his students as "Wally Gator". (A popular TV cartoon character at the time.) Wally ... er, Walter... was from Baltimore, and he had an odd accent that we would make fun of. He also had a laugh or grunt that we interpreted as "Woo hoo hoo!"
His class was conducted in an electronics lab. We didn't have desks, but sat at test benches, several stations to each long bench. There are sets of test equipment, and, of course, an electrical strip running down the middle of the bench.
The electrical strips were normally turned off at the circuit breaker. The instructor would go into a closet and turn on the circuit breaker at the start of a lab session, and then turn it off again at the end.
So, a common trick was to insert a wire into an electrical outlet, bridging the AC line, while the circuit breaker was off. He would go to turn on the breaker, and, of course it would pop. If we were lucky there would be some mild pyrotechnics accompanying this. This is how we learned the relationship between wire size and current-carrying capacity.
We did this because it would always elicit exactly the same response:
"WOO HOO HOO! You fellas be stickin conductors in the outlets! WOO HOO HOO!"
(He seemed pretty good-natured about it. Much more so than when he said "WOO HOO HOO! You fellas be keepin' noise!")
So, today, you can do this with WiFi, huh?
Well I can't think of the MOST nefarious, but I can imagine a system that...
Remotely monitors a covert, "lights out" drug manufacturing facility. Attach a security system with booby traps (for example, explosives) aimed at deterring pesky intruders into accessing the facility and reverse-engineering the process.
The sourcing and logistics for such an operation are beyond my capabilities of thought
I rest my case.