Slashdot Mirror


'Smart' Electrical Socket Leaks Your Email Address, Can Launch DDoS Attacks (softpedia.com)

An anonymous reader writes from a report via Softpedia: There is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things. Bitdefender didn't reveal the device's manufacturer but said the vendor is working on a fix, which will be released in late Q3 2016. Problems with the device include a lack of encryption for device communications and the lack of any basic input sanitization for the password field. "Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the internet and bypass the limitations of the network address translation," says Alexandru Balan, Chief Security Researcher at Bitdefender. "This is a serious vulnerability, we could see botnets made up of these power outlets."
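The flaw class named in the summary, a command injection through an unsanitized password field, shown beside a hardened form. This is an added illustration, not the device's firmware or code from the Bitdefender report; the page does not say how the device handles the field, so the helper commands and the length policy below are assumptions.

```python
import subprocess
import sys

# Constructed sample input: a "password" that carries a shell metacharacter.
SAMPLE_PASSWORD = "hunter2; echo INJECTED"

# Stand-in for the device helper that stores the password (hypothetical):
# a tiny child process that writes its first argument back out unchanged.
ECHO_ARG = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


def store_password_via_shell(password: str) -> str:
    """Flawed pattern: the field is pasted into a string run by /bin/sh."""
    cmd = "printf '%s\\n' " + password  # the input becomes shell syntax
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def validate_password(password: str) -> str:
    """Reject only what can never be a valid value; metacharacters stay legal.

    The 8-64 length limit is an assumed policy for this example.
    """
    if not 8 <= len(password) <= 64:
        raise ValueError("password length must be 8-64 characters")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in password):
        raise ValueError("control characters are not allowed")
    return password


def store_password_via_argv(password: str) -> str:
    """Hardened pattern: no shell; the field is one argv element, never parsed."""
    argv = ECHO_ARG + [validate_password(password)]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    # The shell version runs a second command taken from the field.
    print(repr(store_password_via_shell(SAMPLE_PASSWORD)))
    # The argv version hands the same bytes through as a literal value.
    print(repr(store_password_via_argv(SAMPLE_PASSWORD)))
```

The fix is removing the shell, not blacklisting characters: a password may legitimately contain `;` or `$`, and the argv form stores it unchanged.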

82 comments

  1. coders are not programmers by Anonymous Coward · · Score: 1

    This is exactly what happens when you lay off all the real programmers and replace them with coders. Enjoy your cost savings at the price of lawsuits for security breaches.

    1. Re:coders are not programmers by epyT-R · · Score: 0

      Yes because 'programmers' never make mistakes, right?

    2. Re:coders are not programmers by WillAffleckUW · · Score: 0

      Yes because 'programmers' never make mistakes, right?

      Those aren't mistakes, they're designed to create multi-part pseudoviruses if you hackers mess with our code

      --
      -- Tigger warning: This post may contain tiggers! --
    3. Re:coders are not programmers by fustakrakich · · Score: 1

      Enjoy your cost savings at the price of lawsuits for security breaches.

      All that is already figured in. I still don't know why nobody demands names. Lapdog press.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:coders are not programmers by Opportunist · · Score: 2

      There is at least a chance of a lawsuit there. Now try for some cheap Chinese crap where you could already consider yourself lucky the thing doesn't simply burn your apartment to the ground due to faulty wiring.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:coders are not programmers by AchilleTalon · · Score: 1

      Yes because 'programmers' never make mistakes, right?

      These aren't mistakes, they are encoding the messages rather than encrypting them using a public encoding scheme (anyway, a private encoding scheme wouldn't be better). So, they did actually think about the security, but due to incompetence in the field, they pick an encoding scheme to secure the communication. That's not the first time I have seen such a thing. Some coders believe because they cannot read the message it is encrypted.

      --
      Achille Talon
      Hop!
    6. Re:coders are not programmers by Anonymous Coward · · Score: 0

      Schneier's law in action.

  2. dumbasses by YrWrstNtmr · · Score: 3, Insightful

    I'm getting ready to replace all the switches and outlets in my 1982 era house.
    IoT will not be present. I want an outlet to do 2 things. Connect to the circuit breaker box, and provide electricity to my stuff without blowing up.

    Can't leak what doesn't exist.

    1. Re: dumbasses by Anonymous Coward · · Score: 0

      But your house won't be futuristic without Trek-style explosive electronics.

    2. Re:dumbasses by thinkwaitfast · · Score: 1

      Yeah...I don't get this. I built an internet output plug around 1997 to learn how to do some interfacing. Other than showing off to a few classmates who were like meh, I couldn't think of anything useful to do with it so threw it in a box. A few years ago I found it and interfaced it to a thermometer when I was playing around with arduino, but after the initial enthusiasm and still lack of anything to do with it, I put it back in the box when a wire broke and couldn't be bothered to find the electrical tape.

    3. Re: dumbasses by Rei · · Score: 3, Interesting

      At least they're only gaining control over an on-off switch. If this was something with a dimmer that they could alter the firmware on, that'd be a lot more concerning. Because the firmware could be the only thing preventing the varistor from doing untoward behavior - short circuiting and throwing circuit breakers in a given location (to enable other nefarious actions while the power is out), oscillating loads in many locations at once in tune with the grid to mess up phase balancing, oscillating loads very quickly (if rapidly responsive devices are connected and if the varistor can shift that fast) in many locations to send out radio signals, etc

      The only nefarious thing I can picture doing with a bunch of hacked on-off switches would be trying to overload the grid and cause brownouts. Although I guess if someone had a coffeepot on one of those things and you ran it dry of water you might be able to start a fire...

      --
      "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
    4. Re:dumbasses by Obfuscant · · Score: 1

      I couldn't think of anything useful to do with it so threw it in a box.

      Control fans, or turn lights and radios on and off to simulate the presence of a resident. Unless you walk up and ring my doorbell you don't know if I'm home or not. (Or am I sitting behind the door with a 45 waiting for you?) That's what I use my X10 controls for. I also have a few lights that I always control with X10 just for convenience. One runs my lava lamp, which for some reason needs a slight bit of dimming to reduce the heat or all the lava floats on the top.

      What is confusing about this article is that it somehow bypasses the NAT protections. How does an outside hacker connect to a device that doesn't have a routable address and no external appearance on the Internet? Is it the device's fault if the owner puts a port forwarding tunnel into the router so outsiders can connect to something inside?

    5. Re: dumbasses by Obfuscant · · Score: 5, Informative

      At least they're only gaining control over an on-off switch.

      Only. They're also gaining control over what you've plugged into that switch. (The whole purpose of having a network controlled switch is so you can control something that is plugged into it.) Plug in a coffee pot, heater, or anything else that can cause a problem when turned on inappropriately, you've got a problem.

      The fine summary also commented that the firmware could be hacked to become part of a botnet. That's a problem even if you don't have anything plugged in.

      the varistor

      Dimming is not done using a varistor. Or a rheostat (variable resistor.) That's so horribly inefficient and would create enormous heat problems. It's done using a triac. The dimming is accomplished by turning the triac on later and later in the cycle of the AC current. The less of the full cycle you let through, the "dimmer" the output. This requires only an on-off device which can be very efficient and create extremely little heat. (No heat when off, very low on resistance and thus very little dissipation when on.)

      short circuiting

      When an AC line switch "short circuits", the worst that happens is the device that is plugged in is "on" always. There is no pathway for a true short circuit in the controlled switch. (Yes, the dimming or switching circuit can fail and create a short, but unlikely, and not as part of improper control.)

      oscillating loads in many locations at once in tune with the grid to mess up phase balancing

      The latency in the network would make this hard.

      oscillating loads very quickly

      The fastest switching will be 16 (or 20) ms -- once the dimmer circuit fires the triac, it doesn't shut off until the next zero crossing. That can damage power supplies in connected devices, but unlikely to damage the grid.

    6. Re:dumbasses by Anonymous Coward · · Score: 1

      Put a lesser wattage globe in your lava lamp, sit back, trip out to the full globulous glory of said lava.

    7. Re:dumbasses by red+crab · · Score: 1

      I suppose it must be actually configured to be accessible behind a NAT using port-forwarding and DDNS. That is how most IoT stuff is meant to be accessed these days. Controlling them on your local subnet doesn't make much sense in most cases; people would want to view and control their devices from their smartphones etc from remote networks.

    8. Re:dumbasses by bruce_the_loon · · Score: 1

      It's a vulnerability created by the intense desire to have an app control the switch via a remote server. For whatever brain-damaged reason, the app can't talk straight to the device, it has to go via the manufacturer's servers, and they do it via unencrypted channels that can be sniffed.

      That's what is going to kill us all, IoT devices that in order to switch on something, or change a pretty colour or anything, have to go to the bloody cloud to do it.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    9. Re: dumbasses by Rei · · Score: 1

      Having never wired a dimmer switch, that makes good sense, and would indeed impose those limitations, and I bow to your knowledge. Except:

      When an AC line switch "short circuits", the worst that happens is the device that is plugged in is "on" always

      No. If you short the live to the neutral, you throw a breaker.

      Now, if you had a triac in an always-open configuration, then that wouldn't happen, but that would no longer be a short circuit. My perception of there being a short configuration was based on a misperception of the wiring configuration. But a short absolutely will not just leave a light in an always-on configuration.

      The latency in the network would make this hard.

      The reduction of power quality is a real (but unintentional) problem with lights that use magnetic ballasts, from what I've read, as the switching in the transformer throws it off-phase. But you probably know more on the topic than I.

      --
      "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
    10. Re: dumbasses by Rei · · Score: 1

      But in short, I do thank you for the correction. It was late and my thoughts extended no further than, "these are the things you could do when you have an AC circuit flowing through a variable resistance". There are obviously a lot of problems with that.

      --
      "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
    11. Re: dumbasses by davidshewitt · · Score: 1

      If I get any IoT devices they will go on a separate subnet that has no internet access. I will only purchase devices that will talk to a server I control. The firewall will only allow traffic to the device subnet from my trusted subnet and VPN. It's not perfect but it's a lot more secure than handing over control to a company that "cares" about security only after they've been compromised.

    12. Re:dumbasses by Anonymous Coward · · Score: 0

      "IoT will not be present" That covers my entire home! NO IoT crap will ever be present in my home! IoT is just a bad idea all around. Especially since this IoT crap can't seem to be designed with any meaningful security built in...because the real purpose of these devices is to spy on people and send info to corporations who definitely do not have the consumers' best interest in mind!

    13. Re:dumbasses by HiThere · · Score: 1

      You may soon have trouble buying a monitor or a refrigerator. I don't want it either, but I'm not sure how long it will be reasonably avoidable.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    14. Re: dumbasses by Obfuscant · · Score: 1

      No. If you short the live to the neutral, you throw a breaker.

      Yes, you would. But the switching circuit does not have a path from live to neutral. Here is a site that shows a simple dimmer circuit. Note that the load is in series with the triac, so there is no input to the triac that will cause it to short hot to neutral, and if the triac shorts it will at worst leave the controlled device (load) powered all the time.

      Now, the entire control circuitry does, of course, have a connection from hot to neutral, but this connection is not switched and cannot be forced to create a short circuit. It has fixed components that draw enough current to control the triac, but nothing that a remote attacker can break. It can physically fail and create a short, which is why you have breakers. In the example I linked to, if the capacitor shorts you would have the resistors across the 230 mains, which would probably cause them to burn out and create an open circuit. It would also connect the diac input to the neutral, putting it in a non-conducting state. If the resistors shorted out (a very unlikely failure mode for resistors) you'd put full line voltage across the cap (probably making it explode -- an open circuit) and turn the diac on, turning on the triac. The final result would be the load is powered all the time.

      But failure cannot be caused by invalid control inputs from a hacker.

  3. Full article by Anonymous Coward · · Score: 1, Informative

    Full article with vendors here

    1. Re:Full article by Anonymous Coward · · Score: 0

      It's not the same product. The vulnerabilities detailed in that report don't fit their latest report. PS: That report is from February btw. This report was released today. Plus, they named the product in February. Why hide its name now.... unless it's another product.

    2. Re:Full article by Opportunist · · Score: 1

      Well, I would certainly also hide the name if I did nothing but rehash an old security problem found by someone else and tried to sell it as my own...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Fuck This Softpedia Bullshit! by Anonymous Coward · · Score: 0

    What kind of bullshit click bait story is this. 'Be afraid of the scary vulnerability! But, we won't tell you which device has it.'

    Name names or GTFO!

    If it says Softpedia GTFO!

    1. Re:Fuck This Softpedia Bullshit! by Anonymous Coward · · Score: 0

      but what if it's softpedia.gov/hansen ?

    2. Re:Fuck This Softpedia Bullshit! by sexconker · · Score: 1

      They can't tell you the details until they come up with a snappy name for the vulnerability.

    3. Re:Fuck This Softpedia Bullshit! by JustAnotherOldGuy · · Score: 1, Insightful

      They can't tell you the details until they come up with a snappy name for the vulnerability.

      They already have, it's "IoT".

      If it's some piece of consumer-shiny-bling-bullshit and it's internet-enabled, there's your vulnerability.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    4. Re:Fuck This Softpedia Bullshit! by Anonymous Coward · · Score: 0

      but what if it's softpedia.gov/hansen ?

      Wouldn't that be softpedo.gov? Why don't you have a seat over there?

    5. Re:Fuck This Softpedia Bullshit! by Anonymous Coward · · Score: 0

      Bitdefender refrained from publishing the product's name. Softpedia is just a news agency.

    6. Re:Fuck This Softpedia Bullshit! by campuscodi · · Score: 1

      It's Edimax SP-1101W... are you happy now?

    7. Re: Fuck This Softpedia Bullshit! by Anonymous Coward · · Score: 0

      Or even a better celebrity vulnerability name: IdIoT

    8. Re: Fuck This Softpedia Bullshit! by Opportunist · · Score: 1

      Backronym for "I do Internet of Things"?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. FUD by Anonymous Coward · · Score: 0

    You can not be hacked by everything electrical on Earth. This is all lies.

    You can however be spied on by anything Microsoft distributes.

  6. Internet of Terrors by JustAnotherOldGuy · · Score: 5, Insightful

    That's what the IoT is, the Internet of Terrors.

    Mark my words- this is only going to get worse and worse and worse, and eventually somebody will die from some shoddy piece-of-shit consumer crap that's been weaponized by some asshole hacker.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Internet of Terrors by Anonymous Coward · · Score: 0

      Army of mice? That is essentially what the spies are.

      Ever seen the movie Argo? That is what they learned first before they false flagged the whole globe with 9/11 WTC.

      They pretended it was a movie. From there, the lies just progressed.

    2. Re:Internet of Terrors by WillAffleckUW · · Score: 1

      The IoT is a Dank Meme and Full of Terrors

      --
      -- Tigger warning: This post may contain tiggers! --
    3. Re:Internet of Terrors by Anonymous Coward · · Score: 0

      I see you missed the day they taught critical thinking in school, didn't you?

    4. Re:Internet of Terrors by Anonymous Coward · · Score: 1

      What is this school you speak of?

      I learned it from your moms va-jayjay.

    5. Re:Internet of Terrors by Darinbob · · Score: 2

      I work on IoT, and I want to slap CEOs of companies like this for giving everything a bad name. We're working our ass off to have good security and yet the market is grabbing up toys that are completely useless except for being new and then fail to include even the most basic security. Most hardware good for this is low on security features, but they're slowly starting to come around due to demand from product makers.

      But, this is the same crap you see on web pages, etc. Everyone's getting hacked left and right because no one bothers to take security seriously, and because security is hard and you need experts instead of some buddies who need a job, and at best it's an afterthought slapped on at the end. Startup mentality means get your product or app out as fast as possible so there's no time to waste on quality.

    6. Re:Internet of Terrors by Obfuscant · · Score: 2

      Startup mentality means get your product or app out as fast as possible so there's no time to waste on quality.

      Time to market, and cost. If your switch costs twice as much as someone else's, guess which most consumers will buy? Development costs money. Security development is an almost invisible benefit in a device that hasn't gotten to market yet. It's only a liability afterwards.

    7. Re:Internet of Terrors by whoever57 · · Score: 1

      Time to market, and cost. If your switch costs twice as much as someone else's, guess which most consumers will buy?

      Also, the well has already been poisoned. Even if you pay twice as much, it isn't likely that you will get something that is significantly more secure.

      Even if you could, how do you know that you are getting more security for your additional dollars?

      --
      The real "Libtards" are the Libertarians!
    8. Re:Internet of Terrors by antdude · · Score: 1

      I am surprised it hasn't happened yet.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    9. Re:Internet of Terrors by Anonymous Coward · · Score: 0

      I'd like to reply to this but I'm too busy writing another reply about the glories of self-driving cars cruising along at 80 mph on busy interstates.

    10. Re:Internet of Terrors by Stinky+Cheese+Man · · Score: 4, Insightful

      I am sick of "smart" products. From the smart text selection in MS Word, which always selects more or less text than I actually want, to the climate control in my car, which insists on turning on the A/C when I just want some cool fresh air, they invariably get it wrong. I know what I want and I am smart enough to make my own choices.

    11. Re:Internet of Terrors by Darinbob · · Score: 1

      No one really needs either new gadget. They're being sold to gadget lovers who always must have the latest consumer item, to hipsters because nothing says insufferable like a guy showing you how he can see if he left the stove on or not while kayaking, and so forth. Those are consumers though. If you're a city or utility though you don't buy your devices from engadget or kickstarter.

    12. Re:Internet of Terrors by Opportunist · · Score: 1

      Not enough IdIoTs yet. It needs to be a bit more widely used before it's a worthwhile attack vector.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:Internet of Terrors by jittles · · Score: 1

      I am sick of "smart" products. From the smart text selection in MS Word, which always selects more or less text than I actually want, to the climate control in my car, which insists on turning on the A/C when I just want some cool fresh air, they invariably get it wrong. I know what I want and I am smart enough to make my own choices.

      I love the automatic climate control in my car. If I don't want the AC on, just fresh air, I hit the AC button and it does its best to match the selected climate using fresh air + heater. I set the dial and forget about it 90% of the time. The 10% of the time is when I want to just roll the windows down instead of using the climate system. It even automatically defrosts the windshield if I turn on the rear window defroster. That is, of course, unless I tell it not to.

    14. Re:Internet of Terrors by JustAnotherOldGuy · · Score: 1

      It even automatically defrosts the windshield if I turn on the rear window defroster. That is, of course, unless I tell it not to.

      Yes, but why should you have to tell it not to? Because it's making a decision for you- the wrong decision.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    15. Re:Internet of Terrors by JustAnotherOldGuy · · Score: 1

      I am surprised it hasn't happened yet.

      Same here, but I think the advent of self-driving cars will bring it about sooner than we think.

      I'd bet that there are hackers rubbing their hands right now in gleeful anticipation of causing a car to veer into oncoming traffic or a light pole or a pedestrian.

      Self-driving cars are my guess as to where we'll see the first IoT fatality. And it's likely that we won't even know it was a malicious actor that caused the fatality.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    16. Re:Internet of Terrors by JustAnotherOldGuy · · Score: 1

      Not enough IdIoTs yet. It needs to be a bit more widely used before it's a worthwhile attack vector.

      Three words: Self-driving cars.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    17. Re:Internet of Terrors by Anonymous Coward · · Score: 0

      > I know what I want and I am smart enough to make my own choices.

      Yes, but they want our grandchildren not to. And by introducing all these devices & protocols that take care of us, a new generation of people are missing out on how stuff works. Not that we are expected to be repair-techs mind you, but I mean future folks will just miss out on basic adjustments, start/stopping, and general understanding & control of anything except their personal interests, (also thanks to focused marketing).

      Our benevolent corporate nannies will take care of us, for a price. And when we're all in our virtual-stalls, eating, consuming, and spending money on the farm err I mean societal landscape that's been created for us, we will remain fairly happy until our dying day. This is a huge price for humans to pay.

    18. Re:Internet of Terrors by Obfuscant · · Score: 1

      No one really needs either new gadget.

      Define "need". At the most basic human needs level (Maslow?) of course you are right.

      But at a practical level, I disagree, with an example. I have remote data systems that run 24/7. One is a four hour drive away, another just one hour. Unfortunately, the computers doing the collection are not perfect devices and thus sometimes they crash. Or lock up.

      In both locations I have network controllable power switches. (At the four hour away site, I actually have FOUR of them, at four different failure points.) I have lost count of the number of times I've been able to restart the data collection within a few minutes of getting notified that it has stopped, by telling the power switch controlling that computer to reset.

      These are all Chinese made "phone home" models that are blocked at the router that I've posted about before.

      They are $100 each, but they have so far saved me many times their price in convenience. Do I "need" them? Well, I could drive an hour each way to reset one of the systems, and there are people who I could ask a favor of at the other site, but the former is expensive and means a lot of lost data, and the latter is annoying to people who aren't involved in the data collection and have other things they're paid to do. (Although, when the UNinterruptable power supply proves it isn't I do have to ask -- rare but can't be fixed remotely.)

    19. Re:Internet of Terrors by Anonymous Coward · · Score: 0

      Isn't it better if rather than always making no decision, it usually makes the correct decision? It reduces your need to intervene with its operation.

    20. Re:Internet of Terrors by jittles · · Score: 1

      It even automatically defrosts the windshield if I turn on the rear window defroster. That is, of course, unless I tell it not to.

      Yes, but why should you have to tell it not to? Because it's making a decision for you- the wrong decision.

      The general assumption is that if your back window needs defrosting, the front window probably does too. I never think about my automatic climate control. Like ever. And then I was traveling for work last week and was in a rental car and was constantly turning the knob to adjust the temperature because it would never turn off once it got to a comfortable temperature and the damn thing kept blowing until I got cold. Not that it's the end of the world, but I'd rather pay attention to the road than my climate control.

    21. Re:Internet of Terrors by Opportunist · · Score: 1

      Critical mass not reached yet.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Re:You keep using that word... by Anonymous Coward · · Score: 1

    How many more stories will there be like this as more IOT stuff comes to market?

    People just buy the lowest priced garbage they can find on Amazon... Most of which are unreliable Chinese garbage dumped on the market, completely unsecured, loaded with or vulnerable to malware, broadcasting information back to who-knows-who, or rely on a fly-by-night company whose dodgy server in China might go offline tomorrow.

    Sounds like a really great thing, truly.

  8. Reveal the Company's Name by Anonymous Coward · · Score: 0

    Any company fielding products that dangerously amateurish deserves to be ridiculed and forced out of business.

  9. Re:You keep using that word... by The+Real+Dr+John · · Score: 2

    For some reason many people seem to question internet related technology less and less, when obviously they should be questioning it more and more. Most things do not need to be hooked to the internet. The dubious benefits do not even come close to compensating for the potential downsides.

    --
    A brain is a terrible thing to waste... Mind? That's debatable.
  10. Security through obscurity isn't security by Anonymous Coward · · Score: 0

    Didn't take too long to figure out it was Edimax...

  11. Matthew Garret by whh3 · · Score: 1

    If you want to keep up with a very smart person who does some really interesting analysis on the security of "smart" devices, try Matthew Garret. He posts most of his findings in conversational format on twitter at

    @mjg59.

    You can see more of his "reported" results on his website at
    http://mjg59.dreamwidth.org/.

    Enjoy!

    --
    remove nospam. to email!
    1. Re:Matthew Garret by whh3 · · Score: 1

      Of course I stupidly misspelled his name. It's Garrett. Sorry Matthew!

      --
      remove nospam. to email!
  12. IoT by Anonymous Coward · · Score: 0

    I never got this concept, why should ANYTHING in my home be on the WWW? What the fuck for? For Google to sell more advertising?
    Please put the brakes on this shit.

  13. This isn't just regular stupid by maugle · · Score: 1

    This is advanced stupid. It takes a whole lot of bad decisions and a high-grade lack of skill to manage a remote exploit via a password field.

    I'm gonna go out on a limb and say that, in lieu of hashing and salting the password, and/or using one of the many freely available tools to sanitize inputs, it drops the password field directly into a database query of SELECT * FROM PWNED WHERE PASSWORD = x. Because IoT means cheap crap developed by the cheapest programmers. Hell, even doing a plain text comparison of if (passwordInput == passwordStoredInPlainText) would have been more secure!

    In related news, I will never install an IoT device into my house that I didn't design and program myself.

    1. Re:This isn't just regular stupid by freeze128 · · Score: 1

      Obligatory:

      https://www.youtube.com/watch?v=inR02pEesCQ

  14. Re:You keep using that word... by Anonymous Coward · · Score: 0

    http://www.atlanticforest.com/wp-content/uploads/2013/04/SmartLog.jpg

  15. Help me out here by rebelwarlock · · Score: 1

    I've tried doing some research on this, and didn't come up with anything substantial. What is the practical purpose of a smart electrical socket?

    1. Re:Help me out here by Anonymous Coward · · Score: 0

      For turning things on and off that don't have traditional remote controllers. I use mine for turning a fan on/off. The other benefit is the ability to program the device to turn on/off with other devices like smart lightbulbs. With a GPS enabled smartphone this can happen automatically based on proximity so that things turn on/off when you arrive or leave home. It's the future of convenience.

  16. Re:You keep using that word... by Opportunist · · Score: 3, Informative

    Smart, as in, smartER than the idiot dumb enough to use it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  17. Re:You keep using that word... by Opportunist · · Score: 1

    That's because they don't know the first thing about it. The internet, that's that nebulous thing they plug into their computer (seriously, there are people who absolutely believe "the internet", that's the router they got from their ISP) where the porn and Facebook lives.

    And somehow this can in some way also do stuff with your toaster now. That this could be a security issue does not occur to them for a simple reason: Nothing else does. Everything else in their life has been foolproofed. Cars, appliances, even whatever they do at their job has so many safeguards and protections that they really would have to go out of their way to be in harm's way.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  18. Newsworthy? by Anonymous Coward · · Score: 0

    These articles about insecure IoT devices are published so frequently as to no longer be newsworthy.

    I'd like to read an article about an IoT device following security best practices. Now THAT would be newsworthy.

  19. IOT = Pile of shit by Anonymous Coward · · Score: 1

    Ho hum. Seems like every other day we get news of yet another crapulent, badly designed, "Internet of Things" device with piss poor security.

    Seriously, anyone putting *any* of these shitty things in their house must have a hole in the head.

    You'd be at less risk of something bad happening by putting scorpions in your underwear than you would bringing *ANY* IOT device into your home. They're being designed by clowns for clowns.

  20. Re:You keep using that word... by Anonymous Coward · · Score: 0

    That's offending! Other Americans are just as smart as that swimmer bloke and his friends.

  21. At this point by Anonymous Coward · · Score: 0

    It's becoming disturbingly obvious that all that stupid crap like murdering people through their internet connections like we see in old cyberpunk is being deliberately worked towards, no matter how inefficient and idiotic it may be.

    People are actively making design decisions in hopes that we *will* get hacked to death.
    Now let's all pay twice as much for an IoT lawnmower and its patented "bad timing blows it up" wifi fuelcells!

  22. It's this one. by Anonymous Coward · · Score: 0

    It's the Edimax: http://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/au/home_automation_smart_plug/sp-1101w/

  23. Nothing to see, move along... by Anonymous Coward · · Score: 0

    I read the report, all of the vulnerabilities require the attacker to be in physical range of your wi-fi router to carry out a direct connection to your smart device when the device creates a hotspot for initial configuration. Nothing in the report indicates something that could be infiltrated by someone over the Internet from anywhere in the world. So, unless you have shitty neighbors or see a white van parked outside, you have nothing to worry about.

    1. Re:Nothing to see, move along... by oh_my_080980980 · · Score: 1

      Really Potsy...unlike a smart meter that's wired to the internet....

  24. Manufacturer is Edimax [n/t] by Jizzbug · · Score: 1

    Edimax is the manufacturer of these devices.

    --

    -=/\- Jizzbug -/\=-
  25. Real meaning of SMART by xororand · · Score: 1

    The hidden meaning of "smart" in "smart phone" and "smart light switch" actually implies something different, taken from the hard drive industry:

    Self-Monitoring, Analysis and Reporting Technology (SMART)

    The purpose of these devices seems to be total monitoring of its users. A "smart" home usually means the vendor knows the state of every light switch, every door sensor, every movement down to the millisecond. I'm just waiting for a group of burglars to break into such a database to determine when and where to break into houses.