Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Smart' Electrical Socket Leaks Your Email Address, Can Launch DDoS Attacks (softpedia.com)

Posted by BeauHD on from the remote-control dept.

An anonymous reader writes from a report via Softpedia: There is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things. Bitdefender didn't reveal the device's manufacturer but said the vendor is working on a fix, which will be released in late Q3 2016. Problems with the device include a lack of encryption for device communications and the lack of any basic input sanitization for the password field. "Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the internet and bypass the limitations of the network address translation," says Alexandru Balan, Chief Security Researcher at Bitdefender. "This is a serious vulnerability, we could see botnets made up of these power outlets."

3 of 82 comments (clear)

  1. Full article by Anonymous Coward · · Score: 1, Informative

    Full article with vendors here

  2. Re: dumbasses by Obfuscant · · Score: 5, Informative

    At least they're only gaining control over an on-off switch.

    Only. They're also gaining control over what you've plugged into that switch. (The whole purpose of having a network controlled switch is so you can control something that is plugged into it.) Plug in a coffee pot, heater, or anything else that can cause problem when turned on inappropriately, you've got a problem.

    The fine summary also commented that the firmware could be hacked to become part of a botnet. That's a problem even if you don't have anything plugged in.

    the varistor

    Dimming is not done using a varistor. Or a rheostat (variable resistor.) That's so horribly inefficient and would create enourmous heat problems. It's done using a triac. The dimming is accomplished by turning the triac on later and later in the cycle of the AC current. The less of the full cycle you let through, the "dimmer" the output. This requires only an on-off device which can be very efficient and create extremely little heat. (No heat when off, very low on resistance and thus very little dissipation when on.)

    short circuiting

    When an AC line switch "short circuits", the worst that happens is the device that is plugged in is "on" always. There is no pathway for a true short circuit in the controlled switch. (Yes, the dimming or switching circuit can fail and create a short, but unlikely, and not as part of improper control.)

    oscillating loads in many locations at once in tune with the grid to mess up phase balancing

    The latency in the network would make this hard.

    oscillating loads very quickly

    The fastest switching will be 16 (or 20) ms -- once the dimmer circuit fires the triac, it doesn't shut off until the next zero crossing. That can damage power supplies in connected devices, but unlikely to damage the grid.

  3. Re:You keep using that word... by Opportunist · · Score: 3, Informative

    Smart, as in, smartER than the idiot dumb enough to use it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.