Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Smart' Electrical Socket Leaks Your Email Address, Can Launch DDoS Attacks (softpedia.com)

Posted by BeauHD on from the remote-control dept.

An anonymous reader writes from a report via Softpedia: There is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things. Bitdefender didn't reveal the device's manufacturer but said the vendor is working on a fix, which will be released in late Q3 2016. Problems with the device include a lack of encryption for device communications and the lack of any basic input sanitization for the password field. "Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the internet and bypass the limitations of the network address translation," says Alexandru Balan, Chief Security Researcher at Bitdefender. "This is a serious vulnerability, we could see botnets made up of these power outlets."

10 of 82 comments (clear)

  1. dumbasses by YrWrstNtmr · · Score: 3, Insightful

    I'm getting ready to replace all the switches and outlets in my 1982 era house.
    IoT will not be present. I want an outlet to do 2 things. Connect to the circuit breaker box, and provide electricity to my stuff without blowing up.

    Can't leak what doesn't exist.

    1. Re: dumbasses by Rei · · Score: 3, Interesting

      At least they're only gaining control over an on-off switch. If this was something with a dimmer that they could alter the firmware on, that'd be a lot more concerning. Because the firmware could be the only thing preventing the varistor from doing untoward behavior - short circuiting and throwing circuit breakers in a given location (to enable other nefarious actions while the power is out), oscillating loads in many locations at once in tune with the grid to mess up phase balancing, oscillating loads very quickly (if rapidly responsive devices are connected and if the varistor can shift that fast) in many locations to send out radio signals, etc

      The only nefarious thing I can picture doing with a bunch of hacked on-off switches would be trying to overload the grid and cause brownouts. Although I guess if someone had a coffeepot on one of those things and you ran it dry of water you might be able to start a fire...

      --
      "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
    2. Re: dumbasses by Obfuscant · · Score: 5, Informative

      At least they're only gaining control over an on-off switch.

      Only. They're also gaining control over what you've plugged into that switch. (The whole purpose of having a network controlled switch is so you can control something that is plugged into it.) Plug in a coffee pot, heater, or anything else that can cause problem when turned on inappropriately, you've got a problem.

      The fine summary also commented that the firmware could be hacked to become part of a botnet. That's a problem even if you don't have anything plugged in.

      the varistor

      Dimming is not done using a varistor. Or a rheostat (variable resistor.) That's so horribly inefficient and would create enourmous heat problems. It's done using a triac. The dimming is accomplished by turning the triac on later and later in the cycle of the AC current. The less of the full cycle you let through, the "dimmer" the output. This requires only an on-off device which can be very efficient and create extremely little heat. (No heat when off, very low on resistance and thus very little dissipation when on.)

      short circuiting

      When an AC line switch "short circuits", the worst that happens is the device that is plugged in is "on" always. There is no pathway for a true short circuit in the controlled switch. (Yes, the dimming or switching circuit can fail and create a short, but unlikely, and not as part of improper control.)

      oscillating loads in many locations at once in tune with the grid to mess up phase balancing

      The latency in the network would make this hard.

      oscillating loads very quickly

      The fastest switching will be 16 (or 20) ms -- once the dimmer circuit fires the triac, it doesn't shut off until the next zero crossing. That can damage power supplies in connected devices, but unlikely to damage the grid.

  2. Internet of Terrors by JustAnotherOldGuy · · Score: 5, Insightful

    That's what the IoT is, the Internet of Terrors.

    Mark my words- this is only going to get worse and worse and worse, and eventually somebody will die from some shoddy piece-of-shit consumer crap that's been weaponized by some asshole hacker.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Internet of Terrors by Darinbob · · Score: 2

      I work on IoT, and I want to slap CEOs of companies like this for giving everything a bad name. We're working our ass off to have good security and yet the market is grabbing up toys that are completely useless except for being new and then fail to include even the most basic security. Most hardware good for this is low on security features, but they're slowly starting to come around due to demand from product makers.

      But, this is the same crap you see on web pages, etc. Everyone's getting hacked left and right because no one bothers to take security seriously, and because security is hard and you need experts instead of some buddies who need a job, and at best it's an afterthought slapped on at the end. Startup mentality means get your product or app out as fast as possible so there's no time to waste on quality.

    2. Re:Internet of Terrors by Obfuscant · · Score: 2

      Startup mentality means get your product or app out as fast as possible so there's no time to waste on quality.

      Time to market, and cost. If your switch costs twice as much as someone else's, guess which most consumers will buy? Development costs money. Security development is an almost invisible benefit in a device that hasn't gotten to market yet. It's only a liability afterwards.

    3. Re:Internet of Terrors by Stinky+Cheese+Man · · Score: 4, Insightful

      I am sick of "smart" products. From the smart text selection in MS Word, which always selects more or less text than I actually want, to the climate control in my car, which insists on turning on the A/C when I just want some cool fresh air, they invariably get it wrong. I know what I want and I am smart enough to make my own choices.

  3. Re:You keep using that word... by The+Real+Dr+John · · Score: 2

    For some reason many people seem to question internet related technology less and less, when they obviously they should be questioning it more and more. Most things do not need to be hooked to the internet. The dubious benefits do not even come close to compensating for the potential downsides.

    --
    A brain is a terrible thing to waste... Mind? That's debatable.
  4. Re:You keep using that word... by Opportunist · · Score: 3, Informative

    Smart, as in, smartER than the idiot dumb enough to use it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:coders are not programmers by Opportunist · · Score: 2

    There is at least a chance of a lawsuit there. Now try for some cheap Chinese crap where you could already consider yourself lucky the thing doesn't simply burn your apartment to the ground due to faulty wiring.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.