Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Smart' Electrical Socket Leaks Your Email Address, Can Launch DDoS Attacks (softpedia.com)

Posted by BeauHD on from the remote-control dept.

An anonymous reader writes from a report via Softpedia: There is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things. Bitdefender didn't reveal the device's manufacturer but said the vendor is working on a fix, which will be released in late Q3 2016. Problems with the device include a lack of encryption for device communications and the lack of any basic input sanitization for the password field. "Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the internet and bypass the limitations of the network address translation," says Alexandru Balan, Chief Security Researcher at Bitdefender. "This is a serious vulnerability, we could see botnets made up of these power outlets."

6 of 82 comments (clear)

  1. dumbasses by YrWrstNtmr · · Score: 3, Insightful

    I'm getting ready to replace all the switches and outlets in my 1982 era house.
    IoT will not be present. I want an outlet to do 2 things. Connect to the circuit breaker box, and provide electricity to my stuff without blowing up.

    Can't leak what doesn't exist.

    1. Re: dumbasses by Rei · · Score: 3, Interesting

      At least they're only gaining control over an on-off switch. If this was something with a dimmer that they could alter the firmware on, that'd be a lot more concerning. Because the firmware could be the only thing preventing the varistor from doing untoward behavior - short circuiting and throwing circuit breakers in a given location (to enable other nefarious actions while the power is out), oscillating loads in many locations at once in tune with the grid to mess up phase balancing, oscillating loads very quickly (if rapidly responsive devices are connected and if the varistor can shift that fast) in many locations to send out radio signals, etc

      The only nefarious thing I can picture doing with a bunch of hacked on-off switches would be trying to overload the grid and cause brownouts. Although I guess if someone had a coffeepot on one of those things and you ran it dry of water you might be able to start a fire...

      --
      "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
    2. Re: dumbasses by Obfuscant · · Score: 5, Informative

      At least they're only gaining control over an on-off switch.

      Only. They're also gaining control over what you've plugged into that switch. (The whole purpose of having a network controlled switch is so you can control something that is plugged into it.) Plug in a coffee pot, heater, or anything else that can cause problem when turned on inappropriately, you've got a problem.

      The fine summary also commented that the firmware could be hacked to become part of a botnet. That's a problem even if you don't have anything plugged in.

      the varistor

      Dimming is not done using a varistor. Or a rheostat (variable resistor.) That's so horribly inefficient and would create enourmous heat problems. It's done using a triac. The dimming is accomplished by turning the triac on later and later in the cycle of the AC current. The less of the full cycle you let through, the "dimmer" the output. This requires only an on-off device which can be very efficient and create extremely little heat. (No heat when off, very low on resistance and thus very little dissipation when on.)

      short circuiting

      When an AC line switch "short circuits", the worst that happens is the device that is plugged in is "on" always. There is no pathway for a true short circuit in the controlled switch. (Yes, the dimming or switching circuit can fail and create a short, but unlikely, and not as part of improper control.)

      oscillating loads in many locations at once in tune with the grid to mess up phase balancing

      The latency in the network would make this hard.

      oscillating loads very quickly

      The fastest switching will be 16 (or 20) ms -- once the dimmer circuit fires the triac, it doesn't shut off until the next zero crossing. That can damage power supplies in connected devices, but unlikely to damage the grid.

  2. Internet of Terrors by JustAnotherOldGuy · · Score: 5, Insightful

    That's what the IoT is, the Internet of Terrors.

    Mark my words- this is only going to get worse and worse and worse, and eventually somebody will die from some shoddy piece-of-shit consumer crap that's been weaponized by some asshole hacker.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Internet of Terrors by Stinky+Cheese+Man · · Score: 4, Insightful

      I am sick of "smart" products. From the smart text selection in MS Word, which always selects more or less text than I actually want, to the climate control in my car, which insists on turning on the A/C when I just want some cool fresh air, they invariably get it wrong. I know what I want and I am smart enough to make my own choices.

  3. Re:You keep using that word... by Opportunist · · Score: 3, Informative

    Smart, as in, smartER than the idiot dumb enough to use it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.