Smart Products/Dumb Security: The Steep Costs of Convenience

While manufacturers of smart things rush products to consumers with little concern about security, researchers keep exposing their inherent weaknesses that could allow intruders into home networks.

At the annual IoT Security Foundation Conference in December, Ken Munro of Pen Test Partners demonstrated the low security standards of connected devices like home appliances and toys.

The presentation revealed not only manufacturers’ lack of concern for making IoT more difficult to break into, but also a lack of quality assurance and adherence to industry standards to prevent unauthorized changes to the product.

One example offered was the now-infamous iKettle, the smart container for heating water to precise temperatures. The product made the news in 2015 when Munro showed that it could give the password of its WiFi network to an attacker.

Munro has since discovered that the iKettle also stores the WiFi password even if the device is reset to factory defaults. This is dangerous for those who sell their iKettle because ill-intended buyers could get their WiFi key to compromise their home network.

The newer version of the appliance, iKettle 2.0, though more secure than its predecessor, is still not free of bugs and can be bricked. “What you can do is you can drive past it and send a raw HEX 0C and the kettle goes into a firmware update loop and dies,” the researcher explains.

Further cases of lax security in IoT referred to the Jura E8 smart coffee machine, which had no restriction on Bluetooth pairing, allowing anyone with an open Bluetooth connection to control the device.

Munro also tackled the IoT ransomware threat and took it from theory to practice by demonstrating how a thermostat can be taken hostage. This was possible because the device firmware failed to validate user input in some cases and was vulnerable to command injection.

During the ransomware experiment, Munro managed to control the device remotely and upload a backdrop image that informed owners they were locked out and had to pay a specific amount in ransom to regain access. Even more, remote control of the device persisted after reboot, so an attacker could extort a victim more than once.

Although IoT has a huge potential to make our lives more comfortable, manufacturers need to maintain adequate levels of security or face consequences like profit drops, either as customers abandon them or they suffer sanctions from state-level bodies, as was the case of the spying Cayla doll in Germany.