A new breed of dog
When it comes to the Internet of Things (IoT), the news is full of nightmarish headlines and intimidating stories. The Twitter channel Internet of Shit, which boasts more than 250k followers, and the famous IoT Hall of Shame are only two pages dedicated entirely to listing and bashing IoT fails. Articles range from relatively harmless glitches, for which customers and companies pay “only” with their money, to highly dangerous security issues that make private data easily accessible to hackers. Out of the most recent IoT fails, I picked only three to give you an overview of what we are dealing with.
Foscam Camera – Make Life More Convenient for Hackers All Around the World
When we install cameras, it is usually to protect ourselves, our loved ones, and our belongings – and sometimes to spy on our not so well-behaved pets. And yet, since the rise of the Internet of Things, undersecured smart cameras have been dominating the news. Foscam, a Chinese video products manufacturer, had already made headlines in 2016. Back then, the Foscam baby monitor a family in Washington had placed in their toddler’s bedroom got hacked. As a result, a stranger was able to control the monitor, speak to and watch the 3-year-old – a disturbing experience no family should ever have to endure.
Foscam C2 IP camera
But certainly, Foscam have learned from their mistake, right? Ah… nope. While I haven’t heard of any stories as creepy as the baby monitor scandal, Foscam did expand their track record of vulnerable IoT devices. In June 2017, security company F-Secure reported 18 vulnerabilities in cameras manufactured by Foscam that made them easy prey for remote hacking. And earlier this month, the cyber threat intelligence team at Cisco Talos discovered a whole new range of vulnerabilities in Foscam’s indoor cameras. Instead of “mak[ing] life more secure for people all around the world”, as is Foscam’s mission statement, their IP cameras pave the way for hackers, allowing them to watch video feeds, download stored files, and in some cases also attack other smart devices in the home their customers had meant to secure.
Siemens Smart Meters - IoT Fails for Life
Now, Chinese products tend to get sort of a bad rep. “Surely” – you may think – “if I buy my things from a renowned German company, nothing can happen to them.” Sadly, that’s not necessarily the case. The century-old market leader Siemens cannot boast a clean slate either. In fact, as many as five Siemens products have made it into the IoT Hall of Shame so far. What’s probably the most troubling here is that all their bad headlines are relatively recent, starting in November last year with their CCTV webcams (yes, it’s cameras again). Let’s hope we’re not witnessing a downward spiral!
Siemens’ most recent IoT fail, however, is its 7KT PAC1200 smart meters. A researcher has detected a vulnerability that allows hackers to access the web interface connected to the smart meters without authentication. I know, someone accessing your smart meter account is not nearly as creepy as someone spying on your baby. But once the hackers have gained access to the interface, they can also perform administrative operations. So while it may be less scary, it’s definitely more costly. And don’t underestimate the information a person can gain about you by hacking into your smart meter account! Aside from your power consumption, those attackers will likely also learn personal and financial details about you. To be fair, however, I should mention here that Siemens has released a firmware update to address that flaw.
Wink and Insteon Smart Home Hubs - The Unencrypted Start to a Hacked Home
In our previous post, I addressed smart home systems and mentioned how the Wink Hub 2 got relatively positive, but never quite perfect reviews. As it turns out, the hub is not only imperfect, but highly vulnerable. Last September, researchers found that both Insteon, a US smart home system company, and Wink had launched hubs with severe encryption problems. In the case of the Insteon Hub, neither the login credentials to the Insteon services and hardware nor the transmissions between the hub and the devices it manages are encrypted. This allows hackers to control all devices connected to the hub remotely.
Wink Hub 2
Meanwhile, the Wink Hub 2 shows two critical vulnerabilities when handling users’ authentication tokens to access the Wink Android app. The authentication tokens are stored in an unencrypted way, which is pretty much like rolling out the red carpet for hackers. What is more, once users log out of the app, their authentication tokens are not revoked. This means I don’t even need any superior tech knowledge to hack your account – I just need to find/steal your phone!
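The logout flaw described above, as an added example that is not Wink's code: a server-side token store whose logout either only lets the app forget the token or actually revokes it. `TokenService`, its methods, the expiry setting and the sample user are hypothetical names chosen for illustration.

```python
import hashlib
import secrets
import time

class TokenService:
    """Server-side bearer-token store (hypothetical; not Wink's API)."""

    def __init__(self, ttl_seconds=3600, revoke_on_logout=True):
        self.ttl = ttl_seconds
        self.revoke_on_logout = revoke_on_logout
        self._sessions = {}  # sha256(token) -> (user, expiry)

    @staticmethod
    def _digest(token):
        # Keep only a hash server-side so a leaked table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = (user, time.time() + self.ttl)
        return token

    def whoami(self, token, now=None):
        """Return the user for a live token, or None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._digest(token))
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            self._sessions.pop(self._digest(token), None)
            return None
        return user

    def logout(self, token):
        # Flawed variant: the app forgets the token but the server still honours it.
        if self.revoke_on_logout:
            self._sessions.pop(self._digest(token), None)

def token_survives_logout(service):
    """User logs in, a copy of the token is read off the phone, user logs out."""
    token = service.login("alice")   # constructed sample user
    copied = token                   # copy taken from unencrypted app storage
    service.logout(token)
    return service.whoami(copied) == "alice"

if __name__ == "__main__":
    print("no revocation  :", token_survives_logout(TokenService(revoke_on_logout=False)))
    print("with revocation:", token_survives_logout(TokenService()))
```

With revocation and a short expiry in place, a token copied from the phone stops working as soon as the owner logs out or the lifetime runs out.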
What Shall We Do with the IoT?
So what should we do? On the one hand, we hear and read all these terrifying stories about strangers getting our personal data. But on the other hand, signs are pointing to a smart future. Smart things can definitely improve both our private and professional lives. Smart cameras can keep us and our families safe. Smart meters can be used to ensure fair and clear accounting. Smart homes can make our daily lives more convenient. It all depends on how those devices are made smart. Reliable yet flexible software is key to any secure smart device. So before you make your things smart, make yourself smart, and find a provider you can put your trust in.
guh is a young and innovative company with an international team of top-notch software architects. The small size of our enterprise allows us to develop the perfect solution to turn your product into a digital revenue machine, fast and hassle-free. Please feel free to contact us for a non-binding first talk.
Let’s build something great together!