Even Toilets Aren’t Safe as Hackers Target Home Devices
Come home to a hot iron and smoldering clothes this afternoon? Soon, it may not be a sign of forgetfulness, but rather evidence that you’ve been hacked.
In coming years, your smartphone will be able to lock your house, turn on the air conditioning, check whether the milk is out of date, or even heat up your iron. Great news, except that all that convenience could also let criminals open your doors, spy on your family or drive your connected car to their lair.
“As these technologies become more sophisticated, it opens up a broader spectrum of threats,” said Gunter Ollmann, chief technology officer of IOActive, a tech security firm in Seattle. A world of connected devices makes it possible “for the bad guys to have permanent entry into your household.”
What the industry calls “the Internet of things” has been heralded as the next wave of tech riches. By 2020, some 26 billion such devices may be connected to the Internet, up from 3 billion today, researcher Gartner Inc. (IT) estimates. That’s almost four times the number of smartphones, tablets and PCs that will be in use.
The vision is to connect almost everything -- from cars to fridges, lamps, even toilets. Forget to flush? There’s an app for that.
Problem is, data security isn’t typically a big focus for toilet, refrigerator or baby monitor manufacturers. Security lapses on such devices could allow bad guys to disrupt home life, gather valuable personal data, or even use stolen information to extort money from victims, Ollmann said.
Trustwave, a Chicago company that helps corporate clients fight cybercrime, hijacked a Bluetooth connection that controls toilets made by Japan’s Lixil Group. (5938) That could allow hackers to open or close the lid and even squirt a stream of water at the user’s behind, Trustwave said.
Lixil said it’s difficult to commandeer its toilets as hackers would need to connect their smartphone to the loo using a special remote that comes with the device, making abuse “a very rare case.”
Even some tech companies have created devices lacking sufficient protection. Ollmann’s group broke into a home automation system from Belkin International Inc., a company that makes mobile phone accessories and Wi-Fi routers. Belkin’s WeMo box fits over electrical outlets to control lamps, fans, coffee makers and other appliances via a smartphone app.
IOActive found a way to take over those switches, turning them into poltergeists that could turn on heaters and irons -- a fire hazard and electricity-waster. Belkin said it discovered the vulnerabilities and fixed them even before IOActive discovered them in an older device.
As home automation technologies spread, appliance makers must educate buyers on security, said John Yeo, a director at Spiderlabs, Trustwave’s research unit. That would include stressing the importance of changing default passwords on such devices, which can allow even relatively unskilled hackers to gain access.
“This push to make everything under the sun Internet connected, perhaps because it’s in many respects aimed at the consumer end of the market, hasn’t had much of a focus on security,” Yeo said.
Companies that produce the next generation of smart appliances aren’t saying much about the topic. Samsung Electronics Co. (005930), which makes washers that users can monitor from their smartphones, said in an e-mail that it “takes the security of its products very seriously” and monitors risks. The company declined to comment further.
LG Electronics Inc. (066570) has Smart ThinQ technology that lets smartphone users monitor and diagnose problems in washers, refrigerators and ovens. The applications requires buyers to create a username and password. LG declined to comment.
Sweden’s Electrolux SA is developing an interactive countertop, a white surface with hidden elements for cooking food and charging devices such as mobile phones without plugging them in. The countertop even comes with a virtual chef to walk you through recipes. The company declined to make an executive available for this article.
Though not many criminal hackers are targeting such devices today, that will change once there’s a reliable way to make money from exploiting them, said Sebastian Zimmerman, a member of the Chaos Computer Club, a German hacker collective campaigning to raise awareness of security and privacy.
Criminals largely ignored mobile phones, he said, until mobile banking apps provided a way to get account information and made them more lucrative targets.
“It depends on the business case,” Zimmerman said. “As soon as you find interesting applications for exploiting appliances, I’m pretty sure people will do it.”
Some pranksters don’t need a profit motive. In April, an Ohio couple told television station Fox19 that they woke up to a strange man’s voice coming through their 10-month-old daughter’s connected baby monitor. The man was screaming obscenities and trying to awaken the baby, according to the report.
The baby monitor maker, Foscam Digital Technologies LLC, had already released an urgent notice to users, reminding them to update devices from the default username and password and to download new software. The company says that when correctly configured, its products face “no known vulnerabilities.”
Still, the growing number of hackers interested in finding illicit gains from stolen information makes these devices tempting targets, said David Emm, a security researcher at security software company Kaspersky Labs.
“There’s a whole backdrop of a black economy” where criminals profit from taking control of phones and computers, Emm said. “What we’ll see increasingly is other aspects of our life being drawn into that.”
To contact the reporter on this story: Amy Thomson in London at firstname.lastname@example.org