Latest in Badpassword

Image credit:

The coming smart-thing apocalypse

Shares
Share
Tweet
Share
Save

Bad Password is a hacking and security column by Violet Blue. Every week she'll be exploring the trendy new cyberhysteria, the state of the infosec community and the ever-eroding thing that used to be called "privacy." Bad Password cuts through the greed, fearmongering and jargon with expertise, a friendly voice and a little levelheaded perspective.

Like some people I know familiar with the ins and outs of digital surveillance (and startle like housecats when an app makes a geolocation request) I don't own any "smart" home items. My 1913 flat is well-connected to the internet, and my living room is a hacker's honeycomb hideout of entertainment playthings, but I'm far too pleased with my paranoia to own something from the class of spyware and advertising honeypottery known as the Internet of Things.

I'm also fairly certain that if I did own, say, a "smart" refrigerator, I'd accidentally trip over a setting in Transmission and download tentacle porn to the fridge. Which would mutate with malware being served to the interstitial ad I had to sit through to when I wanted eggs or milk, and I'd be assimilated in short order. This is how the rise of the machines begins; mark my words.

But if headlines are a reliable barometer for Skynet hysteria (spoiler: They are) it's easy to believe it's time to stockpile supplies, homemade paper-making kits and possibly a sundial and an abacus. Just in case hackers and/or your gadgets rise up and extract vengeance. In this spirit, last July, news outlets shouted that you should patch your Chrysler vehicle before hackers kill you. Which ones are the hackers who will take over our coffeemakers and our Jeeps and kill us, exactly? Well, in this instance, that would be the hackers who co-orchestrated the Jeep-hacking publicity stunt. So, you know, look out for those guys.

It's still important that we hear the note of the truth buried in clickbait's siren song. Many of the Internet of Things hacks pulled from headlines and editorialized on highbrow shows like CSI: Cyber are based on real, reproducible exploits. Yes, a baby monitor can be hacked, but it's for very specific models and no one is going to hack it so they can sell your baby on the darknet (CSI: Cyber S01E01, "Kidnapping 2.0").

Seriously, it's not "the hackers" I worry about. (Yes, I have tape over every camera and microphone in the house, but who doesn't these days?) No, what I worry about with things like WiFi thermostats and smart versions of boilers, locks, lamps, microwaves, dishwashers, dryers, outlets and smoke detectors is their software. And, like all things with software in them, a dev somewhere probably meant to send it for a code audit, or eliminate the hard-coded password, or file a patch, or tell comms that customers urgently need to update the firmware on their smart toilet. But ultimately they were distracted by the chance to eat a dozen tacos for $2.

Web app security company Veracode wrote in The Myth of the Smart Home Power User, "The problems [these] researchers identified were the kinds of things we in the security industry were writing about 10 or 15 years ago: a lack of basic authentication requirements to access administrative interfaces, open ports that leave the devices discoverable to internet scans, no privilege separation for user accounts and hard-coded passwords."

I'm not joking about the toilet as an attack vector, either. Veracode added, "In one example: A brand of 'smart' toilet by a prominent Japanese firm has the same, hard-coded Bluetooth passcode, '0000,' which is (coincidentally) a common default sync passcode for many Bluetooth-enabled devices, creating the possibility of a whole new category of 'overflow' attacks."

Or, you could just end up without hot water for six weeks, like this guy.

Still, how realistic is it for malicious hackers to take over my toilet? What are the chances of the next Lizard Squad deciding to weaponize my lavatory for the lulz?

Pretty low on all fronts, I'd say. In reality, hackers have shit to do, and it usually involves money.

The most we have to worry about with smart devices is their stupidity. And, absent acts of malice (like Volkswagen's shady emissions practices), that living in a state of irrational, omnipresent fear of household appliances is the cost of a connected world.

[Image credit: Getty Images]

From around the web