We've seen many vulnerabilities in internet-of-things devices over the past several years, but the problems can also extend to their companion mobile applications and cloud services. If you're using Wink or Insteon hubs to control sensors, door locks, and other sensitive devices in your home, make sure you update to the latest versions of their Android applications and encrypt your phone.
Researchers from security firm Rapid7 analyzed the Android applications that people use to control their Wink Hub 2 and Insteon Hub devices and found that both of them store sensitive access credentials in plain text in their configuration files.
Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet.
The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security.
A botched wireless update for a remotely accessible smart lock system has bricked hundreds of them. The locks suffered a “fatal error,” according to the device’s manufacturer LockState, rendering them unable to be locked. Customers are asked to either return impacted locks for repair, or request a replacement.
“We realize the impact that this issue may have on you and your business and we are deeply sorry. Every employee and resource at LockState is focused on resolving this for you as quickly as possible,” wrote Nolan Mondrow, CEO of LockState in an email sent to customers last week. More than 500 customers using model 6000i RemoteLocks are impacted.
A bipartisan group of U.S. senators on Tuesday plans to introduce legislation seeking to address vulnerabilities in computing devices embedded in everyday objects - known in the tech industry as the "internet of things" - which experts have long warned poses a threat to global cyber security.
The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.
Lucas Lundgren sat at his desk as he watched prison cell doors hundreds of miles away from him opening and closing. He could see the various commands floating across his screen in unencrypted plain text.
"I could even issue commands like, 'all cell blocks open'," he said in a phone call last week. Without being there, he couldn't know for sure if his actions would've had real-world consequences. "I'd probably only know by reading about it in the newspaper the next day," said Lundgren, a senior security consultant at IOActive. It's because those cell doors are controlled by a little-known but popular open-source messaging protocol known as MQTT.
Your Roomba may be vacuuming up more than you think. High-end models of Roomba, iRobot’s robotic vacuum, collect data as they clean, identifying the locations of your walls and furniture.
This helps them avoid crashing into your couch, but it also creates a map of your home that iRobot is considering selling to Amazon, Apple or Google. Colin Angle, chief executive of iRobot, told that a deal could come in the next two years, though iRobot said in a statement on Tuesday: “We have not formed any plans to sell data.” In the hands of a company like Amazon, Apple or Google, that data could fuel new “smart” home products.
The security woes of the internet of things stem from more than just connecting a bunch of cheap gadgets to a cruel and hacker-infested internet. Often dozens of different vendors run the same third-party code across an array of products.
That means a single bug can impact a startling number of disparate devices. Or, as one security company's researchers recently found, a vulnerability in a single internet-connected security camera can expose a flaw that leaves thousands of different models of device at risk. On Tuesday, the internet-of-things-focused security firm Senrio revealed a hackable flaw it's calling "Devil's Ivy."
Security researchers have discovered a number of vulnerabilities in an internet-enabled burglar alarm that could see the device being remotely switched off by an attacker.
According to a blog post, Ilia Shnaidman, head of security research at Bullguard, said that the discovery of multiple flaws in iSmartAlarm is another example of a poorly engineered device that offers attackers an easy target. The device, said Shnaidman, has flaws that can lead to full device compromise. The cube-shaped iSmartAlarm provides a fully integrated alarm system with siren, smart cameras and locks.
Smart-home controllers from German company AGFEO have adopted best practice internet of things security by offering an unsecured Web admin interface. The now-patched attack vectors included unauthenticated access to some services, authentication bypass, cross-site scripting (XSS) vulns, and hard-coded cryptographic keys.
The bugs were discovered by SEC Consult, and landed on Full Disclosure after the vendor finally released an update. The AGFEO ES 5xx and 6xx firmware has three certificates with their associated private keys, which would ultimately let an attacker get administrative credentials and do as they pleased.
Google’s thesis to the automotive industry came packaged in a red glinting Maserati Ghibli. The luxury sedan, parked outside last year’s Google I/O developer conference, might have looked like just another sports car — a ubiquitous sight in Silicon Valley.
But what was inside captured the interest of automakers. And now, some automakers are buying into what they found, despite long-held fears of giving up too much control to outsiders like Google. “The traction we’re seeing in the car space is just ridiculous,” Patrick Brady, vice president of engineering for Android, told. “It’s surprising even to us and has caught us off guard.”