The latest “your IoT security is rubbish” takes the world one step closer to “burn it all and try again”: a “smart” electrical outlet that's actually a whole-of-network attack vector.
One of these things is a bit like the other. The Edimax SP-1101W with and without Bitdefender's obfuscation
Bitdefender plugged in the plug, which they kindly obfuscate in this image (not, however, in the image name when we checked). We say “kindly” because it's truly a Hammer House of Security Horror.
To continue: to make the plug smart, it has a built-in Wi-Fi hotspot – with weak default security credentials.
Fail the second: on the local network, it passes user credentials around in clear text. That might be less of a problem on wired Ethernet, but wireless signals have a way of escaping the four walls the hotspot's in.
Fail the third: because this is the Internet of Things, of course the power point sends data back to the company's servers, and of course it's not encrypted.
Fail the last: someone thought the power point should send an e-mail to the owner if it's turned off or on (why, for pity's sake?). To do that, its developers (may they be hassled by a thousand spiders) decided to use the owner's e-mail account – so it demands the e-mail account credentials.
Attack scenarios outlined by Bitdefender include taking control of the device; forcing a firmware upgrade; opening the Telnet port to an attacker, with an attacker-selected password; exposure of the user's e-mail credentials; and recruiting the device to a botnet.
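The clear-text failures above (credentials on the LAN, unencrypted reports to the vendor, the owner's mail login) and the Telnet scenario are all visible from a packet capture taken on the same network. What follows is an added example, not Bitdefender's tooling, the vendor's code or anything from the original article: a small passive classifier run over constructed sample flows. The addresses, field names, port-to-protocol map and payloads are assumptions made for the example; nothing here was captured from a real device.

```python
"""Passive check for IoT traffic that leaks secrets on the wire.

Added example with constructed data: flags credentials sent over plain HTTP or
SMTP, plain-HTTP reports leaving the LAN, and Telnet sessions to the device.
"""
import base64
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed home LAN; anything outside it counts as "the vendor's servers" here.
LAN = ipaddress.ip_network("192.168.1.0/24")
# Form/query field names that normally carry a secret (assumption, extend as needed).
SECRET_FIELDS = {"password", "passwd", "pwd", "pass", "smtp_password", "mail_password"}
# Destination ports whose payload is expected to be readable on the wire (assumption).
CLEARTEXT_PORTS = {23: "telnet", 25: "smtp", 80: "http", 8080: "http"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Finding:
    kind: str      # "cleartext-credential", "cleartext-telemetry" or "telnet"
    src: str
    dst: str
    detail: str


def http_fields(payload: bytes) -> Dict[str, str]:
    """Return query and form fields of a plain-HTTP request, or {} if it is not one."""
    text = payload.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    m = re.match(r"^(GET|POST|PUT) (\S+) HTTP/1\.[01]$", head.split("\r\n", 1)[0])
    if not m:
        return {}
    fields = parse_qs(urlsplit(m.group(2)).query)
    if "application/x-www-form-urlencoded" in head.lower():
        fields.update(parse_qs(body))
    return {k.lower(): v[0] for k, v in fields.items()}


def smtp_auth_user(payload: bytes) -> Optional[str]:
    """Return the username from an SMTP AUTH PLAIN line sent in clear text, if any."""
    for line in payload.decode("ascii", errors="replace").splitlines():
        if line.upper().startswith("AUTH PLAIN "):
            try:
                parts = base64.b64decode(line.split(" ", 2)[2], validate=True).split(b"\0")
            except ValueError:               # binascii.Error is a ValueError
                return "<undecodable AUTH PLAIN>"
            # AUTH PLAIN is [authzid] NUL authcid NUL password (RFC 4616).
            if len(parts) != 3:
                return "<malformed AUTH PLAIN>"
            return parts[1].decode(errors="replace")
        if line.upper().startswith("AUTH LOGIN"):
            return "<AUTH LOGIN, base64-encoded password follows>"
    return None


def inspect_flow(flow: Flow) -> List[Finding]:
    """Classify one flow against the failure modes described in the article."""
    findings: List[Finding] = []
    proto = CLEARTEXT_PORTS.get(flow.dport)
    if proto is None:
        return findings                      # TLS or unknown port: nothing readable here
    if proto == "telnet":
        return [Finding("telnet", flow.src, flow.dst, "telnet session on port 23")]
    if proto == "smtp":
        user = smtp_auth_user(flow.payload)
        if user is not None:
            findings.append(Finding("cleartext-credential", flow.src, flow.dst,
                                    f"mail account credentials in clear text ({user})"))
        return findings
    fields = http_fields(flow.payload)
    secrets = sorted(k for k in fields if k in SECRET_FIELDS)
    if secrets:
        findings.append(Finding("cleartext-credential", flow.src, flow.dst,
                                "plain HTTP fields: " + ", ".join(secrets)))
    if fields and ipaddress.ip_address(flow.dst) not in LAN:
        findings.append(Finding("cleartext-telemetry", flow.src, flow.dst,
                                "plain HTTP report to a host outside the LAN"))
    return findings


def inspect_flows(flows) -> List[Finding]:
    return [f for flow in flows for f in inspect_flow(flow)]


# Constructed sample traffic (hypothetical hosts and payloads, not a real capture).
PLUG, PHONE, VENDOR, MAILHOST = "192.168.1.10", "192.168.1.50", "203.0.113.7", "203.0.113.25"
SAMPLE_FLOWS = [
    # phone configures the plug over plain HTTP, password in the form body
    Flow(PHONE, PLUG, 80, b"POST /setup HTTP/1.1\r\nHost: 192.168.1.10\r\n"
                          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                          b"ssid=home&password=hunter2"),
    # plug reports its state to the vendor, also over plain HTTP
    Flow(PLUG, VENDOR, 80, b"GET /report?id=plug-01&state=on HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    # plug logs in to the owner's mailbox to send the "I was switched on" e-mail
    Flow(PLUG, MAILHOST, 25, b"EHLO plug\r\nAUTH PLAIN "
                             + base64.b64encode(b"\0owner@example.com\0hunter2") + b"\r\n"),
    # someone opens a telnet session to the plug (IAC negotiation bytes)
    Flow(PHONE, PLUG, 23, b"\xff\xfd\x18\xff\xfd\x20"),
    # the same report over TLS shows nothing readable
    Flow(PLUG, VENDOR, 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for f in inspect_flows(SAMPLE_FLOWS):
        print(f"{f.kind:22} {f.src} -> {f.dst}: {f.detail}")
```

Run against a real capture, the same logic sits behind a tcpdump or mirror port on the Wi-Fi segment; the point of the LAN prefix check is that a plug which only ever talks to 192.168.x hosts in clear is a smaller problem than one that posts the same fields to an address on the other side of the router.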
We're sure readers will think up far better ways to misuse the vulnerabilities.
As we put it recently in a Tweet:
Internet of Things, where root is but a HTTP request away, best of luck for the future. Best of luck.— The Register (@TheRegister) August 20, 2016
As they say on Twitter, “sigh”. ®