New Post: The S in IOT is for Security

Recently I was given two LED desk lamps to improve lighting for video meetings; these are just lamps with three controls: on/off, temperature, and brightness. In the misguided vein of “make it an IOT device with an app to monetize human data” mentality the temperature and brightness controls aren’t just knobs on the lamp, no, they are controlled by a proprietary app that you are forced (well… unless you hack it (as I explain below)) to download to your phone or computer. You also have to agree to the terms of service to install and use the application. After installing the app you must “activate” the lamp in the app by connecting it to your WiFi and the Internet.

Full Lamp Stack

This is no longer just a lamp… it is a full computer and WiFi access point. Secondarily it requires a proprietary app to be installed on a phone or computer that cannot be audited for security. Ownership is the ultimate measurement of privacy, security, and freedom; if you don’t own the device fully, you are owned by the developer (and manufacturer) of the device. The only way to own my lamp was to pwn my lamp.

Read the rest of the article here:

5 Likes

Apologies in advance for an outdated reference but…

3 Likes

Am I right in thinking you need to connect to your lamp’s wifi AP every time you want to toggle a setting from your app?

I’m past the games against vendors. If the lamps were any good, I’d gut them and put in my own controlling circuits, with four knobs each. But most probably, them lamps would get trashed.

To get fancier, one would connect that lamp to the local wifi as suggested, isolate it via firewall from the internet, and you would not have to connect to a special wifi. The real scandal is 1) no passwords whatsoever to get and set things, 2) a need for a proprietary app which is probably crap, malware infested and sells your data and 3) no way to upgrade or check what that lamp does.

Pwning it was no problem here as there were clearly no attempts at making it harder. But if it were any harder, the thing would have been useless or worse.

The instant I saw the heading “Full Lamp Stack” I had the biggest laugh I’ve had all week! :laughing:

1 Like

Do you have a hint how to do this?
“A brief search returned the web API URL path”

I think I am familiar with how to get up to there. But not how to do this in an efficient way…

The real problem: an easily pwnable device with an always-on radio (which likely can act as a wifi client as well as an access point) is inside your security perimeter. After you’re done setting the brightness and temperature of the lamp, how do you know the bad guys haven’t also pwned the lamp and turned it into a base for further attempts to find a hole in your security?

1 Like

Just put it behind a firewall and block all outgoing connections?

Then only local access via WLan would be possible, but also limited to that device.

1 Like

I would like to see “things” that don’t have to get hacked before they are useful. I mean, most people just buy IOT and connect to the cloud, installing the app and so on. It is not just a risk for their own security in the local network. It is also possible to hack 100.000 devices via the internet and start a DDOS or something else against another target. 10-year-old devices with no updates for 5-8 years (or even more) need to get protection against potentially the best hackers in the world. That’s just impossible.

And one of the best descriptions of IOT connected to the internet: it is an earth giant robot. Lamps, doors, freezers, cookers, cameras and so on … these are all arms and legs and eyes and can do real harm.

As nice as it is to be able to save yourself, that is by far not enough.

What does the word “pwn” mean? Thanks

Internet language. It means, in Kayle_Rankin’s case, that he got full access to and control of the lamp’s internal computer in such a way that other companies no longer have access to his lamp.

I understand the meaning, but where does “pwn” come from?

Read the link in my post before.

Firewalls don’t prevent your pwnable IOT devices from being pwned. The hacker can probably reach the closest one through the wall. Then from that control can be established over the next “smart” device further into the house/office/property. Then the next. All of these devices can then be programmed to continually watch for vulnerabilities. If you have a single vulnerable computer/router in your place and a lot of IOT devices, one of the IOT devices will likely be in a position to attack your vulnerable computer/router. Then the hackers are in your net behind your firewall. Given the coming ubiquitousness of IOT devices, it is not clear what the best defense is. It will be a pain to open up every device, find the radio, and rip it out. This will probably break a good portion of the devices. The alternative of continually scanning radio frequencies to detect suspicious behavior by your IOT devices seems challenging. Government regulation seems unlikely to solve the problem.

Nice hack :slight_smile: . But - as I understood from the article - it only replaced the closed source app to adjust those lamps. It didn’t replace the firmware of the lamps.

Since the lamp has a way to communicate (wifi), it could collect data of its environment and leak it to wherever (which is some receiver or relay within its reach). This could be someone scanning from the street or the use of any open network nearby or in reach of a self-organized relay network of evil devices.

Data collected could be something obvious like usage patterns. If the firmware and hardware are not known and understood it could relay audio. Through its wifi interface it could self-organize with other lamps in reach to build a network to triangulate wifi devices moving through its area of reception.

All these evil capabilities could sleep until triggered by some external event…

That sounds quite complicated to me. You have to be physically near the IoT devices. So the attack would be very targeted or max. by wardriving. Also I assume that for most devices it needs quite some time to manipulate the IoT device so that it scans for others incl. vulnerabilities and reports back.

Even if you can use something like Tuya convert, you would have to prepare a firmware replacement. (If there is something like Tuya convert, it would probably have been used by the person who put the device behind a firewall and controls it without the app.)

And then you would have to hack at least one more device from the IoT device to gain Internet access.

I guess there are much cheaper ways to gain control over devices which are connected to the internet.

So not prevent but probably make it hard enough.

I was thinking also of what @ChriChri called “a self-organized relay network of evil devices”. To target someone it might be enough to target the apartment building or city block and let your worm/virus spread.

You forget that we will get billions of IOT devices all over the world in the future. It’s such a nice target to hack massively and automatically, like Joe said. And if you are the vendor you already have physical access to these IOT devices. How can you know, as a normal consumer, if there is any manipulated flashed code on your device (installed by the vendor, for example) that gets activated automatically after some time?

What would be the benefit for a vendor to invest resources to keep control over such isolated devices?

And I can’t be sure that the vendor integrates such functionality in their devices. Even WLAN cards for which an open source firmware is loaded from an open source OS can be affected. Because hidden code/firmware could easily be placed in the chip by the vendor for such activities.