There's a reason Internet-connected thermostats, televisions, and other everyday appliances are growing increasingly popular. In an age when smartphones are nearly ubiquitous, people can crank up the heat, record TV programs, and check home-security systems without getting off the couch or leaving the little league game that's gone into extra innings.
But there's a flip side to the convenience. Just as Internet connections give new capabilities to the people using the devices, they also create new opportunities for stalkers, thieves, and hackers. A case in point: in August, Ars described how smartphone-controlled lighting systems from Philips could be commandeered by malicious websites to cause persistent blackouts. Now, the same researcher behind that hack has devised a new proof-of-concept attack. It turns a wireless baby monitor made by Belkin into a stealthy bugging device that can be accessed by someone in your front yard... or halfway around the world.
The WeMo brand monitor is simple to use. Connect it to a home Wi-Fi network and access it just once over the same network with an iPhone or iPad app Belkin makes available for free. The device will then have unfettered access to all audio picked up by the pint-sized device. Access to your home Wi-Fi network isn't necessary for the app to work after initial setup; all conversations within earshot of the monitor can be tapped as long as the iPhone or iPad has an Internet connection. The ease of connecting is no doubt intended to be one of the selling points of the WeMo monitor. But its lack of password authentication can just as easily be viewed as a liability since it exposes users to surreptitious monitoring by baby sitters, former spouses, or anyone else who even once manages to get on the home network. The only way to be sure that the device is locked down is to continually check the monitor's settings panel to ensure no unrecognized devices are connected to it.
Letting one-time access be the sole determinant for authenticating a device is likely to strike many readers as an obvious weakness. But independent security researcher Nitesh Dhanjani is calling attention to another potential hole that's more subtle: the same mechanism that authorizes an iPhone that connects to a WeMo even once can be abused by malware to give virtually any Internet-connected device remote bugging capabilities. The upshot of this finding: it's trivial for any computer that is already infected to obtain the credentials to tap the audio feed of a WeMo baby monitor connected to the same home network.
Dhanjani also uncovered weaknesses in two other Belkin products. The WeMo switch, which allows people to turn electric devices on and off with a smartphone, also grants permanent permissions to any device that gains one-time access. A proof-of-concept toolkit for benign hacks of this capability is available here. The Belkin Wi-Fi NetCam, by contrast, requires a password to access video feeds, even by users on the same Wi-Fi network. Unfortunately, Belkin developers have undone this good deed with a fatal flaw. The password is transmitted in plaintext to a server at the IP address 66.160.133.67, once again making it trivial for machines already infected with malware to retrieve the password and tap in to the video feed. This abuse scenario opens up the possibility of a whole new wave of remote snooping that exploits webcams, microphones, and other Internet-connected devices.
No more insecure than any other device
In March, Amazon customer Lon J. Seidman posted a review that raised many of same criticisms Dhanjani has made. It specifically called out a "very poor security model that leaves the WeMo open to unwelcome monitoring." In response, Belkin support representatives said the WeMo baby monitor was no more insecure than any other computing device, at least when users follow standard security procedures.
"For homes that use a password for their Wi-Fi, our product is as secure as any item on that network," they wrote. "For someone to get access to the baby monitor a person would need to discover that password."
The statement is similar to the one a Philips executive gave Ars in response to Dhanjani's previous work showing how easy it was for a malicious website to take control of the company's smart lightbulbs. The lighting system, the Philips exec said, was intentionally designed to grant access to any device connected to a user's home network. Company designers went about doing this by using digital security tokens that are generated without requiring a user to take special actions, such as pressing an authentication button on the wireless bridge of the system.
In other words, representatives from both Belkin and Philips seem to be saying, the devices operate on the premise that they're not running in an environment where even one connected device is compromised. Once exposed to malicious code, a compromised Wi-Fi password, or some other threat, all bets are off. Neither company said this explicitly, but it's implied in their statements. There's plenty of legitimacy in this point. People who don't take the time to lock down their networks with the WPA or WPA2 encryption protocols and a strong password can have no expectation that they're free of a long list of privacy- and security-threatening hacks. Similarly, computers that are infected with malware are by definition insecure. If the computer or network is controlled by malicious software or hackers, what reason is there to think that someone won't be able to connect to a baby monitor or turn off all the lights?
It's a valid point. At the same time, there's a serious risk to the security model guiding most designers of Internet-of-things devices. At the moment, devices connected to most home networks can probably be counted on one or two hands. In a decade, it's not hard to envision networks that have dozens of devices connected to them. When they're all electronically tethered, what's to stop a PC, smartphone, or even a washing machine from interfering with a thermostat? The short answer is that under the model guiding devices today, nothing. And therein lies the problem.
"It's been a decade since we've accepted the idea that the perimeter strategy to security is ineffective," Dhanjani wrote in a blog post, referring to the now largely discarded practice of erecting an impenetrable network defense and allowing local devices to operate freely inside of it. "The endpoints must strive to protect their own stack rather than rely on their network segment being completely trustworthy."
He continued: "When it comes to residences, the implicit notion is that controls beyond network address translation (NAT) aren't immediately necessary from the perspective of cost and complexity. The emergence of Internet of Things is going to dramatically change this notion."
reader comments
46