Hijacked Robotoilet: Even Toilets Aren’t Safe As Hackers Target Home Devices – ‘Forget To Flush? There’s An App For That’

Even Toilets Aren’t Safe as Hackers Target Home Devices (Bloomberg, June 10, 2014):

Come home to a hot iron and smoldering clothes this afternoon? Soon, it may not be a sign of forgetfulness, but rather evidence that you’ve been hacked.

In coming years, your smartphone will be able to lock your house, turn on the air conditioning, check whether the milk is out of date, or even heat up your iron. Great news, except that all that convenience could also let criminals open your doors, spy on your family or drive your connected car to their lair.

“As these technologies become more sophisticated, it opens up a broader spectrum of threats,” said Gunter Ollmann, chief technology officer of IOActive, a tech security firm in Seattle. A world of connected devices makes it possible “for the bad guys to have permanent entry into your household.”

What the industry calls “the Internet of things” has been heralded as the next wave of tech riches. By 2020, some 26 billion such devices may be connected to the Internet, up from 3 billion today, researcher Gartner Inc. (IT) estimates. That’s almost four times the number of smartphones, tablets and PCs that will be in use.

The vision is to connect almost everything — from cars to fridges, lamps, even toilets. Forget to flush? There’s an app for that.

Problem is, data security isn’t typically a big focus for toilet, refrigerator or baby monitor manufacturers. Security lapses on such devices could allow bad guys to disrupt home life, gather valuable personal data, or even use stolen information to extort money from victims, Ollmann said.

Hijacked Robotoilet

Trustwave, a Chicago company that helps corporate clients fight cybercrime, hijacked a Bluetooth connection that controls toilets made by Japan’s Lixil Group (5938). That could allow hackers to open or close the lid and even squirt a stream of water at the user’s behind, Trustwave said.

Lixil said it’s difficult to commandeer its toilets as hackers would need to connect their smartphone to the loo using a special remote that comes with the device, making abuse “a very rare case.”

Even some tech companies have created devices lacking sufficient protection. Ollmann’s group broke into a home automation system from Belkin International Inc., a company that makes mobile phone accessories and Wi-Fi routers. Belkin’s WeMo box fits over electrical outlets to control lamps, fans, coffee makers and other appliances via a smartphone app.

Fire Hazard

IOActive found a way to take over those switches, turning them into poltergeists that could turn on heaters and irons — a fire hazard and electricity-waster. Belkin said it discovered the vulnerabilities and fixed them even before IOActive discovered them in an older device.

As home automation technologies spread, appliance makers must educate buyers on security, said John Yeo, a director at Spiderlabs, Trustwave’s research unit. That would include stressing the importance of changing default passwords on such devices, which can allow even relatively unskilled hackers to gain access.

“This push to make everything under the sun Internet connected, perhaps because it’s in many respects aimed at the consumer end of the market, hasn’t had much of a focus on security,” Yeo said.

Companies that produce the next generation of smart appliances aren’t saying much about the topic. Samsung Electronics Co. (005930), which makes washers that users can monitor from their smartphones, said in an e-mail that it “takes the security of its products very seriously” and monitors risks. The company declined to comment further.

Interactive Countertop

LG Electronics Inc. (066570) has Smart ThinQ technology that lets smartphone users monitor and diagnose problems in washers, refrigerators and ovens. The application requires buyers to create a username and password. LG declined to comment.

Sweden’s Electrolux SA is developing an interactive countertop, a white surface with hidden elements for cooking food and charging devices such as mobile phones without plugging them in. The countertop even comes with a virtual chef to walk you through recipes. The company declined to make an executive available for this article.

Though not many criminal hackers are targeting such devices today, that will change once there’s a reliable way to make money from exploiting them, said Sebastian Zimmerman, a member of the Chaos Computer Club, a German hacker collective campaigning to raise awareness of security and privacy.

Baby Monitor

Criminals largely ignored mobile phones, he said, until mobile banking apps provided a way to get account information and made them more lucrative targets.

“It depends on the business case,” Zimmerman said. “As soon as you find interesting applications for exploiting appliances, I’m pretty sure people will do it.”

Some pranksters don’t need a profit motive. In April, an Ohio couple told television station Fox19 that they woke up to a strange man’s voice coming through their 10-month-old daughter’s connected baby monitor. The man was screaming obscenities and trying to awaken the baby, according to the report.

The baby monitor maker, Foscam Digital Technologies LLC, had already released an urgent notice to users, reminding them to update devices from the default username and password and to download new software. The company says that when correctly configured, its products face “no known vulnerabilities.”

Still, the growing number of hackers interested in finding illicit gains from stolen information makes these devices tempting targets, said David Emm, a security researcher at security software company Kaspersky Labs.

“There’s a whole backdrop of a black economy” where criminals profit from taking control of phones and computers, Emm said. “What we’ll see increasingly is other aspects of our life being drawn into that.”

 

2 thoughts on “Hijacked Robotoilet: Even Toilets Aren’t Safe As Hackers Target Home Devices – ‘Forget To Flush? There’s An App For That’”

  1. Not my smart phone. I started carrying a portable phone in 1995 when only a few people had them. They were expensive, the hearing and sound were outstanding, people could not tell I was speaking on a portable, they were analog, the resolution was excellent.
    Last year, I realized these phones had become electronic leashes, and dumped mine. I don’t miss it at all. If I need one, usually one of my friends has one I can use……usually, I don’t.
    I used a Kindle until it started sending me ads on what was on TV specials, somehow, it knew what channels I had access to, and what ones I watch. That freaked me out, I got rid of it. I am not interested in being on an electronic leash or a marking statistic.
    Carrying mobile phones when nobody else had them was really cool. I would flip it open, an operator would ask me what number I needed, dial it for me, and that was it…..hello, friend. It was really good service, and I enjoyed having it. I gave the number to nobody……I was not interested in being interrupted when busy. My home number was unlisted, so was my mobile.
    Fools today don’t even realize they are on an electronic leash……….
