I love gadgets and my house is full of beeping robots, semi-automated lights (meaning every now and then we need to “kick something” to make them work), and obviously WiFi-enabled boiler and air-conditioning systems (giving you the luxury of returning home to a cool house and a warm bath without hiring a butler).
The biggest problem with these gadgets (putting aside all the UX / functionality / complexity issues) is the very obvious indifference shown by most of their manufacturers when addressing the device security architecture.
As an example, let me take one of these devices which is now in its second iteration, called the “Switcher II” which is basically a wireless on / off switch for a boiler that connects to a cloud service which provides scheduling, remote activation, IFTTT integration etc.

The first iteration of this device was very buggy mostly due to a faulty WiFi chipset, but when releasing the second version the company claimed all previous version issues were solved.
To make sure their claims are true I waited a few months after the initial release and read all the new reviews which started popping up in local technology blogs, and it seemed their claims were right.
For further verification, I emailed the company with a list of issues I saw in the initial release (the faulty WiFi chipset which caused ongoing network dropouts, an issue with scheduling, and a security issue I found with the initial release which I will describe below…).
The company's friendly representative assured me that all those issues were gone, and that I could happily spend my hard-earned money on yet another gizmo, which I did.
As they said, most of the technical issues were indeed resolved, however the security issue was still very much there: as you can see in the screen capture below they are simply sending the username and password in clear text without any encryption, which obviously poses a real security issue for various reasons:
1. The very obvious issue, which is the one most customers think of and which makes this seem negligible in their eyes – a possible attacker can use these credentials to turn the boiler on or off and gain knowledge of such usage.
The much more serious implications, which most customers are not aware of:
2. A friendly hacker might gain these credentials and try to gain access to other more important services (email…) knowing most users (other than you of course) just re-use their passwords in multiple services.
3. Our friendly hacker can use these credentials as an initial foothold to gain control over the device (shouldn’t be very hard, given the obvious disregard of security safeguards by the vendor), and use it to gain access to more interesting stuff (being a “man in the middle”, listening to all your traffic, spoofing traffic, etc.)
4. Gain access to the cloud service and siphon more user data from there (home address etc.)

On device – traffic screen-capture showing the switcher app passing clear-text credentials.
I contacted the vendor immediately, hoping for a quick response, and received a phone call on the very same day I reported the issue from a company representative and later from one of the developers.
The developer asked for network traces, which I sent him, confirmed the issue and promised a quick response, claiming this was a minor mistake their QA missed in the initial release.
This seemed like an exemplary response: mistakes do happen, and when the vendor is a very small one (which is true for this tiny startup), their speed and willingness to solve the issue seemed like the perfect way to handle such issues (gain exact knowledge of the issue, be totally open and try to resolve the issue as fast as possible).
However, a month passed and nothing happened, then two, three… nearly half a year now.
During this time, I contacted them repeatedly and the only response I received was “the item is on our To-Do list”.
This is just another example of the total lack of understanding of why it is important to keep IoT devices secure, and although you can do something about it (below), most customers are purchasing these devices without realizing the security risk they pose.
What can you do?
1. Complain to the vendor, complain on forums, blogs… until the vendor realizes what the right thing to do is and fixes the issue.
2. Separate your “production” network (the Wi-Fi / wired network your PCs are connected to) and your IoT network.
You can read an excellent guide on this matter, presented in Steve Gibson’s security podcast here
3. Install one of the free open-source IPS / UTM packages on an old computer and protect your networks. (I use the excellent open-source SNORT IPS)
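To check whether a device on your own network has the clear-text credential problem described above, you can run payloads from your own capture through a small audit script. The following is an added example, not code from the original post or from the vendor: the post does not state the Switcher's wire format, so the script assumes credentials travel as key=value pairs or JSON fields, and the field names and sample payloads are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl

# Field names treated as credentials (assumed list; extend it for your device).
SENSITIVE = {"username", "user", "email", "password", "passwd", "pwd", "token"}
# TLS record header: content type 0x14-0x17 followed by version 0x03 0x00-0x04.
TLS_RECORD = re.compile(rb"^[\x14-\x17]\x03[\x00-\x04]")

def _json_pairs(obj):
    """Yield (key, value) for every scalar field in nested JSON."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)):
                yield from _json_pairs(value)
            else:
                yield str(key), str(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _json_pairs(item)

def find_cleartext_credentials(payload: bytes):
    """Return sorted (field, masked value) pairs readable in one TCP payload."""
    if TLS_RECORD.match(payload):
        return []  # looks like a TLS record: nothing readable on the wire
    text = payload.decode("utf-8", errors="replace")
    pairs = []
    # Case 1: key=value pairs in a URL query string or form-encoded body.
    for token in re.split(r"[\s?]+", text):
        if "=" in token:
            pairs.extend(parse_qsl(token))
    # Case 2: a JSON object anywhere in the payload.
    start, end = text.find("{"), text.rfind("}")
    if 0 <= start < end:
        try:
            pairs.extend(_json_pairs(json.loads(text[start:end + 1])))
        except ValueError:
            pass  # not valid JSON, ignore
    # Mask values so the findings can go into a vendor report as-is.
    return sorted({(k, "*" * len(v)) for k, v in pairs if k.lower() in SENSITIVE})

# Constructed sample payloads (not the Switcher's real traffic).
SAMPLE_FORM = (b"POST /login HTTP/1.1\r\nHost: cloud.example.invalid\r\n\r\n"
               b"username=alice%40example.invalid&password=hunter2")
SAMPLE_JSON = b'{"action": "login", "auth": {"user": "alice", "password": "hunter2"}}'
SAMPLE_TLS = b"\x17\x03\x03\x00\x20" + bytes(32)

if __name__ == "__main__":
    for name, data in [("form", SAMPLE_FORM), ("json", SAMPLE_JSON), ("tls", SAMPLE_TLS)]:
        print(name, find_cleartext_credentials(data))
```

Any non-empty result for a login exchange means the credentials are readable by anyone on the path between the device and its cloud service; the masked output keeps the field names and lengths as evidence without repeating the secret itself.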