Security Risks from Remote-Controlled Smart Devices

We’re starting to see a proliferation of smart devices that can be controlled from your phone. The security risk is, of course, that anyone can control them from their phones. Like this Japanese smart toilet:

The toilet, manufactured by Japanese firm Lixil, is controlled via an Android app called My Satis.

But a hardware flaw means any phone with the app could activate any of the toilets, researchers say.

The toilet uses bluetooth to receive instructions via the app, but the Pin code for every model is hardwired to be four zeros (0000), meaning that it cannot be reset and can be activated by any phone with the My Satis app, a report by Trustwave’s Spiderlabs information security experts reveals.

This particular attack requires Bluetooth connectivity and doesn’t work over the Internet, but many other similar attacks will. And because these devices send to have their code in firmware, a lot of them won’t be patchable. My guess is that the toilet’s manufacturer will ignore it.

On the other end of your home, a smart TV protocol is vulnerable to attack:

The attack uses the Hybrid Broadcast Broadband TV (HbbTV) standard that is widely supported in smart television sets sold in Europe.

The HbbTV system was designed to help broadcasters exploit the internet connection of a smart TV to add extra information to programmes or so advertisers can do a better job of targeting viewers.

But Yossef Oren and Angelos Keromytis, from the Network Security Lab, at Columbia University, have found a way to hijack HbbTV using a cheap antenna and carefully crafted broadcast messages.

The attacker could impersonate the user to the TV provider, websites, and so on. This attack also doesn’t use the Internet, but instead a nearby antenna. And in this case, we know that the manufacturers are going to ignore it:

Mr Oren said the standards body that oversaw HbbTV had been told about the security loophole. However, he added, the body did not think the threat from the attack was serious enough to require a re-write of the technology’s security.

Tags: , , , , , ,

Posted on June 10, 2014 at 8:24 AM46 Comments

Comments

paul June 10, 2014 8:37 AM

So essentially the broadcast TV industry has learned nothing since the Captain Midnight escapades of 1986? Relying on an unauthenticated channel because you think no one will have (access to) the equipment needed to use that channel is so … quaint.

Meanwhile, although the toilet-flushing exploit seems mostly funny, it could be pretty serious if there’s a local concentration of bluetooth-enabled toilets (e.g. in an apartment building). Simultaneous flushing of a bunch of toilets on one line can cause pipe-damaging water hammer on the input side and some nasty reverse-siphoning effects on the output side.

AndrewL June 10, 2014 8:54 AM

It’s an interesting addendum to the “lets connect everything to the internet” argument.

All the vendors who are desperately trying to steal some advantage on their rivals by connecting the fridge and the microwave to the home lan are putting in more and more microprocessors which are vulnerable to attack and unlikely to be patchable.

Smart TV’s are probably the thin end of the wedge here. Once the tech becomes cheap enough it will be included by default in all white goods.

Lorin Ricker June 10, 2014 9:10 AM

Will people forget to vote with their pocketbooks? …i.e., don’t buy this crap. Although it’s normal human nature to want and like to acquire cutting-edge and otherwise “neat things”, and the early days of the IoT is likely going to produce lots of useless products, I’m hoping that common sense and market sanity will ultimately prevail. While it may be nice to be able to blow warm water and air on your keister, why in the world anyone would want to involve their cellphone and an app in that activity is simply beyond me, especially if the NSA’s going to be watching your backside as you do it!… Isn’t this a job for a simple push-button or lever?

And eventually — soon(er), I hope — consumers are going to wise up to the fact that techno-products which benefit the producers, the marketers, are really not a good bargain. See Eben Moglen’s brilliant discussions of the non-transactionality of privacy, for example and guidance.

Shawn Smith June 10, 2014 10:01 AM

@paul, One of the lessons that stuck with me in my American history class when covering the gilded age was about how a bunch of soldiers were quartered in a hotel in New York, and, being a very regimented force, all got up at the same time and relieved themselves at the same time. The resulting synchronized flushes blew out manhole covers all around the hotel. I guess there won’t be much memory of unintended consequences when this “cool” technology hits U.S. markets.

Chelloveck June 10, 2014 10:19 AM

The HbbTV flaw seems to be by design. The sole intent is to give an over-the-air broadcast access to your Internet connection, which it does admirably. And if other people can use it maliciously, well… That doesn’t harm the broadcaster a bit, does it? Adding some sort of authentication would harm the broadcaster. As I understand it this is a unidirectional one-to-many transmission with the only backchannel being over the Internet connection. Authentication is difficult in this case. You have many different broadcasters and many different TV manufacturers. If the authentication tokens are all pre-shared then you may as well not have them; so many people have access that they will get out. Otherwise you have to have the cooperation of the end user to install the auth tokens. Manually visit the broadcaster’s web site at the very least. But HbbTV doesn’t really benefit the end user, so why would they bother? No, this is broken by design.

paul June 10, 2014 10:23 AM

@shawn I’m not nearly that old, but in my youth one of the first college legends I was exposed to was “No matter how much fun it sounds like, do not get a bunch of friends together to flush all the toilets in [dormitory redacted] because the university will find you, and they will stick you with the bill for fixing the pipes.” So I expect there will be just enough memory of the possible consequences for a group of anklebiters to think they can get away with it.

Thoth June 10, 2014 10:33 AM

Are we too “overly-connected” ? When do we have our private times and when do we go public ? Will our addiction of constantly typing away on phone screens and browsing websites while crossing a road junction while vehicles zoom pass us ever come to an end ?

xd0s June 10, 2014 11:04 AM

“Mr Oren said the standards body that oversaw HbbTV had been told about the security loophole. However, he added, the body did not think the threat from the attack was serious enough to require a re-write of the technology’s security” Emphasis added by me.

The issue here was at least in part (as so many cases are) that the security review and issue presentation was AFTER the code was written. If it had been caught prior to the main body of code being set this could’ve been addressed inline and at much less cost. Instead we have yet another “write first security later” technology that is possibly problematic.

Simon June 10, 2014 11:06 AM

Do you know what’s so stupid about this? Try and remember the post about hackers causing a Diesel engine to over-rev and blow up being labeled as SCARE-MONGERING. But here we are, toilets flushing are now a big threat to nat’l security. Give me a break. This belongs on the HP.

MikeA June 10, 2014 11:30 AM

Why wouldn’t this work over the internet? You just pwn the SmartTV and use its bluetooth to flush the toilets (Or put them in continuous bidet mode). Or use the bluetooth in pretty much every computer these days. Remind me, how many of those are already backdoored?

James Ward June 10, 2014 12:10 PM

@Lorin Ricker

I think there is an education gap that allows the free market to perpetuate these products. My opinion: even among IT professionals only a minority consider the proliferation of internet enabled appliances from a security perspective. Among the general population it’s likely that a majority don’t know that the devices they’re buying have these capabilities.

One of the most frustrating experiences I’ve had in IT has been discussing these stories only to be met with blank stares from otherwise inspired developers, security specialists and other professionals.

Stuke June 10, 2014 12:15 PM

A remote controlled toilet? Ahhhh! Won’t it be great; having your own, private Tsunami?

Dodo June 10, 2014 12:30 PM

I am sure that NSA will backdoor these toilets so they can look straight into our asses.

Anura June 10, 2014 1:43 PM

I’m trying to think of the devices in my home that benefit or would benefit from an internet or wireless connection:

Desktop
Laptop
Phone
TV (And associated devices)

That’s a complete list. I think we are going internet/wireless stuff for the sake of internet (or patents), or technophilia. I love technology, but I don’t trust it. My car has passive keyless entry/pushbutton ignition, an electronic parking brake, and digital this and that; I don’t trust the passive keyless entry to be secure, and I don’t trust the electronic parking break at all. The keyless entry provides me with some worry (what if my battery dies? What if someone hacks it to steal my car?), but I will admit that it is convenient (before pushbutton ignition: locked keys in car twice, after pushbutton ignitiion, never locked keys in car). The electronic parking brake adds worry, and I don’t see the advantage at all. It feels like technology for the sake of technology.

Clive Robinson June 10, 2014 2:36 PM

Regular readers will know I’ve been banging on about the idiocy that goes into embedded devices when it comes to security, and the fact I think NIST should sort the issue out prior to it becoming a disaster.

Apaert from home entertainment consider other more dangerous things with this idiocy,

1, home white goods, do you realy want your oven slow roast to turn into short term cremaion with attendent smoke and fire hazards?

2, home heating and ventilation, I hear arizona gets hot and alaska gets cold, do you wanf your AC augmenting these effects?

3, Smart meters, do you realy want your services cut off, or criminals to monitor your usage to know if you are out, or worse in but in the bath etc.

4, How about all those pacemakers US insurance companies are getting peoples chests cracked open to install, do you realy want some skript kiddy with a semse of humor setting it so your heart beats in time with the latest high energy dance craze music?

If you think well it’s not going to happen, just google what a senior member of the Bush administration who had an insiders knowledge had done befor his pace maker was fitted. It screams volumes in of it’s self.

However there is a problem, the expected life time of some of these embedded devices is well over 25years. As far as I’m aware no security protocol of any use for embedded devices has made it into a quater centuary without a secrurity break or significant question mark hanging over it.

Thus this means that whatever NIST or other standards organisation comes up with it will have to allow for the updating of algorithms, protocols and even standards in place on all devices. This is going to need a framework standard where all parts of it can be upgraded in place, which means in practice a frame work standard to deal wirh other standards frameworks that in tun will have to support framework standards for protocols which in turn will have to support all likely algorithms not just for security but communications at all levels of the stack.

This is not going to be an easy task, so he sooner a standards body starts the better. NIST and most US influanced standards bodies are well behind the curve on this sort of thing, and currently the nearest is those standards bodies working within the auspices of Europes Common Market which has given us the CE standards processes which includes amongst others the basic electrical safety and radio and commu ications standards that has alowed for GSM and all it’s subsiquent augmentations.

moo June 10, 2014 5:21 PM

Remote-controllable toilets. Brilliant.

Its still not as bad as those notoriously-insecure “smart meters” that utility companies seem to have a growing fondness for, though. I’m just waiting to see the first big reported hack where half the houses in a neighborhood receive absurdly-large bills. Or have power cut to their refrigerators in the middle of the night.

Carmelo June 10, 2014 6:42 PM

I have to agree with MikeA: determining whether something’s “on the internet” isn’t nearly as simple as people often imply. It’s easy to say, for example, that power plants should use a private network not connected to the internet; but all it takes to bridge those networks is one field tech laptop with exploitable BlueTooth/802.11 firmware/software (operating outside a Faraday cage).

While it’s silly to set an unchangeable PIN of 0000, that’s unlikely to matter in practice—someone will eventually find an exploit for the BlueTooth stack, and then it’s not going matter what the PIN is. Nobody’s checking for security updates for their toilet seats, if manufacturers even offer such a thing.

People tend to overlook anything that doesn’t look or feel like a computer. We see now (again) that smart TVs are exploitable, but what about dumb TVs? Remember that, these days, they still contain several full MPEG stream parsers and decoders, working on over-the-air data. (Or over-the-wire data; but there are hundreds of cable modems sitting on that wire, able to transmit, whose code has rarely been inspected.)

Dave June 10, 2014 7:17 PM

All zeros code for the toilet?

Wasn’t that also the code to arm the nuclear missles in WWII? Bombs away!

Click my name for the hillarious article about it.

Wael June 10, 2014 7:25 PM

@Dave,

Wasn’t that also the code to arm the nuclear missles in WWII…

Conclusion? Same engineers designed them? The smart toilets I saw in Tokyo coverd the seat when someone left the bathroom, and the seat covere reopend when someone opend the door to use the “facilities”. Strage though! Why have the toilet seat covered when no one is there?

Chris Abbott June 10, 2014 9:01 PM

The NSA is already on it. Check out one of the TAO documents I got (like I’ve said before, I have special sources):

TOP SECRET//SI//REL. TO FVEYS

SUPERFLUSH

SUPERFLUSH is an implant designed for smart toilets. For the first time ever, NSA has the ability to cause toilets to “flush backwards” using Bernoulli’s principle and flood the home of a target with sewage. Local plumber’s websites are QUANTUM ready, so when the target attempts to get a phone number from a local plumber’s website, they get queued for QUANTUM and we then have unfettered access to the target’s machine.

Unit Cost: $0.10
Status: Available

But seriously, WTF reason would you want your toilet to be on the Internet?? As you can see from the newly leaked document above, this is a recipe for total disaster (and a call to ServPro).

Me June 11, 2014 2:34 PM

I saw that a recent Consumer Reports cover story was on these ‘smart home’ devices, I started reading it thinking, ‘they’ll just gloss over/not mention security.’ Nope, first section (after the opening explaining what these things are) is about the lack of security that has been observed and how connecting them suddenly opens a security issue that didn’t exist before.

Made me like my subscription to CR all the more.

Wesley Parish June 12, 2014 3:24 AM

This is giving some enterprising crims an extra few million botnet slaves for nefarious purposes.

Enjoy the prospects of being spammed by some million other peoples’ fridges? I don’t.

Nile June 12, 2014 5:37 AM

So… Let me get this straight:

Hotels and apartment blocks with a installed base of bluetooth-enabled lavatories now have an attack surface for a ‘coordinated flush’ attack that can cause tens of thousands of dollars of damage and knock the entire building’s sanitation offline for days.

Do that twice to a hotel in the peak season and the business will fail.

Political conferences and conventions in such an hotel are an obvious target, knock the sanitation out and the conference is over – and there are people motivated to do that.

Could this work elsewhere?

At a guess, this probably won’t work against office blocks – fewer lavatory cisterns per floor, and offices are an unlikely market for fashion-driven bathroom technology – but my rusty knowledge of hydraulics suggests there is a potential for severe damage in a carefully-timed attack to generate a ‘water hammer’ propagating down a forty-storey tower block from a relatively small number of pressure waves. And the flush system on the urinals in most male restrooms runs on a timer, which may well be over-engineered into connectivity in an integrated building management system. But that is an entirely different can of worms.

Wesley Parish June 12, 2014 7:04 PM

@Nile

I think it would make a very efficient weapon to disable a high-rise CBD. Al Qaeda would not need to commit suicide to disable New York.

Mike the goat June 13, 2014 2:02 PM

Although I see the humor in gaining remote access to an Asian bidet, this does raise some damn serious questions about the ‘connected’ world we live in. I noticed in the local appliance store that they are embedding web browsing appliances into refrigerators now – why? I have no idea. I guess that the geek that decides to rig everything in his house up to x10 and have everything from his curtains to door locks remotely controlled will assess the risks and likely not only use application level security but also encapsulate everything in a VPN. The real danger is with the large number of completely clueless members of the general public who are buying things like CCTV kits etc and keeping default settings. On some of those cheap Asian imported cctv systems, their ‘cloud’ website allows access to the CCTV feeds of any installation simply by entering an eight digit serial number. If these serial numbers are issued, well, serially then I imagine it would be trivial to look at other user’s feeds.

Wael June 13, 2014 10:56 PM

There are use cases for refrigerators connected to the internet. They’ll have sensors inside, and will periodically order food for delivery so it arrives at your home. The fridge will place the order on your behalf, and pay as well. Could be useful for elderly people.

Wael June 14, 2014 3:01 AM

@Mike the goat,
Geez! two screw-ups today already! First one I put @Nick P as my name, and the second was the smiley which was meant for your “TV specials” post… Was working on the OpenSSL stuff.
You still have not answered my question about Yaesu or ICOM!

Wael June 14, 2014 3:22 AM

@Mike the goat,
Speaking of wireless, I’ll share something with you that I discovered a long time ago. I have not searched for it on the internet, so it maybe published somewhere. If you have two FM radios try the following experiment: Turn Radio A on and tune it to channel you like. Take Radio B a few feet way – say 1 – 15+ feet. Turn Radio B on as well, and keep moving the channel dial slowly. At some point, you will notice that radio A becomes silent. It worked better with older radios (RF coils, transistors, capacitors…).

I used this trick to turn off the loud music on stereos in rooms 20 feet away from mine in the dorm 😉 It shut their stereo silent! If they changed the channel, I did the same. Had a lot of fun with it 🙂 – If you try it and it works for you, we can talk about the reason why 🙂 – it works on AM radios as well, but the range is not good.

Mike the goat (horn equipped) June 14, 2014 3:56 AM

I wonder if there will be a new category of device on Shodan – “IP latrines”?

Wael: so now you’re impersonating Nick? Your use of language is so similar I am beginning to think there is some sockpuppeting going on ;-).

Didn’t see your question – sorry. People rave on about Yaseau equipment but anything from an Asian source with a name that sounds like a Greek greeting has to be untrustworthy. Seriously though the gear is good too. My ICOM 2m has been fantastic. Same goes for a “borrowed” TETRA radio that I used to listen to local ostensibly “scrambled” emergency services.

Mike the goat (horn equipped) June 14, 2014 4:01 AM

Wael: I heard that the emanations from receivers were used in the early days in the UK to defect people who didn’t pay their TV license fees (yeah, a license for public TV – I thought my Brit friend was full of bs when he told me about that years back). I have it on good authority that those “TV detector vans” were just propaganda and were/are just empty and driven around to spook people into paying up.

Wael June 14, 2014 4:12 AM

@Mike the goat,
Thanks for the Radio info – I am leaning towards ICOM…
Re: Me and Nick P… I have no need for sockpuppets (or pantyhosepuppets). Not sure about Nick P, though 🙂 – Tell you what: I’ll never use “I” in the possessive form as Nick P does when he says “I’s”. And if that ever happens, then it means my sock has holes in it, resulting in broken ass grammar — LOL

Jonathan Thornburg June 15, 2014 9:09 AM

@Mike the goat:

In his book “Spycatcher”, Peter Wright (who was a scientist working for
the UK spy service) tells the story of inventing the technique of using a
sensitive radio receiver to listen for weak signals from the local oscillator
of superhetrodyne radios being operated by USSR spies “operating” in the UK.
This was around 1959-60; the technique was code-named “Rafter”. Wright
describes using this for several purposes, including monitoring when known
spies exchanged messages with their controllers, checking if the USSR was
monitoring UK-spy-agency radio frequencies from inside the USSR embassy in
London, and a program to have the RAF fly regular patrols over the UK with
aircraft equipped with Rafter listening radios to try to find who was
listening to the USSR “numbers stations”. Wright also mentions learning
later that the USSR knew of the technique, and used it to try to track US
and UK spies operating in the USSR & eastern Europe.

So, it’s perfectly plausible that the TV-detector-vans are real.

[Yes, the UK has a TV-license-fee — that’s how the BBC is funded.
The system gives the BBC a relatively stable budget which is fairly
immune immune to political meddling. The contrast with (say) the
CBC in Canada or NPR in the USA is instructive…]

Wesley Parish June 16, 2014 5:30 AM

@Jonathan Thornburg

Of course. With the amount of unshielded cabling inside one of those old valve radios, and the high voltage necessary to run the valves, it would be easy to pick up radio emissions from the superheterodyne circuitry (which is after all a radio frequency oscillator on its own.).

Jennifer Long July 18, 2014 1:05 PM

This is why framework for any and all embedded devices should focus on security first; however, this will never happen. With Bluetooth, Zigbee, Z-Wave, etc. the security market is flooded with devices that are exploitable.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.