Published in News

Now your power point is a security risk

by on 19 August 2016


21st century worries

As if we did not have enough to worry about, it seems that, thanks to the internet of things, we now have to be concerned about the security of our power points.

Security researchers from Bitdefender have found an IoT smart electrical socket which leaks your Wi-Fi password, your email credentials and is so poorly coded that attackers can use it to hijack the device and use it for DDoS attacks. In the good old days, all the power point could do was turn electrical equipment on and off.

Bitdefender didn't reveal the device's manufacturer but said the company is working on a fix, which it will release in late Q3 2016.

Smart electrical sockets are small electrical socket extenders, which you can plug into a regular wall socket. In this case the device comes with a module that allows users to manage power consumption using predetermined limits and schedule the socket to allow usage only between certain hours.

Bitdefender said that there were several major problems with this unnamed smart socket. When users set up the product, they also need to install one of the accompanying iOS or Android apps. These apps allow the user to connect to the smart electrical socket's built-in hotspot and configure it by entering the local Wi-Fi network credentials.

The IoT socket uses these credentials to connect to the local network and contact the vendor's servers, to which it sends a configuration file that includes several device details, such as model, make, device name, firmware version and MAC address.

All this networking is done without encryption, in cleartext, so an attacker sniffing the local network at the right time can easily pick up the credentials.
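As an added illustration, not from Bitdefender's report or this article, the following shows how a defender watching the IoT network segment could flag the kind of cleartext upload described above. The wire format, field names and vendor host are assumptions, since the article names the fields the socket sends but not the protocol.

```python
from urllib.parse import parse_qs

# Constructed sample capture (not from the article): a URL-encoded HTTP POST
# carrying the device details and credentials the socket is said to upload.
SAMPLE_CAPTURE = [
    "POST /device/register HTTP/1.1",
    "Host: vendor-cloud.example",  # placeholder vendor host, not a real one
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "model=SP-100&make=ExampleCorp&device_name=Kitchen+Socket&firmware=1.0.3"
    "&mac=AA:BB:CC:DD:EE:01&wifi_ssid=HomeNet&wifi_pass=hunter2"
    "&smtp_user=alice%40example.com&smtp_pass=s3cret",
]

# Fields that must never travel unencrypted, and fields that fingerprint the device.
CREDENTIAL_KEYS = {"wifi_pass", "smtp_user", "smtp_pass", "password", "passwd"}
DEVICE_KEYS = {"model", "make", "device_name", "firmware", "mac"}


def parse_http_request(lines):
    """Split a captured plaintext HTTP request into (request line, headers, body)."""
    request_line = lines[0]
    headers, i = {}, 1
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers[name.strip().lower()] = value.strip()
        i += 1
    body = "".join(lines[i + 1:])  # everything after the blank separator line
    return request_line, headers, body


def audit_capture(lines):
    """Report credential and device-fingerprint fields sent in cleartext."""
    request_line, headers, body = parse_http_request(lines)
    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in parse_qs(body).items()}
    leaked = sorted(k for k in fields if k in CREDENTIAL_KEYS)
    exposed = sorted(k for k in fields if k in DEVICE_KEYS)
    return {
        "request": request_line,
        "host": headers.get("host"),
        "credential_fields": leaked,
        "device_fields": exposed,
        "mac": fields.get("mac"),
        "severity": "high" if leaked else ("medium" if exposed else "info"),
    }


if __name__ == "__main__":
    print(audit_capture(SAMPLE_CAPTURE))
```

Any "high" finding means the device is handing secrets to anyone on the same network, which is the condition the researchers describe; the fix has to come from the vendor (TLS on the upload), not from the monitoring.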

Additionally, the device's default admin username and password are easy to guess, even without reading the device documentation.

The device also comes with a built-in feature to send users email notifications when a device scheduled task executes successfully. For this feature to function properly, users must fill in their email account username and password in the device's configuration panel. The device improperly stores these details.

Bitdefender researchers say that an attacker who knows the device's MAC address and default password can take control of the device, reschedule it, or use the stored credentials to access the user's email account.


Last modified on 19 August 2016