Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: Privacy & security nightmares: Hacking smart toilets, smart toys, smart homes

Network World | Aug. 5, 2013
From anywhere on the planet, a hacker could open and close the lid to your smart toilet, turn your child's smart toy into a covert surveillance device, or unlock the doors of your smart home.

Disregard for a moment why you would ever want to connect a toilet to the Internet to "record a toilet diary," and instead ask why would a person hack a smart toilet? Because it's there; it's vulnerable and it helps to highlight new security risks associated with smart devices connected to the web, making up the Internet of Things.

LIXIL Satis Bluetooth smart toilet

Since the Japanese manufactured LIXIL Satis smart toilet is extremely expensive, as much as about $6,000, and not readily available in the U.S., researchers at the security firm Trustwave reverse-engineered an Android app for the bluetooth-controlled Satis. It has a hard-coded PIN of "0000," according to the security advisory, and:

any person using the "My Satis" application can control any Satis toilet. An attacker could simply download the "My Satis" application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.

Although that hack is more of a prank, you might take the security risk more seriously if an attacker could secretly access the webcam in your child's toy, capture video and then upload it to a remote server.

Violet's Karotz Smart Rabbit

The toy in question is a Karotz plastic bunny that "can connect to the Internet (to download weather forecasts, read its owner's email, etc.)," stated the bunny security advisory. It "can be controlled from a smartphone app and is outfitted with a video camera, microphone, RFID chip a speakers." In fact, an attacker could "take control of it from a computer and remotely watch live video, turning it into an unwitting surveillance camera."

Hacking smart houses
At the Black Hat Home Invasion v2.0 presentation, Trustwave researchers showed serious topics as well, such as how someone other than the home or business owner can unlock doors from anywhere in the world. As an example, Trustwave security researcher Dan Crowley took a random four-digit number from a hacking conference attendee and then changed the lock's PIN. They also discussed poor security issues discovered when testing a Belkin WeMo Switch, Linksys Media Adapter, Radio Thermostat, and Sonos Bridge.

Although one of the benefits of having a smart home is that you remotely control it via a smartphone, tablet or PC, that convenience comes with a plethora of personal security and privacy risks. During the Black Hat session [pdf slides], the researchers showed how the home automation gateways Mi Casa Verde Veralite and Insteon Hub have "vulnerabilitiesthat, if not fixed, could result in covert audio and video surveillance, physical access to buildings or even personal harm."


1  2  Next Page 

Sign up for CIO Asia eNewsletters.