You may think that the worst you risk by buying a bargain-bin smart bulb or security camera is a bit of extra trouble setting it up or a lack of settings.
Although these so-called internet of things gadgets are small and rather dumb, they can still compromise your network. They're still full-fledged networked computers for all intents and purposes. They may not need to do much, but they still need to take many of the same basic precautions to prevent them from, say, broadcasting your private information unencrypted to the world, or granting root access to anyone walking by.
In the case of the "smart" bulbs investigated by Limited Results (via Hack a Day), the issue is not what they do while connected but what they keep on their tiny brains, and how.
The data was completely unencrypted, including the wireless password to the network to which the device had been connected. One device also exposed its private RSA key, used to create secure connections to whatever servers it connects to (for example, to check for updates, upload user data to the cloud, and so on). This information would be available to anyone who grabbed this bulb out of the trash, stole it from an outdoor fixture, or bought it secondhand.
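A check that a vendor or owner could run on a flash image for the storage problem described above, as an added example that is not from the original article or from Limited Results: it reports the offsets where a secret you provisioned yourself, or a PEM private key header, sits in plaintext. The function names, the sample image and the test password are constructed for illustration.

```python
import re

# PEM header that marks a private key stored as unencrypted text.
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")


def audit_flash_image(image, provisioned_secrets):
    """Return findings for secrets stored in plaintext in a flash image.

    provisioned_secrets maps a label to a secret the auditor already knows
    (for example the Wi-Fi password used during testing). Only the kind,
    encoding and offset are reported, never the secret itself.
    """
    findings = []
    for label, secret in provisioned_secrets.items():
        # Firmware may store strings as UTF-8 or as UTF-16LE; check both.
        for enc in ("utf-8", "utf-16-le"):
            needle = secret.encode(enc)
            pos = image.find(needle)
            while pos != -1:
                findings.append({"kind": label, "encoding": enc, "offset": pos})
                pos = image.find(needle, pos + 1)
    for match in PEM_KEY.finditer(image):
        findings.append(
            {"kind": "pem_private_key", "encoding": "ascii", "offset": match.start()}
        )
    return sorted(findings, key=lambda f: f["offset"])


def build_sample_image():
    """Constructed 4 KiB image: erased flash (0xFF) with test values planted."""
    img = bytearray(b"\xff" * 4096)

    def put(offset, data):
        img[offset:offset + len(data)] = data

    put(0x200, b"constructed-wifi-pass")               # constructed test secret
    put(0x800, b"-----BEGIN RSA PRIVATE KEY-----\n")   # header only, no key body
    return bytes(img)


if __name__ == "__main__":
    secrets = {"wifi_password": "constructed-wifi-pass"}
    for finding in audit_flash_image(build_sample_image(), secrets):
        print(f"{finding['kind']} ({finding['encoding']}) at 0x{finding['offset']:04x}")
```

An empty result means only that these specific values were not found as plain text; it does not show that the image is encrypted.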
"Seriously, 90 percent of IoT devices are developed without security in mind. It's just a disaster," he wrote. "In my research, I have targeted four different devices: LIFX, XIAOMI, TUYA and WIZ (not published yet, very unkind people). Same devices, same vulnerabilities, and even sometimes exactly the same code inside."
Now, these particular bits of information exposed on these devices are not that damaging in themselves, though if someone wanted to, they could take advantage of them in several ways. What's important to note is the total lack of care that went into these devices – not just their code but their construction. They are really just basic enclosures around an off-the-shelf wireless board, with no consideration given to safety, security, or longevity.
These devices all proudly assert that they support Alexa, Google Home, or other standards.
In fact, in addition to all of them having essentially no security at all, one had its (conductive) metal shell isolated from the PCB only by a loose piece of adhesive paper.
As with any other class of electronics, there's always a pretty good reason why one is a whole lot cheaper than another. But in the case of a cheap CD player, the worst you'll get is skipping or a scratched disc. That's not the case with a cheap baby monitor, a cheap smart outlet, or a cheap internet-connected door lock.
I'm not saying you need to buy the premium version of every smart gadget out there – if you want to limit your own risk, a simple step you can take is to have your smart home devices and the like isolated on a subnet or guest network. Make sure your devices and your router are password protected, and take common sense measures like changing that password regularly.