IoT Security News - Wi-Fi Connected Water Heater Vulnerability

Published 2024-05-23
Louis Rossmann Video:
   • Wifi water heater can be activated by...  

Ars Technica Article:
arstechnica.com/gadgets/2024/05/how-i-upgraded-my-…


IoT Hackers Hangout Community Discord Invite:
discord.com/invite/vgAcxYdJ7A

🛠️ Stuff I Use 🛠️

🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB

🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx

🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb

About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.

- Soli Deo Gloria

💻 Social:
twitter: twitter.com/nmatt0
linkedin: www.linkedin.com/in/mattbrwn/
github: github.com/nmatt0/

#hacking #iot #cybersecurity #righttorepair #jailbreak

All Comments (21)
  • @freerice9595
    I had to do a triple take on your title. Wtf. Who in their mind would ever think they need wifi on their water heater
  • @Ravnegutten
    Ridonculous how far this IoT trend has gone; sounds like a good idea to get good at hardware hacking just to make some of these smart devices dumb again
  • @_..-.._..-.._
    The name alone: “internet of things” told me all I needed to know. 😂
  • @monad_tcp
    I remember trying to create API endpoints as a backend engineer for embedded developers, and I was astonished by their total lack of care for security. We're talking about sending (monetary) transactions over the internet; are you insane? Of course you need TLS. That was in 2016, and they were using a crap Microchip PIC32F or something like that, that wouldn't cut it. But worry not, I know that the radio link CPU is much more capable and I'll prepare a firmware for you. Me, a backend developer, able to create embedded software because the electrical engineers are just bad at embedded software engineering. He was using the SIM900 radio link (classic, also noob), and he thought he could just open a TCP connection by using some AT command and just send the transaction like that, in plain text. Then me, a backend developer, found out that the SIM900 is actually capable of doing TLS if you upgraded the firmware, then I just wrote the entire software for the guy and installed it on the CPU of the SIM900 and just sent him the firmware for him to upload into the SIM900. I found from the datasheet that the SIM900 can actually run some user applications if you provide them together with the firmware update, neat. Is that how they develop hardware? Always? If I were developing the product I would have chosen a better integrated application processor with the actual CPU/Modem/everything and would have done certificate pinning, but actually using the serial number of the modem as a key to authentication on the backend API. How hard would that be? Using the same credentials is insane; at least allow the user to change the password if you're going to use one. Using a serial number to activate the hardware into the API would require the backend to know the serial number of the devices manufactured, that would be a logistics problem to figure out how to make the factory send a list of the serial numbers they manufactured so I can input it into a database.
    Or maybe it can be activated by the factory themselves making a call to my API when they flash the firmware, they can do that, right? Otherwise how do I do QC? Heck, this is not even a problem: you can use a hash of the serial number, put it into the box you send to the user and let the user plug the hash into a web site where he can set his password. Then I can match the hash to the actual serial number and update the password for that device over the internet. The hash is to protect the serial number from being leaked on the internet. As the device would be sending it via TLS, only the user has the serial number and only the hardware has it, that guarantees the user owns the device and can safely set his password to the API. Every single Android phone works like that when authenticating to Google Play, they use a hash of the IMEI, that should be enough. Those embedded things have NO business being on the internet or ever talking to any API over the internet.
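The activation flow this comment sketches (the factory registers each serial number when it flashes the unit, the user types the code from the box into a web site to set a password, and the device then authenticates to the API with serial plus password over TLS), written out as an added Python example that is not part of the original page or of any commenter's code. Everything in it is constructed: the factory key, the serial number, the passwords, and the `Backend` class with its `register_from_factory`, `claim` and `authenticate_device` methods. TLS transport and the factory's authenticated channel to the backend are assumed rather than modelled. It departs from the comment in one respect, and says so in the code: the claim code is a keyed HMAC of the serial under a factory key rather than a plain hash, so that knowing or guessing a serial number alone does not yield the claim code.

```python
"""Device activation flow: factory registration, user claim, device auth.

Added example; the backend, keys and serials are constructed for illustration.
The device's TLS channel and the factory's authenticated API access are assumed.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed value; tune for the server's CPU budget


def claim_code(factory_key: bytes, serial: str) -> str:
    """Code printed on the card in the box for a given serial number.

    The comment proposes a plain hash of the serial; this example uses an HMAC
    under a factory key (assumption) so a leaked serial alone does not reveal
    the claim code. The digest is truncated only so it is short enough to type.
    """
    return hmac.new(factory_key, serial.encode(), hashlib.sha256).hexdigest()[:20]


class Backend:
    """In-memory stand-in for the cloud API described in the comment."""

    def __init__(self, factory_key: bytes):
        self._factory_key = factory_key
        self._by_code: dict[str, str] = {}                 # claim code -> serial
        self._creds: dict[str, tuple[bytes, bytes]] = {}   # serial -> (salt, pbkdf2 hash)

    def register_from_factory(self, serial: str) -> str:
        """Called by the factory when it flashes a unit; returns the card code."""
        code = claim_code(self._factory_key, serial)
        self._by_code[code] = serial
        return code

    def claim(self, code: str, password: str) -> bool:
        """Called from the user's browser with the code from the box.

        A code is usable once (design choice of this example): a second claim
        against an already-claimed serial is refused rather than overwriting it.
        """
        serial = self._by_code.get(code)
        if serial is None or serial in self._creds:
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._creds[serial] = (salt, digest)
        return True

    def authenticate_device(self, serial: str, password: str) -> bool:
        """Called by the device on each API request (serial + password over TLS)."""
        entry = self._creds.get(serial)
        if entry is None:
            return False  # never claimed: unclaimed hardware gets no API access
        salt, expected = entry
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, expected)


def demo() -> dict:
    """Run the whole flow with constructed values and return each call's result."""
    backend = Backend(factory_key=b"constructed-factory-key")
    serial = "SN-000123"                                    # constructed serial
    code = backend.register_from_factory(serial)            # factory flashes the unit
    return {
        "auth_before_claim": backend.authenticate_device(serial, "anything"),
        "claim_with_bogus_code": backend.claim("not-a-real-code", "pw"),
        "claim_with_real_code": backend.claim(code, "correct horse battery staple"),
        "claim_again": backend.claim(code, "someone-else's-choice"),
        "auth_with_password": backend.authenticate_device(serial, "correct horse battery staple"),
        "auth_with_wrong_password": backend.authenticate_device(serial, "guess"),
        "auth_with_serial_as_password": backend.authenticate_device(serial, serial),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running it shows the properties the comment is after: a device that was never claimed cannot talk to the API, the serial number by itself is not a credential, and the password is chosen by the owner rather than shared across every unit. The factory key and the claim-code database are the pieces the backend must actually protect; the example keeps them in memory only to keep the flow readable.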
  • @OBD01
    Louis is such an advocate for privacy and user rights. He really does try to tell the sheep about the wolf(s)
  • @mytechnotalent
    Wow that is wild Matt. I am not surprised with the current environment.
  • @brettlaw4346
    I think not including something like the chromebook's write protect screw is an oversight. Ideally, 2, one to completely disable connectivity and one to prevent firmware meddling over the wire.
  • @al73r
    This is awesome and scary. Btw I sent you a message on LinkedIn about an RFID IoT device. I dumped the bin
  • @DanGood122
    I see the potential for connected home appliances such as this, but there is no reason to put them on the internet. Have a local hub that handles connections via Zigbee or something. Local network access only for the hub (at a maximum, maybe even just USB updates), and it can have an interface that allows your web browser to push a signed update file from your PC to the device.
  • Hey bro you should explore smart TVs and fridges, curious to see what's possible haha. Saw this thing on the potential of bluetooth toothbrushes with redundant wifi cards.
  • @LordChariot
    These companies aren't going to stop until we start writing our own open source firmware for their devices to eliminate the live service dependencies. I would buy products from a company that supports this over one that does not.
  • @nezu_cc
    IoT and internet access don't mix. Sounds crazy, but having a device in your home permanently connected to "the cloud" (aka just somebody else's computer) should sound crazy. Anything "IoT" in my home has custom firmware if the manufacturer doesn't support offline connectivity (thankfully at least some do) and is on a separate VLAN with NO access anywhere else, including the internet. The only thing that can access that VLAN is Home Assistant.
  • @JamesColeman
    This is exactly why I personally buy hardware I can hack, with debug enabled. So I can write my own firmware and use it locally.
  • @ClumsyCars
    wifi water heater, and people wonder why everything costs so much and breaks so often.
  • @_..-.._..-.._
    Whooda thunk that a water heater company wouldn’t be really good at netsec?