


Privacy & security nightmares: Hacking smart toilets, smart toys, smart homes

Aug 04, 2013 (5 mins)
Data and Information Security, Enterprise Applications, Microsoft

From anywhere on the planet, a hacker could open and close the lid to your smart toilet, turn your child's smart toy into a covert surveillance device, or unlock the doors of your smart home.

Disregard for a moment why you would ever want to connect a toilet to the Internet to “record a toilet diary,” and instead ask why a person would hack a smart toilet. Because it’s there, it’s vulnerable, and it helps to highlight the new security risks associated with the web-connected smart devices that make up the Internet of Things.

Since the Japanese-manufactured LIXIL Satis smart toilet is extremely expensive, as much as about $6,000, and not readily available in the U.S., researchers at the security firm Trustwave reverse-engineered an Android app for the Bluetooth-controlled Satis. It has a hard-coded PIN of “0000,” according to the security advisory, and:

any person using the “My Satis” application can control any Satis toilet. An attacker could simply download the “My Satis” application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.

Although that hack is more of a prank, you might take the security risk more seriously if an attacker could secretly access the webcam in your child’s toy, capture video and then upload it to a remote server.

The toy in question is a Karotz plastic bunny that “can connect to the Internet (to download weather forecasts, read its owner’s email, etc.),” stated the bunny security advisory. It “can be controlled from a smartphone app and is outfitted with a video camera, microphone, RFID chip and speakers.” In fact, an attacker could “take control of it from a computer and remotely watch live video, turning it into an unwitting surveillance camera.”

Hacking smart houses

At the Black Hat Home Invasion v2.0 presentation, Trustwave researchers also covered more serious issues, such as how someone other than the home or business owner can unlock doors from anywhere in the world. As an example, Trustwave security researcher Dan Crowley took a random four-digit number from a hacking conference attendee and then changed the lock’s PIN. They also discussed security weaknesses discovered when testing a Belkin WeMo Switch, Linksys Media Adapter, Radio Thermostat, and Sonos Bridge.

Although one of the benefits of having a smart home is that you remotely control it via a smartphone, tablet or PC, that convenience comes with a plethora of personal security and privacy risks. During the Black Hat session [pdf slides], the researchers showed how the home automation gateways Mi Casa Verde Veralite and Insteon Hub have “vulnerabilities that, if not fixed, could result in covert audio and video surveillance, physical access to buildings or even personal harm.”

“The big risk is that a compromise could give you access to hundreds of thousands of homes all at once,” Crowley stated. “I could see that as an attack someone could actually use to launch a crime spree.” He added that if someone broke into your house, but there was no sign of forced entry, then how would you get your insurance company to pay?

Granted, the toilet hack is invasive but more like a prank. Yet an attacker could also seriously mess with a person’s mind by simply running a web search for smart homes with Insteon and then remotely taking control of the lights as if the house were “haunted.”

The potential for hacking smart homes and the Internet of Things, whether by exploiting network-connected toys, thermostats, wireless speakers, or automated door locks, will only continue to grow as more people adopt these technologies. There are plenty of privacy risks in addition to the security vulnerabilities, as their white paper [pdf] states:

There are also privacy concerns in the compromise of these devices. Compromise of a device with a built-in microphone or camera comes with the ability to perform audio and video surveillance. Compromise of a motion sensor could be used to determine when there are people at a physical location. Reading the status of door locks and alarm systems as could be achieved by compromising the VeraLite could be used to determine when the building in which it resides is occupied.

Legally, devices that store data on third party servers also enjoy a lower level of privacy protections due to the 3rd Party Doctrine. Many of the devices in this paper fall into this category.


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.