The D-Link DSP-W215 Smart Plug is a wireless home automation device for monitoring and controlling electrical outlets. It isn’t readily available from Amazon or Best Buy yet, but the firmware is up on D-Link’s web site.

the DSP-W215 contains an unauthenticated stack overflow that can be exploited to take complete control of the device, and anything connected to its AC outlet.

Being a SOAP-based protocol, HNAP is served up by a lighttpd server running on the smart plug,

Controlling a wall outlet can have more serious implications however

So, if you’ve left a space heater plugged in to the outlet and some nefarious person surreptitiously turns the outlet back on, you’re in for a bad day.

Incidentally, D-Link’s DIR-505L travel router is also affected by this bug

The D-Link DSP-W215 Smart Plug, a wireless home automation device for monitoring and controlling electrical outlets has just been hacked. Even though it isn’t readily available from Amazon or Best Buy yet, the firmware is already up on D-Link’s web site. The very well detailed write-up explains all the steps that led to this exploit creation.

The apps however, appear to use the Home Network Administration Protocol (HNAP) to talk to the smart plug running a lighthttpd server.

Another revealed that the firmware could accept an unlimited amount of POST request bytes which were copied in a fix length buffer without any performed checks.

What happens when your oven is on the Internet? A malicious hacker might be able to set it to broil while you’re on vacation, and get it so hot that it could start a fire. Or a prankster might set your alarm to wake you up at 3 a.m. – and what if someone gets access to the wireless security camera over your front door and uses it to gain access to the rest of your home network, and from there to your bank account? Not good.

Anyone who watches the procession of SCADA vulnerabilities, the exposures discoverable through the Shodan search engine, or the recent bugs popping up in cars, routers, home automation and (maybe) smart appliances knows that the Internet of Things is a security minefield.

participants have until June 17 2014 to put forward proposals for dealing with Internet of Things security

We’re connecting more of our world every day through smart, IP-enabled devices ranging from home appliances, healthcare devices, and industrial equipment. These new connected devices are offering new ways to share information and are changing the way we live. This technology transformation is what we call the Internet of Things (IoT) – and it is evolving daily.

With this in mind, Cisco is launching the Internet of Things Security Grand Challenge. We’re inviting you — the global security community — to propose practical security solutions across the markets being impacted daily by the IoT.

the Challenge offers up to US$300,000 in prize money

Belkin has published fixes for the flaws discovered by IOActive in its WeMo Home Automation system, and is urging users to download updated versions of its control apps from either the AppStore or Google Play.

As discussed by The Register yesterday, the bugs opened a wide range of holes in the kit, including opportunities to spread malicious firmware and gain unauthorised access to the home automation products.

The internet of things, smart home monitoring, and thermostats you can adjust from the web … all of these are things which are going to cause security problems, because most companies doing these kinds of things seem to completely ignore security, or when they try, still do a piss poor job.

I view the whole thing as a big “what did you expect?”.

Source:
http://it.slashdot.org/story/14/02/18/1756251/oops-security-holes-in-belkin-home-automation-gear

A fridge has been discovered sending out spam after a web attack managed to compromise smart gadgets.

The fridge was one of more than 100,000 devices used to take part in the spam campaign.

Uncovered by security firm Proofpoint the attack compromised computers, home routers, media PCs and smart TV sets.

The attack is believed to be one of the first to exploit the lax security on devices that are part of the “internet of things”.

About 25% of the messages seen by Proofpoint researchers did not pass through laptops, desktops or smartphones, it said.

Instead, the malware managed to get itself installed on other smart devices such as kitchen appliances, the home media systems on which people store copied DVDs and web-connected televisions.

About 25% of the messages seen by Proofpoint researchers did not pass through laptops, desktops or smartphones, it said.

Instead, the malware managed to get itself installed on other smart devices such as kitchen appliances, the home media systems on which people store copied DVDs and web-connected televisions.

Many of these gadgets have computer processors onboard and act as a self-contained web server to handle communication and other sophisticated functions.

Mr Knight speculated that the malware that allowed spam to be sent from these devices was able to install itself because many of the gadgets were poorly configured or used default passwords that left them exposed.

Summary:
Google intends to buy a connected thermostat that knows when you’re home and where you are within it. Given Google’s quest to index all the world’s information, this deal should jumpstart the conversation about privacy and the internet of things.

Google rocked the smart home market Monday with its intention to purchase connected home thermostat maker Nest for $3.2 billion, which will force a much-needed conversation about data privacy and security for the internet of things.

It’s a conversation that has seemingly stalled as advocates for the connected home expound upon the benefits in convenience, energy efficiency and even the health of people who are collecting and connecting their data and devices together through a variety of gadgets and services. On the other side are hackers and security researchers who warn how easy some of the devices are to exploit — gaining control of data or even video streams about what’s going on in the home.

But when a company like Google — which has had numerous run-ins over privacy in the U.S. and abroad — plans to buy a company that makes products equipped with motion detectors that track what’s happening inside the home, it’s time that conversation about privacy and the internet of things takes a step forward.

More information:
http://gigaom.com/2014/01/13/when-google-closes-the-nest-deal-privacy-issues-for-the-internet-of-things-will-hit-the-big-time/
http://gigaom.com/2014/01/13/the-winners-and-losers-in-googles-acquisition-of-nest/
http://investor.google.com/releases/2014/0113.html
http://gigaom.com/2014/01/13/breaking-google-acquires-digital-device-maker-nest-for-3-2b/
http://tech.slashdot.org/story/14/01/13/2256228/google-buys-home-automation-company-nest
http://www.theregister.co.uk/2014/01/13/google_buys_smart_home_device_builder_nest_for_32_beeelion_in_cash/
http://www.tietokone.fi/artikkeli/uutiset/googlen_suuri_yritysosto_nest_kalliimpi_kuin_youtube
http://www.tietoviikko.fi/kaikki_uutiset/google+alkaa+nuuskia+koteja+uusilla+vempeleillaan/a959351
http://techcrunch.com/2014/01/13/nest-says-customer-data-from-devices-will-only-be-used-for-nest-products-and-services/
https://nest.com/blog/2014/01/13/welcome-home/
http://recode.net/2014/01/13/google-acquires-nest-for-3-2b/
http://daringfireball.net/2014/01/googles_acquisition_of_nest
http://www.wired.com/business/2014/01/google-nest-buy/
http://www.theinquirer.net/inquirer/news/2322719/google-spends-usd32bn-feathering-its-nest
http://www.elektroniikkalehti.fi/index.php?option=com_content&view=article&id=833:google-panostaa-kotiautomaatioon&catid=13&Itemid=101
http://techcrunch.com/2014/01/13/nest-investors-strike-it-rich/?source=gravity
http://www.tietokone.fi/artikkeli/uutiset/googlen_suuri_yritysosto_nest_kalliimpi_kuin_youtube
http://www.mercurynews.com/business/ci_24834727/palo-altos-nest-labs-reportedly-raising-at-least
http://www.tietoviikko.fi/kaikki_uutiset/google+alkaa+nuuskia+koteja+uusilla+vempeleillaan/a959351

There’s been a lot of discussion recently around the changing face of manufacturing, the forces causing that shift, and how those forces are leading to a world that’s smart and connected — what some refer to as the Internet of Things (IoT). As defined by McKinsey & Company, the “IoT is embedding sensors and actuators in machines and other physical objects to bring them into the connected world.”

There are many ways that end-users and manufacturers alike can benefit from such a world. For example, the IoT lets businesses manage assets, optimize performance of those assets, and even create new business models from those same assets. But perhaps what’s most remarkable about this pervasive network of “things” is how much potential economic impact it carries.

A recent McKinsey Global Institute report, “Disruptive technologies: Advances that will transform life, business, and the global economy,” estimates that by 2025, the economic impact of the IoT could be as much as $5 trillion to $7 trillion. A similar Gartner report is a bit more conservative, but still estimates a whopping $1.9 trillion worldwide economic value impact from the IoT by 2020.

So where does that economic value come from? Certainly there are the cool IoT consumer use cases that everyone is familiar with.

Industry experts agree that one industry sector poised to see great IoT impact is manufacturing. The first point of economic impact is in how products are manufactured. The “Industrial Internet” rapidly increases the complexity of creating ever smarter, connected products. By closing the loop between early-stage engineering design activities, production processes on the plant floor, and the service organization, manufacturers can reduce errors, increase flexibility in how they manage late-stage engineering changes, reduce work-in-process, and, ultimately, accelerate new product introductions with products they’ll hope can be financially successful.

When you take it one step further though, that’s when things really start to get interesting. When you manufacture that smart, connected product, it can then give you back real-time data to help maintain and service it at optimal levels. Being able to maintain a product after the point of sale gives manufacturers a “digital umbilical cord,” which allows for remote visibility, where they can interact with products whenever and wherever.

Imagine if your washing machine itself were the diagnostician, as opposed to having to schedule a service man to come to your house to determine the problem — and then hoping that he has the right part in his truck

Today, all signs point to the value of the IoT. It’s here, it’s not going anywhere, and it has the potential for a multitrillion-dollar worldwide economic impact by giving manufacturers an opportunity to engage customers beyond the purchase, using service-based contracts to create a partnership built around product performance.