back to article I got the power – over your IoT power-point

The latest “your IoT security is rubbish” takes the world one step closer to “burn it all and try again”: a “smart” electrical outlet that's actually a whole-of-network attack vector. Edimax power points One of these things is a bit like the other. The Edimax SP-1101W with and without Bitdefender's obfuscation Bitdefender …

  1. frank ly

    Mitigation?

    Fail the third: Would a properly set-up firewall block that? What data does it send back to the mothership?

    Fail the last: I'd give it the Edimax e-mail address.

    Fail the continuous: Why do they think that any of this is ever a good idea? What do they want the data for anyway?

    1. Charles 9 Silver badge

      Re: Mitigation?

      "Fail the third: Would a properly set-up firewall block that? What data does it send back to the mothership?"

      Probably not if it uses an encrypted connected and mixes up the destinations, especially if they use legit IPs meaning you can't block them without collateral damage.

    2. VinceH Silver badge

      Re: Mitigation?

      "Fail the last: I'd give it the Edimax e-mail address."

      My take from that fail is that it wants more than just an address - the piece says "it demands the email account credentials" which I suspect means it's asking for access to an SMTP account in order to send those emails.

      1. PacketPusher
        Meh

        Re: Mitigation?

        Rather than blocking the destination, you can block the source. You can control what address the DHCP server hands out to it so you can block that address from the internet. That would stop the e-mails too.

        1. Anonymous Coward
          Anonymous Coward

          Re: Mitigation?

          "Rather than blocking the destination, you can block the source. You can control what address the DHCP server hands out to it so you can block that address from the internet. That would stop the e-mails too."

          What if it gets smart to that and changes its IP before doing it? Your router has to honor static assignments, too, and it COULD try to pose as an existing address.

        2. Darryl

          Re: Mitigation?

          Or just don't buy the damn thing and use a plug and/or switch like the unwashed masses have to deal with

  2. m0rt Silver badge

    I notice their website, http://www.edimax.co.uk/edimax/uk/, has a strapline:

    "30 Years of excellence - Your trusted partner going beyond your expectations"

    How true! We don't usually expect much from companies such as yourself, and you certainly exceeded these expectations.

  3. Anonymous Coward
    Anonymous Coward

    The problem

    is that the great unwashed will slurp all these pointless "toys" up because "its sooo cool to be able to turn the lights on and off from the other side of the planet."

    Gormless bastards being gormless.

    1. Anonymous Coward
      Anonymous Coward

      Re: The problem

      the bigger risk is that a "newspaper" will pickup on this story and demand the IT industry provide a fix for the gormless bastards being gormless ...

      1. m0rt Silver badge

        Re: The problem

        But we have a fix. We can just adapt a common solution to this particular case. "Just turn it off....."

        1. Stoneshop Silver badge
          Boffin

          Re: The problem

          The best fix for this device (in fact, for all Edimax crap) is to turn it off by applying sufficient kinetic energy by means of, for instance, a Fiskars X46. Do wear safety glasses.

          1. Anonymous Coward
            Anonymous Coward

            Re: The problem

            What if it has a component that could explode given sufficient kinetic energy?

            1. Kiwi Silver badge

              Re: The problem

              What if it has a component that could explode given sufficient kinetic energy?

              upload.youtube.com (you were videoing it, right?)

              1. Charles 9 Silver badge

                Re: The problem

                I don't have one, but I'm just warning that percussive destruction isn't a universal solution. For example, one would be wise to avoid doing this with a compressed gas container of any sort. You never know just how unknown compounds can react if forced together like that.

      2. ma1010 Silver badge
        Joke

        Re: The problem

        the bigger risk is that a "newspaper" will pickup on this story and demand the IT industry provide a fix for the gormless bastards being gormless ...

        A fix for idiots being idiots? Wow, that would really be something to see!

        Perhaps someone could take their cue from a Monty Python episode and sell brains people could strap on top of their heads before buying anything IOT related? (And maybe even before voting, dating and other various activities.)

  4. billse10

    when you said "power point", I was expecting a whole other class of evil ...

  5. MrT

    Where's the PowerPoint?

    We heard that you like power points, so we made a PowerPoint giving you all the information about our smart power points so you could give all your information away as you use the power point to power a projector projecting our PowerPoint.

  6. Rich 11 Silver badge

    Spiders

    may they be hassled by a thousand spiders

    Of the anus-infesting sort*.

    *Like a bubble sort, but much, much, slower and more painful to watch.

    1. Stoneshop Silver badge
      Devil

      Re: Spiders

      may they be hassled by a thousand spiders

      Of the anus-infesting sort*.

      The article's author is from Vulture South. No need for those spiders to crawl up particular places; their bite will be agonisingly painful (if not deadly) anyway.

  7. Anonymous Coward
    Anonymous Coward

    solution

    An initial solution might be to write a review on the Amazon product page with a link to this article?

  8. Chris King Silver badge
    Flame

    ClickyClickyClickyBANG!!!!

    I wonder how fast these things can turn the power on and off ? And have Edimax implemented any sort of rate-limiting to protect the device ?

  9. Anonymous South African Coward Silver badge
    Trollface

    Great security to be had with this and in combination with this SOHOpeless router : http://www.theregister.co.uk/2016/08/22/ioactive_turns_up_the_most_sohopeless_router_so_far/

    Who's up to test a combination of these two great toys?

    Bonus points for getting any IT security firm or IT security specialist to install these two on their network...

  10. hattivat

    (visits the website)

    "Edimax Pro - Enterprise Wi-Fi solutions"

    .........I'm out of witty comments at this point.

  11. Ian Menzies

    Why not get the SP-2101W

    OMG I want the Smart Plug Switch with Power Meter Intelligent Home Energy Management version please. Remotely manage via iDevice or Android and set rate limits :), what fun we could have setting everybody's rate limit to -1 then watch the confusion as all their toys suddenly turn off and refuse to start.

  12. Anonymous Coward
    Anonymous Coward

    It's about time...

    ...crap like this was regulated properly. It's only a matter of time before someone gets killed.

    If devices have to be certified to physical standards in order to be sold (CE, BS, ISO etc), why the hell shouldn't the firmware -and the ongoing support for at least a warranty period- be subject to at least some bloody straightforward standards. I can propose a very simple list as a starter, feel free to add any more...

    1. Doesn't use any hardcoded passwords that are common across all devices.

    2. Doesn't use default passwords that can be derived from the MAC address.

    3. Doesn't use insecure WiFi authentication (at least WPA2-PSK).

    4. Doesn't allow authentication in the clear.

    5. Doesn't allow inbound access through ports apart from those clearly defined and documented as required for the primary purpose of the item.

    6. Doesn't allow outbound access except to hosts and ports clearly defined and documented as required for the primary purpose of the item.

    7. Is hardened against simple common exploits (SQL Injection, CSRF, etc...)

    1. Anonymous Coward
      Anonymous Coward

      Re: It's about time...

      They could just do a Volkswagen: pretend to comply during the testing phase then go nuts afterward. And in the event they find out, have a quick exit to China ready beforehand so that you can put a hostile sovereign power between them and you.

  13. Walter Bishop Silver badge
    Facepalm

    Based on Fedora 7

    "Building Image OS: Fedora 7 (Fedora-7-i386-DVD.iso) - test ok" SP-2101W ..

    This is what happens when you get some unpaid intern in India to write your software.

    1. Charles 9 Silver badge

      Re: Based on Fedora 7

      Right. You also pocket the savings: enough to have an escape plan should you be found out.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019