App to Turn off Your Living Room Lights Woefully Insecure

The idea of turning lights on and off remotely might seem enticing, but make sure the software downloaded is properly secure.

(TNS) -- When Matthew Garrett recently ordered a cheap Internet-connected electrical socket on Amazon, he found significant security defects — flaws so severe they could also allow hackers to switch off many people’s lights at once.

“By default this is stupendously insecure,” wrote Garrett, a principal security engineer at San Francisco software company CoreOS, in a single-star Amazon review that made waves with those considering the product. “There's no reasonable way to make it secure, and if you do make it secure then it's much less useful than it's supposed to be.”

The idea of turning lights on and off remotely might seem enticing. With a tap of a smartphone app, people can virtually flick a switch from as short a distance away as the couch — or as far away as the Bahamas.

But adding connectivity to a wide variety of household objects has risks, experts say.

Researchers and vandals have proved as much by remotely shutting off Internet-connected cars, demonstrating that they can take over medical devices, and commandeering baby monitors to scream at toddlers.

In July 2015, for instance, the Food and Drug Administration published a warning about a specific drug infusion pump that, when connected to a hospital’s network, was vulnerable to cyberattack.

“If you go to RadioShack, you don’t think about an attacker controlling aspects of your home without your permission,” Garrett said in an interview. “But, honestly, at this point, many devices still fall into that category.”

Especially when it comes to cheap gizmos, the economics seem to favor novelty over security. For manufacturers, it’s about “pushing new products to market, versus slowing down and focusing,” said Patrick Heim, Dropbox’s head of trust and security.

Garrett’s scathing review of the socket — a small, sleek object called AuYou Wi-Fi Switch — sparked a response from the merchant.

A company representative said that if he didn’t remove his review, she would lose her job, according to emails Garrett provided.

The Chronicle was unable to contact the maker of AuYou Wi-Fi Switch through an email address Garrett provided for the company. Amazon did not respond to a message seeking the merchant’s contact information.

More than 1,900 people have viewed the review, and the product is currently listed as unavailable.

Smaller sellers with lesser-known brands are less likely to respond to problems when they arise, said security researcher Nitesh Dhanjani. They can only compete on price, he said, rather than infrastructure or expertise.

“They want you to purchase a simple device (and) hook it up to your home Wi-Fi and they don’t expect” customer service calls, he said. “Security causes an expense, people might forget the password, or call you and ask you for help.”

In 2013, Dhanjani said, he found security issues in Philips Hue smart light bulbs, which — like the AuYou Wi-Fi Switch — can be controlled over the Internet.

These bulbs were also connected to a remote server where their information could be intercepted, potentially allowing the devices to be manipulated.

Philips, said Dhanjani, quickly fixed the problem.

“We’re getting better,” he said. “But ... the security vulnerabilities that we’re finding are things that we learned over 15 years ago.”

A Philips Lighting company representative said that “security has been a key factor in the design of (its) Philips Hue” lighting system. (Philips Lighting spun off from its parent company in May.)

To avoid these risks, people can stick to unconnected appliances or rely on brand names, said Garrett, whose Oakland apartment is littered with similarly connected objects. Even then, as with any new category of electronics, unexpected problems may crop up.

“My advice is certainly don’t buy any of these,” he said. “But the problem is what kind of better advice can you give people, when even some of the brand-name stuff is not significantly better?”

©2016 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.