According to TheNextWeb (via [H]ardOCP), a Dutch woman named Rilana Hamer bought a small Internet-connected camera from a local store, with the goal of keeping an eye on her puppy while she was away from work. “I thought I was going crazy,” Hamer said in a public Facebook post. “I suddenly heard sounds in the living room. I walked up there and saw my camera move.”
The camera, purchased from a discount chain store called Action, apparently claimed to offer password protection so that its stream could not be snooped on. But the implementation was clearly cataclysmically flawed. The person controlling the camera began speaking to her, initially in French. Shocked, she disconnected the device, but later decided to set it up again to see if the same thing would happen twice. Within a minute, it did.
The problem here, I’d argue, goes beyond the specific security protocols of any single product. Manufacturers have fallen over themselves to push “smart” devices to market, with a heavy emphasis on making those products accessible, as opposed to making them secure. On the one hand, this makes sense. The more secure a product is, the harder it typically is to use, though good UI and strong default choices can bridge the gap here.
But many of these same companies are also interested in extracting useful data from their own devices that they can monetize and sell. Even companies that never attempted to turn a profit on customer data, like Roomba, now plan to do so. This gives companies two reasons to downplay device security: They want to exfiltrate as much data as possible, and they want to make connecting to your internet camera as easy as possible. Both goals are exactly the opposite of what you want a design team to be thinking about when they implement the security on an IoT device.
The takeaway here is to assume any IoT product is going to spy on you or steal something until proven otherwise. Sort of like Craigslist, where everything is a scam until verified otherwise. Much of the creepy shitty IoT crap is made in China, which should be a big red flag to anyone paying attention.