Are you building or planning the next generation of Web-enabled household appliances?

Is your company designing tomorrow's:

• Web-enabled refrigerators?
• toasters?
• ovens?
• heaters?
• air conditioners?
• other consumer gadgets which are Web-controlled but not for information processing?

Are you sure that your appliances aren't going to become big, fat, easy targets for hackers as soon as people start plugging them in?

Web enabling without adequate network security can result in an ordinarily harmless set of household appliance being OwnEd by script kiddies down the block.

The probable result is that a hacker will be able to make them interact in ways that can cause:

• serious injury
• death
• massive property damage
• theft / burglary

Hint: If your engineers add enough remote diagnostic and control features to your appliances to make them useful for the purpose of reducing your company's customer and field service costs, you can not figure that all the service docs labeled "Internal Distribution Only" will stay inside your company. Especially documents containing internal appliance URLs and explanations of "authorized personnel only" instruction sets intended to allow tweaking voltages and turning things off and on within the boxes.

It is more likely that they will be mirrored as .PDF files on every other "black hat" ftp site on the planet. It's your company's responsibility to customers to make certain that it doesn't matter who gets the documentation because the only way to access your products in the field is legitimately.

Fail in this responsibility and there will be plenty of plaintiff's attorneys ready to explain this to you in detail.

Even someone hacking into a dishwasher and discovering its patterns of usage might find out things the owner does not want public knowledge. Finding that dishes are washed twice a day normally but not for the last several days could mean that the users are on vacation and the coast is clear for the burglary or black bag job one has been waiting to do. In fact, once the security has been breached, having a "bot" query an appliance or set of appliances on a daily basis for whatever parameters are of interest would be possible. Imagine a burglar getting a daily list of places whose owners are probably on vacation based on reports generated by household appliances.

Read the antivirus.about.com article. I expect this to be the first of several articles that will run before these products become important. After these products become important, there will be plenty of news coverage of amazing new product failures followed by reports of multi-million dollar damage awards against the manufacturers. The hackers responsible will probably never be found, leaving your company alone in the courtroom in a sea of enemies, and very possibly, you on the witness stand.

I'll have more article links on the subject posted soon, ZDnet and the CRYPTO-GRAM security newsletter have recently commented on insecure Web-controlled hardware in the wake of the Code Red virus that among other things, targets Web-controlled Cisco routers.

Your company needs your web-enabled appliance design or concept checked over by an organization that:

1. knows how the Internet works as a network
2. knows how it is actually used by people, both normal and the dangerous kind
3. understands electronic / computer design
4. has enough mechanical background to understand
   • what physical variables are being measured and controlled and *why*
   • what to ask about with respect to repair history of previous non-Web versions of the item

The real bad news is that ReptileLabs consultants might be the hired guns.

It's up to you, but hiring ReptileLabs in advance might save your company a great deal of money, in damage judgments and in factory recalls your company won't need to make.

Contact Page.

• Web-enabled toilet. Neither the BBC nor Tynford are joking about this.
• IBM/Panasonic/Honeywell home networking standard. One of several, generally mutually incompatible.
• LG Electronics, better known as GoldStar in the US, has a Web-enabled refrigerator, washing machine, and microwave scheduled for introduction in 2002.
• Cisco /Whirlpool are collaborating on products. Hopefully, their joint effort will result in appliances both Web-enabled and Net-secure.
• Belkin UPS review. The UPS is Web-enabled with a mini-Web server running on the workstation it is connected to. NO security means that if the appllication is enabled according to the defaults on a workstation operated by the UPS and connected to the Internet, anybody who knows what page to connect to can shut down the UPS power to the workstation at any time if the firewall isn't set up to prevent it. I know this because I tested it personally (version 3.16i and the UPS is sitting next to my foot right now.

  UPDATE: I am delighted to report that Belkin finally got around to making the network password screen actually work. As of at least version 3.17.15, any attempt to directly access any page other than the main page with password goes to a page displaying "Authentication Error". The best news is that the most dangerous function, the ability to simply shut off power at the outlet to virtually unplug whatever is plugged into it has been disabled. If your UPS icon in the Systray (Windows) looks like a plug instead of a violet shield with UPS in small letters on it, if you actually want it Web-enabled, get the new version.

  The bad news is that they still haven't implemented SSL in the mini-server, i.e. passwords are transmitted from a remote browser in plain text ready for capture via packet sniffer. At least the ability to run an exploit against the box has been taken above the WebTV level. However, this problem wasn't corrected until a nasty review of the product was written and multiple e-mails to customer service. Thousands of these units are in the field, and if Belkin has informed its customers of the 'fix', I certainly didn't received the notification. Needless to say, my UPS is NOT Web-accessible.

• Even networking companies that are supposed to know what they are doing have been bitten by vulnerabilities that result from the use of non-secure Web mini-servers on their products. See the Cisco Web page on Code Red Cisco network hardware fixes.

ReptileLabs is not currently involved in any of these projects. These projects are just a sample of what's out there. Your default assumption should be that whether announced or not, all major manufacturers of household appliances are working on Web-enabled appliances. The "killer app" here is remote diagnostics running on appliances to reduce customer service and repair costs.

While improved customer convenience will be the marketing angle, I believe that improving profits and customer satisfaction concurrently will be the real reason why Web-enabled of appliance will become universal a lot sooner than even the most optimistic manufacturers expect.

I look forward as a consumer to the convenience and improved performance of these future appliances. The idea of having a field service representative get an automatic alert when my washing machine is about to go down and send me e-mail giving me a choice of dates and times for a service call, followed by a field rep showing up knowing exactly with exactly the right part impresses me as a good thing. The idea of being able to turn on a hot tub remotely and have it at exactly the right temperature when I get home impresses me as a good idea.

I can also lock down my own network and if I feel compelled, retrofit my own appliances for secure Web access. DON'T expect your customers to do this.

home page