The so-called internet of things was always a solution in search of a problem. The promise of an automated house that would behave just the way you like is one of convenience, set up so you “just don't have to worry about that.” Whatever “that” is, perhaps it needs some worrying about. Did I turn the coffee pot off before I left? This is something both to worry about and not worry about. The answer is: Finish your coffee and you will remember to shut the damn thing off. If you don't finish your coffee, you should not be going anywhere. Those moments of mindful contemplation over coffee at the start of the day are not a problem that needs solved. The actual problem being solved by a house that can be run remotely via a network is your boss's problem of getting more work out of you and not your problem of convenience.
Samsung took the internet of things idea so far forward it jumped back to the paleolithic age. In their urge to tighten modern society's ever deepening and granular surveillance regime they have brought us the internet gas stove, which is a fire you can supposedly ignore.
Fire was the first breakthrough technology humankind achieved. The use of fire may predate our ancestors being termed Homo Erectus. Home Erectus definitely used fire. There has not been definitive proof that Homo Erectus made fire rather than captured fire. Early modern humans definitely did make and control fire, and the use of fire lead to other technologies. We brought it with us to the cave, then to the tent, then to the hut, and then to the hearth which made the technology we cherish “home”. This changed us over time from gatherer-hunters to hunter-gathers to farmers to pastoralists to overstressed office cogs slurping our coffee and running out the door to be monitored, quantified, and berated by our bosses for our daily bread.
All along that evolutionary journey we also always knew, and Smokey the Bear always reminded us, fire is a dangerous tool that we should not turn our back on. Unless the hearth in your home is internet connected and made by Samsung. Then it is a damn dangerous high tech retreat down the evolutionary ladder done for profit.
I registered the outline of this monsterous retreat from being a Homo Sapiens a year ago in a home improvement store while helping my mother move. While getting things needed to hang pictures I chanced upon the most useless product to be put on the market since Gerald Ford. That product would be the internet aware range hood. I saw no need to turn a fan on in the kitchen from my phone, and I thought to myself as any modern hacker would “Can I install a Bitcoin miner on that thing?”
I filed that away until yesterday when I asked myself “Well can I?” So the initial investigation began. I investigated who makes the things in this past of the internet of things, what microcontroller is used, what communications and security protocols are used etc. In short, “Can I remote install a bitcoin miner in a huge number of range hoods and use their spare time to make myself rich?” What I discovered was foolish design assumptions bordering on reckless criminality. The internet of naughty dirty things had just bee transformed into the internet of damn stupid things.
I discovered that Samsung's internet aware range hood couples with their internet aware stove. I should have known about this years ago but I have not ever been shopping for a new stove. Stoves, in my proletarian universe, are classified “things that landlords grudgingly provide as required by law” not “things you spend more than the value of my car on.” The internet aware range and smoke hood are part of a product line that includes internet aware washers, dryers, refrigerators and toasters. Samsung lets me activate the toaster via the internet. There is no way to put the bread in the toaster via internet. There is no way to retrieve the bread from the toaster via the internet. There is not even a direct way to get the neighbor's toddler to stick a fork in the toaster and sell videos of the event on the internet. It is a useless invention. It is welfare for unimaginative minds with engineering degrees.
All of these things are part of the SmartThings(r) suite of products and connect to a “Smart Things” hub. Smart things are not as smart as they claim to be. There is a well known security vulnerability in the system, which Samsung promises to fix. They really do promise. They got a new bunch of engineers off the engineering welfare roles to make them a new set of even smarter allegedly smart things.
The weakness was revealed in 2015 in the German publication Heisse Online. It was a brief overview which I had to translate from German, but I will give the reader a summary. Smartthings works via Bluettooth protocol implemented via Zigbee chips. This is a communications method I first worked with in 2008 in a free extension course. The hackers demonstrated that they could connect to the hub by pretending to be a new device. The hub would then send the default encryption key via plaintext. This would be intercepted. The hackers demonstrated that they could unlock the so-called smart lock on the front door of a house using a laptop, a Zigbee, and a Raspberry Pi. A total of $400 worth of equipment (not counting the price of the getaway car) and a modicum of intermediate college level programing.
What is worse than sending default keys via plaintext is the encryption scheme itself. Smartthings is using 128 bit symmetrical encryption. This makes it weaker than the encryption protecting certain elections equipment, which has already been proven to be laughably weak. Symetrical encryption is especially vulnerable on a high traffic network to chosen plaintext attacks. It is an encryption protocol that would have been considered too weak in the 1970s.
Once an attacker has access to the network, it is trivial to compromise every device on it. They now do as their controller demands. The most likely scenario is that they behave normally when given a task and do something else when they are supposed to be dormant. An attacker with more resources can force a spoofed firmware update on every device and permanently control them until the electronic components were replaced with new ones from the factory.
More security holes were found in 2018. Samsung promised to fix those two and issued a patch later that year. I could find no word on the initial set of security of security holes being fixed like Samsung promised. Samsung is now up to a third version of their Smarthub product that sits at the center of this farce. A new vendor has been found. Yet they are still building from the old assumptions which is like adding a course to the meal in the Titanic's main dinning room without steering the ship. Everyone eats lobster until the lobsters eat everyone. New versions of the Smartthings suite will be backward compatible with the older versions in order to keep all the units they have shipped relevant. Thus the security flaw will be preserved by design.
Further investigation led me back to my initial question “Can I make it mine BitCoin?”. This is a profitable thing when someone else buys the hardware and pays for the electricity. The answer is kind of but not very well. These are not powerful micro-controllers and although I might be able to squeeze a BitCoin miner onto one, it would not be very fast or efficient. The solution to that is to take over many kitchens. Without market intelligence to tell me which homes are connected to the internet of stupid useless things via the auspices of Samsung, I would have to drive slowly around the suburbs at night. Were I to do that and stop at houses to hack them with my homemade equipment one by one, eventually I would be caught. In short, there will be no free BitCoin for me.
As I am a slightly paranoid fellow who has a tendency to say mean things about powerful people in public, I wondered if there was a way to use this functionality to harm me should I enter a home these “SmartThings” in them. Control of your gas stove, the hearth fire in your home, gives an attacker the ability to turn on the gas, leave it on, and then ignite it later remotely. A dissident political figure and their whole family could have a very unfortunate gas leak at a very fortunate time for a ruling party somewhere if this was the case. Luckily, it appears that these ovens have a pilot light and more importantly, a thermocouple that does not appear to be connected to the internet aware “brain” of the appliance. Thankfully thermocouples on pilot lights default to closing the valve rather than opening the valve. The lesson of leaving fires unattended from the stone age was not lost on everyone.
Samsung invested capital and time in putting this so-called functionality into people's homes. They built a product they need to convince you to want that is of at best moderate usefulness. They are in business to make a profit and thus this product must produce money for them somehow. It does this by spying on you for them. Samsung knows when you cook, how much, how long, what's in your fridge, how you like your bagels, when you wash you clothes, when you cook steak as opposed to boil vegetables, and a host of other inferences can be made from knowing the constant state of your appliances and linking that with you internet habits and your phone number and address. The data about you is the product that they are selling, and you are producing it for them in volume. You pay for the privilege of creating data that is used to push advertise you more products that you did not want enough to go shopping for.
As Samsung sells your data, it in turn becomes a business record of Samsung. Thus it is available to law enforcement and the intelligence community. Because of Samsung, the NSA knows how you like your eggs, and they can make that data point available to the FBI or local police if you are considered some kind of dissident. All of this is easily prevented by using a less expensive non-internet aware appliance and not walking out of the house with food on the stove, just as our caveman ancestors did for literally millions of years. This means that niether Samsung nor the NSA knows what you had for breakfest, at least if you don't mention it on the phone. What happens in the microwave stays in the mircowave, unless your microwave is part of Samsung's internet of damn stupid useless things.