
Beware the trashed connected objects

January 30, 2019.

Gadgets and gizmos have gradually worked their way into our homes. When they break down or need upgrading, we discard them. But there are unforeseen hazards to throwing out (or recycling, if you have a green conscience) a connected object such as a light bulb or a camera. Even without an electrical current or a connection to the internet, these gadgets hold important information, such as your Wi-Fi network’s password. Because these objects are all too often developed without much concern for security, these data are usually unencrypted (shocked gasps).

For example, Limited Results dismantled a “smart” bulb, the LIFX Mini White, which is sold by Best Buy, Amazon, Apple Store, etc., for US$20-25. The writer discovered, among other vulnerabilities, that the Wi-Fi password was stored unencrypted in the flash memory. What’s worse, the SoC that was used, an ESP32, can encrypt the data in the flash memory, which means the designers were just careless. “Seriously, 90 percent of IoT devices are developed without security in mind. It is just a disaster,” wrote Limited Results in an email to TechCrunch. “In my research, I have targeted four different devices: LIFX, Xiaomi, Tuya and Wiz (not published yet, very unkind people). Same devices, same vulnerabilities, and even sometimes exactly same code inside.” TechCrunch’s reporter suggests putting this kind of device on an isolated subnet or a guest network. One commentator adds, “The best way to avoid problems with IoT gadgets is to leave them in the store.”
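A device maker or owner can check for this weakness before a product ships or is thrown away. The following is an added example, not code from Limited Results or TechCrunch: it searches a flash image of your own device for credentials you already know and flags written blocks whose entropy is too low to be encrypted. The function names, the 4096-byte block size, the 7.0 threshold, the file name dump.bin and the sample dump are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # scan granularity; assumed to match the flash sector size

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for encrypted data, far lower for plaintext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def find_plaintext(dump: bytes, secrets: list) -> dict:
    """Map each known secret to the offsets where it appears unencrypted."""
    hits = {}
    for secret in secrets:
        offsets = set()
        for encoding in ("utf-8", "utf-16-le"):
            needle = secret.encode(encoding)
            pos = dump.find(needle)
            while pos != -1:
                offsets.add(pos)
                pos = dump.find(needle, pos + 1)
        if offsets:
            hits[secret] = sorted(offsets)
    return hits

def low_entropy_blocks(dump: bytes, threshold: float = 7.0) -> list:
    """Indices of written (non-erased) blocks that do not look encrypted."""
    flagged = []
    for start in range(0, len(dump), BLOCK):
        block = dump[start:start + BLOCK]
        if block.count(0xFF) == len(block):  # erased NOR flash reads as 0xFF
            continue
        if shannon_entropy(block) < threshold:
            flagged.append(start // BLOCK)
    return flagged

def constructed_dump() -> bytes:
    """Constructed sample: one encrypted-looking, one erased, one plaintext block."""
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(BLOCK // 32))
    config = b"ssid=HomeNet-EXAMPLE\x00psk=correct-horse-EXAMPLE\x00"
    return random_like + b"\xff" * BLOCK + config + b"\xff" * (BLOCK - len(config))

if __name__ == "__main__":
    dump = constructed_dump()  # hypothetical real use: open("dump.bin", "rb").read()
    print(find_plaintext(dump, ["HomeNet-EXAMPLE", "correct-horse-EXAMPLE"]))
    print("blocks that look unencrypted:", low_entropy_blocks(dump))
```

A clean result is one with no plaintext hits and no low-entropy written blocks; the entropy check is a heuristic, since compressed data also scores high without being encrypted.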

Limited Results, “Pwn the LIFX Mini white.”

TechCrunch, “Cheap Internet of Things gadgets betray you even after you toss them in the trash.”