Surprising Security Risks Found in Some of our Favorite Connected Devices
It’s hard to hear when a connected device that has given you so much joy, is found to have a software vulnerability that is easily exploitable. Even worse when it’s riddled with them. In this blog we highlight the software vulnerabilities that exist in some widely used connected devices.
The bottom line – you have two choices. Either you move-on-up and upgrade with a more updated and secure device or move-on-out and stop using it altogether.
Okay, consider yourself warned, here’s the list…
1. Don’t break a sweat over your Peloton
Has that Peloton of yours helped you stay sane over the long gruelling months of coronavirus lockdowns? Well, unfortunately that home fitness routine may need to be replaced with another one. A recently disclosed vulnerability was found on the Peloton Bike+ which can provide the hacker with access to your bike. By having either physical access to the bike or access to any point in the supply chain, the hacker could get remote root access to Peloton’s tablet. The vulnerability would make it possible for the hacker to install malicious software, intercept traffic and your personal data. But more than just exposing data, the hacker could also gain control of the bike’s camera and microphone over the internet. To make matters worse, the same vulnerabilities are on the Peloton Tread exercise equipment too.
Peloton’s wide customer base makes this vulnerability particularly significant. Estimated to have 4.4 million members on the platform, Peloton experienced a surge in sales during the coronavirus period, where sales grew 22% between September and the end of December 2020. While Peloton’s high-end luxury equipment provides users with great convenience and a top range of features in which to stay fit and healthy, many of those users are unaware of the risks that their IoT fitness equipment poses to their online security and privacy.
2. The stealth that gets you ThroughTek
Does that CCTV you just installed give you a sense of confidence that all is protected? Well, there is no denying the irony of the device you’re using for physical security is a gateway to undermine your cyber security. A new vulnerability was discovered in the software component of a company called ThroughTek. The component is used by many manufacturers, as part of their supply chain that provides consumer-grade security cameras, smart doorbells, baby monitors, and CCTVs. It is approximated that this component is found in over two million connected devices, impacting brands such as HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM, being just a few.
ThroughTek’s P2P Software Development Kit (SDK) provides remote access to audio and video streams over the internet. The risk of using cameras with this vulnerability is that it provides unauthorized access to confidential camera footage. For critical infrastructure operators, this could reveal sensitive business intelligence, employee information, and physical production processes. Oops and there goes the security of your physical premises!
3. No trifle for your Trifo
The Trifo robot vacuum cleaner comes highly recommended, but we’re not sure it’s worth it considering the security risks it brings into your home. In 2020 the connected vacuum cleaner was found to have several high-severity flaws that expose the device to remote attacks. These included a denial of service (DoS) attack that shuts down the vacuum and a hack that allows adversaries to snoop into the victim’s home through the embedded camera. The device and its security flaws were featured in a report by security company Checkmarks, which caused significant brand damage to Trifo.