MacInTouch Amazon link...

Internet of Things (IoT) security issues

Channels
Security, Products, News
The inverter(s) I am guessing will use a power-line-like communication over your household wiring, which this kit picks up for display.
I have a solar edge inverter, and it gets its data from the solar panels it is directly connected to and from the connection it has to your main electricity supply (including a loop that goes around the incoming mains electric cable). It doesn't need to have powerline-type communication; the only communication is over wifi.
 


I have a solar edge inverter, and it gets its data from the solar panels it is directly connected to and from the connection it has to your main electricity supply (including a loop that goes around the incoming mains electric cable). It doesn't need to have powerline-type communication; the only communication is over wifi.
Any thoughts about whether this device should raise concerns regarding network security? I have not had clarification on this from Solaredge. I suppose it is like any other device connected... phones, tablets..., but it is yet another device having somewhat unknown characteristics to me, so therefore a bit dubious. 8-|

OK, maybe paranoid, but I feel like unplugging the monitoring device at night when I do online banking ... feel free to disabuse of this notion if it's unwarranted. ;-)
 


Ric Ford

MacInTouch
Any thoughts about whether this device should raise concerns regarding network security?
Pretty much any device raises concerns about network security nowadays. One reasonable approach is to isolate such devices from your main computer network, for example, by using a completely separate router, or an isolated "guest" network, if such is available in your router.
 


Well, basically it is talking to the internet. The converter talks to the wifi kit at the modem and uploads data to a remote server on the web, which we would access via a login account. I am waiting for word from Solaredge to clarify any issues. My concern is sort of based on the new articles about home monitoring systems like Nest, which are being hacked. This is over my head – networks were never intuitive to me. I think there is something pertinent with whether this device is an outbound data generator or allows inbound data** ... but does it operate completely independently? I would think all data transferred has some potential of being sifted through the device, or the device allows a back door entry point. Like I said... over my head.
John, you have it right. I have a SolarEdge converter and WiFi kit to monitor my solar collection using the SolarEdge app. The solar system provider also has access to my SolarEdge collector box, but my experience has been that I detect first if a panel is underperforming or a panel inverter is broken, and then I notify the provider. The app only collects panel kWh; my experience has been outbound data only unless SolarEdge app upgrades also include firmware updates. Never bothered to check details.
 


John, you have it right. I have a SolarEdge converter and WiFi kit to monitor my solar collection using the SolarEdge app. ....The app only collects panel kWh; my experience has been outbound data only unless SolarEdge app upgrades also include firmware updates.
I talked to an installer recently, and he claimed that there were two types of Solaredge connections – one uses WiFi and goes through your home router, and the other uses a cellular modem. It seems to me (in otherwise total ignorance) that the cellular modem might be preferable, as it is then outside my home network. Anyone have experience or thoughts about this?
 


I talked to an installer recently, and he claimed that there were two types of Solaredge connections – one uses WiFi and goes through your home router, and the other uses a cellular modem. It seems to me (in otherwise total ignorance) that the cellular modem might be preferable, as it is then outside my home network. Anyone have experience or thoughts about this?
I have determined that I could create a guest access on my modem per Ric's earlier comment.

I have not yet been able to determine, from SolarEdge support slow to respond, any option for the device installed to utilize wifi connectivity rather than ethernet cable connection to the modem.

I can imagine why they opt for the wifi version rather than cell version though – cell service cost, and reliability of the connection.
 


I talked to an installer recently, and he claimed that there were two types of Solaredge connections – one uses WiFi and goes through your home router, and the other uses a cellular modem. It seems to me (in otherwise total ignorance) that the cellular modem might be preferable, as it is then outside my home network. Anyone have experience or thoughts about this?
Modern apnea treatment CPAP devices report back to the mothership. I refused to get one that did so via WiFi, but the one I did get used cellular. I drew the same conclusion: that it was better to have a device off-net than on.
 


It depends on how you choose to define the term. All networked devices receive packets from elsewhere (a transmit-only device is generally not useful unless it is purely a data-collector). The real question is whether it must receive unsolicited inbound data – that is, accept data it didn't ask for or accept an inbound connection it didn't request. And, no, devices don't need to do this in order to support firmware updates. They can instead send requests (a.k.a. "phone home") to check for updates and initiate the download when they are available. They can either do this on a schedule or only when you explicitly ask them to, which is definitely safer than keeping an open port for a remote server to connect through.
I have a SolarEdge StorEdge inverter used with 32 solar panels and an LG battery system. The master inverter does talk to the 32 panels via signals sent on the DC wiring that connects them. There is a separate module, called a data logger, connected to the inverter. That has a wireless connection to a device called a Zigbee in another part of the house, which then connects via Ethernet to our Internet router.

The Zigbee is a device that can also function as a hub for other IoT devices, but I haven't made any other connections yet. But that generic Zigbee capability might be a potential vulnerability.

SolarEdge does have the ability to download firmware updates to the inverter and monitor the system operation, so there is some two-way handshaking going on there.
 


Just to add further to the Zigbee issue and customer support.... I was able to have a brief conversation with support. The basic gist was: please get back to me on my previously emailed queries, but I was able to note that the representative's basic understanding was
'hmm, right, I haven't really thought about that, but I have not heard of any security issues.'

I also recall browsing their terms of service notes, which included a hundred sub-programs and coding components of all sorts and from various repositories and open-sources, which, in my naive view, could all have their own vulnerabilities.... (Well, so does an iPhone I guess...).

Kind of still like the proverbial Wild West, with all its swingin' double half-doors into the saloon of the IoT
;-)
 



We are having a solar panel system array installed, and one of the accessories for the SolarEdge converter is a wifi kit, which allows our access to internet to view energy production monitoring/performance.
Does this introduce network security concerns?​
Backdoor access to the home network?​
Vulnerability by hackers?​
Compromising security of data over the network, like log-in data?​
One basic, duh, thing you should do, as on any wi-fi appliance, is change the default name and password. I bring this up, because it was like pulling teeth to get the info out of our solar inverter manufacturer on how to do that basic security thing.
 


Some light timers (the kind that auto-vary on and off times) and a Honeywell programmable thermostat are all the home automation I need. It really isn't a big problem to use analog light switches to adjust the room for TV viewing. And I'd rather do that than install devices that endanger the security of a home network.

That said, I do have a few surviving X10 devices. They're still available, and local-only.

"Home Assistant" is an updated way to build a true smart home that's can be independent of the Internet, integrates standard components, and may be less expensive than full-proprietary systems.
Hometech Hacker said:
Why Home Assistant is the Perfect Smart Home Hub for Me
Home Assistant runs locally and whenever possible uses local APIs to control your smart devices (not all devices expose a local API). You don’t need to log in to a cloud account to use your own smart hub. This keeps your data on your local network, and not exposed to mining and exploitation. You also aren’t subject to delays and latency of commands that have to go to the Internet and come back, making your automations snappier. You can still choose to integrate with cloud services and Home Assistant will integrate in a secure way.
Home Assistant said:
Home Assistant Main Page
Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server.
 


Ric Ford

MacInTouch
What could possibly go wrong with a "smart" TV?
BleepingComputer said:
FBI Recommends Securing Your Smart TVs and IoT Devices
The U.S. Federal Bureau of Investigation (FBI) recommends making sure that Internet of Things (IoT) devices and smart TVs in your home are properly configured to protect them and your other devices from potential attackers.

FBI's recommendations come after a long stream of malicious campaigns targeting such devices [1, 2, 3, 4, 5, 6] that usually are unsecured, to either add them to large botnets or use them as a stepping stone in multi-stage attacks aiming for other devices like smartphones and personal computers.

This advice aims to help you build a digital defense around your smart TV and IoT devices to protect your sensitive personal and financial information, seeing that they are easily reachable as they usually come with an Internet connection enabled by default.

"Unsecured devices can allow hackers a path into your router, giving the bad guy access to everything else on your home network that you thought was secure," the FBI Portland Office says.

... The following guidelines should have you covered if you own an Internet-connected smart TV according to the FBI:
• Know exactly what features your TV has and how to control those features. Do a basic Internet search with your model number and the words “microphone,” “camera,” and “privacy.”​
• Don’t depend on the default security settings. Change passwords if you can – and know how to turn off the microphones, cameras, and collection of personal information if possible. If you can’t turn them off, consider whether you are willing to take the risk of buying that model or using that service.​
• If you can’t turn off a camera but want to, a simple piece of black tape over the camera eye is a back-to-basics option.​
• Check the manufacturer’s ability to update your device with security patches. Can they do this? Have they done it in the past?​
• Check the privacy policy for the TV manufacturer and the streaming services you use. Confirm what data they collect, how they store that data, and what they do with it.​
 


What could possibly go wrong with a "smart" TV?
The new buzzword is "micro segmentation", as some networks systems folks used to depend on VLANs. Not anymore. Think of VLANs as a coarse segmenting and micro-segmentation as a very fine, granular segmenting. This article is almost two years old but may explain it better.
NetworkWorld said:
The average user will not know how to set up a VLAN or that most home-grade routers and switches are not capable. When I mention subnetting, I get that "dog head tilt" look from users.

Creating virtual LANs for putting IoT on is wise but complicated, as remote access from application can cause issues, if at all feasible. Setting up micro-segmented networks for home just for IoT requires more resources than provided to customers, let alone the average home user who wants Alexa to lower the shades, set the thermostat, check the supplies in the fridge and adjust lighting.

What is needed is a home router system that is extendible, adaptable and easy to configure – but also feature-rich for more advanced setup. Vendors need to up the security on their IoT devices, and I'm certain that isn't going to happen unless customers demand it (see wallet).
 


Some light timers (the kind that auto-vary on and off times) and a Honeywell programmable thermostat are all the home automation I need. It really isn't a big problem to use analog light switches to adjust the room for TV viewing. And I'd rather do that than install devices that endanger the security of a home network.
That said, I do have a few surviving X10 devices. They're still available, and local-only.
"Home Assistant" is an updated way to build a true smart home that's can be independent of the Internet, integrates standard components, and may be less expensive than full-proprietary systems.
I’ve been using OpenHAB for several years with similar results.
 


One basic, duh, thing you should do, as on any wi-fi appliance, is change the default name and password. I bring this up, because it was like pulling teeth to get the info out of our solar inverter manufacturer on how to do that basic security thing.
Thanks for your comments.

It appears that the set-up configuration is not a customer-configurable option. We can log in to monitor but have no access privilege to set up settings.

Yes, the manufacturer, SolarEdge, is un-responsive. In fact, at this point they seem to be booting my emails back as attempted spam and simply ignoring them. I do have nominal acknowledgement by my solar installation contractors but no definitive comments or follow-up regarding security measures employed on the settings, such as you suggest... which I will inquire about when I communicate again.
 


I might suggest you consider a different inverter manufacturer and style. I currently have a 25-panel system that uses micro-inverters from Enphase. Each panel requires one, and they all feed back to a combiner (Envoy).

The Envoy communicates your power production and usage either to your internal network (via WiFi or ethernet) or, in my case, a cellular modem directly to Enphase. If you use a cellular modem, you just monitor your system via ether a web browser or an iOS app. This is a much more secure approach in my opinion.

The cellular modem only updates every six hours, but that is probably for the best, as I would be monitoring it all the time and would get nothing done.
 


I might suggest you consider a different inverter manufacturer and style. I currently have a 25-panel system that uses micro-inverters from Enphase. Each panel requires one, and they all feed back to a combiner (Envoy)....
Well... replacing components of our brand-new system would not be practical at this juncture... To digress: due to some initial glitches in the system, if it turns out there's a "lemon" going on, while we are still well ensconced in the warranty period, we could address system components choices. ;-)

I think our installer is actually in the same boat with regard to getting responses from the manufacturer (of things - MoT?) with regard to my initial inquiries and new ones...

It seems apparent that the installation contractor does not have privileges to access the system performance logs, other than, perhaps, the general displays that I, too, can access. They don't have access to system settings, re-configuring i.e. renaming and password options...

SolarEdge does advertise the option of cell modem monitoring. I have made inquiries, but there seems a delay in customer service response, as earlier mentioned.
 


SolarEdge does advertise the option of cell modem monitoring. I have made inquiries, but there seems a delay in customer service response, as earlier mentioned.
We have a SolarEdge inverter with the cell connection kit. That was just the default offered by the installer. Yes, there is a nominal cost for the cell connection. I don't have the contract in front of me right now, but it was very small... less than a rounding error in the overall installation cost for a 5-year cell connection. The installer then covers the first renewal (10 years total), and after that we are on our own.

I knew there was an Ethernet option, but since our inverter is mounted on the exterior of the house, it was a little more completed to run cable to it. I don't recall if we were aware of a WiFi option, but even that could be troublesome if you have to update the inverter whenever you change your WiFi password, sell you house, etc. The cell connection with the very low costs was the best choice for us. And while we didn't consider the security aspects of it (since we never considered Ethernet/WiFi), the cell connection has that added benefit.

We haven't really had any issues, that I've noticed, with cell connectivity, except once when SolarEdge pushed an updated and for some unknown reason the cell connection stopped working (no issues with electricity generation). Our installer came out and rebooted the system, and all was fine except for the gap in data while the cell connection was down. We've had the system for 6 months now, and that's been the only hiccup, and for the first couple months I was logging into the dashboard multiple times a day to see how our new solar panels were performing, so I would have noticed any other communication issues.
 



Ring has blamed this very disturbing encroachment on the user for not setting up 2FA, despite numerous other invasions around the US....
For my "peace of mind" I have no IoT devices at all. Because, although the IoT manufacturers want to desperately hide this fact, the truth is anything the end user can do, everybody else on the Internet can do. Nothing is secure. So to quote "War Games", "The only way to win is not to play."

How long I'll be able to buy major and even minor appliances and not have them somehow connect to the Internet or cell towers, I don't know. But I'll resist as long as I'm able. Just trying to defeat my smart TV from spying on me is challenging enough, but in that case at least I get streaming services for my trouble.
 


Ric Ford

MacInTouch
Ring has blamed this very disturbing encroachment on the user for not setting up 2FA, despite numerous other invasions around the US....
More about Ring abuses...
Ars Technica said:
Wave of Ring surveillance camera hacks tied to podcast, report finds
A series of creepy Ring camera intrusions, including one where a stranger sang to an 8-year-old child and said he was Santa Claus, may be linked through a forum and associated livestream podcast, a new report finds.

... In all the cases, the residents stopped the intrusions by unplugging or removing the batteries from their devices, successfully cutting off access to them.

... Cheap tools for accessing Ring illicitly are plentiful and easy to get, reporters for Vice Motherboard found yesterday. The reporters also found a reason so many incidents using those tools are popping up all at once: the NulledCast.

The NulledCast is livestreamed on Discord, Motherboard explains, and it's connected to the forum (also called Nulled) where the tools for accessing Ring cameras are sold and traded. Motherboard continues:
"Sit back and relax to over 45 minutes of entertainment," an advertisement for the podcast posted to a hacking forum called Nulled reads. "Join us as we go on completely random tangents such as; Ring & Nest Trolling, telling shelter owners we killed a kitten, Nulled drama, and more ridiculous topics. Be sure to join our Discord to watch the shows live."
 





The timing on this is ironic, as when I logged into my Ring to update the password (I had no password found in my 1Password app!) and reset it, it now asks for 2FA (phone, etc).

I do believe that Amazon (Ring) was correct that the issue was as much Amazon's fault that compromised breaches, re-used passwords (a no-no) and associated email were used, along with SHODAN or other tools in the wild. Amazon (Ring) has 2FA now, but it did not when I created my Ring setup, which was over iPhone app, not at computer/browser. Now that I reset my Ring credentials (1Password-generated), unless Ring's servers are breached, no one should get into my camera (plus I put it on a subnet, which is another story).

Which brings me to: companies should not use your email as a login. All merchants should be default Guest and not retain your info. If you place an order, it can email you, but it should not create an account to blast you, subscribe you, etc. It can tie your order number to your billing info (but not retained payment info). It goes with my complaint that it should be illegal for them to retain your email, along with some websites not allowing any access without you accepting cookies or having Javascript enabled. If companies like Home Depot, Network Solutions, Equifax, etc., cannot secure your info, what gives them the right to keep it?
 


Which brings me to: companies should not use your email as a login. All merchants should be default Guest and not retain your info.
Never going to happen. Buying and selling customer data is simply too valuable. Plus, merchants like being able to tie sales to specific customers to figure out how much to accommodate them when things go sideways.

Suggested alternative: create a separate email address for every merchant, either by setting up a domain with a catch-all account or some of the other options out there. Then ban the ones that resell or otherwise abuse your trust.
 





As unhappy as I am about people having their privacy invaded, I am hopeful that something good will come out of this [Ring fiasco], namely better awareness and a kick into the backside of industry to address the gaping security holes. Some do this better than others.

For example, while the default wifi password for a Arris gateway I recently played with is random (and affixed as a sticker on its side), the password and login for console access was not (admin/password). It does beg the question why not randomize both?

The benefits of security are likely weighed at each company with an eye on implementation frustration. Make good security too difficult for the "average" home owner to set up, and the support boards / call centers / etc. will light up, followed by negative reviews. Make it non-existent, and support becomes easy until the whole thing is hacked.

It will be interesting to see if more companies follow down the same path as the likes of Gryphon to offer internet gateways with mesh capability, etc. as well as allegedly easy-to-use parental controls and security features... all on a post-hardware-acquisition software service subscription basis, of course... but they allegedly will tame even the naughtiest of iOT hardware.
 



Ric Ford

MacInTouch
More on Ring:
Ring lacks basic security features, making it easy for hackers to turn the company's cameras against its customers.
Here's more trouble with Ring privacy/security:
BuzzFeed said:
A Data Leak Exposed The Personal Information Of Over 3,000 Ring Users
The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”

Using the log-in email and password, an intruder could access a Ring customer’s home address, telephone number, and payment information, including the kind of card they have, and its last four digits and security code. An intruder could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user’s cloud storage plan.
 


The latest episode of the "Smarter Every Day" YouTube channel explains a hack to penetrate voice-activated IoT devices using a laser. Anyone who still thinks a "smart home" is a good idea should watch it.
 


The latest episode of the "Smarter Every Day" YouTube channel explains a hack to penetrate voice-activated IoT devices using a laser. Anyone who still thinks a "smart home" is a good idea should watch it.
This has been previously reported. It's not as big a deal as pundits would have you believe.

In order for this "hack" to work, you need to aim the laser directly into the device's microphone element. These mics are typically on the top of smart speakers, not on the sides. So unless you like running your device horizontally (and aimed out a window), you really shouldn't have much to worry about.
 


Disclaimer: I'm a very happy user of Wyze cameras. I chose Wyze cameras because their software is developed by Wyze.

Wyze suffered a data leak that was first reported on December 26. Wyze's blog is very informative about what they know and what they're doing:
Wyze said:
Twelve Security first published this:

followed by this:

I think the Twelve Security articles are short on facts and full of hyperbole and conjecture. Sadly, Engadget regurgitated what Twelve Security said without fact-checking:
 


Ric Ford

MacInTouch


I've been a very satisfied Wyze user (3 cameras, 2 smart bulbs). Although I think the breach is significant, I also think the company's information flow about it has been excellent and deep.

User emails being released could prompt phishing, and that's a pain. But, to me, the more serious problem could be the release of SSID names of wifi networks... and the user-created names of individual devices (cameras, bulbs, etc.) Seems like bad actors might be able, somehow, to search for common device names (such as "door camera") and use them for nefarious purposes if they can link email addresses associated with those names to home addresses and then to wifi network names.

Makes me think those bits of user data maybe should be encrypted in their database. Or stored separately from user account info.

Passwords, apparently, were not compromised.
 


…But, to me, the more serious problem could be the release of SSID names of wifi networks... and the user-created names of individual devices (cameras, bulbs, etc.) Seems like bad actors might be able, somehow, to search for common device names (such as "door camera") …
Relying on SSID or device names to be secret is not good security practice (security through obscurity). Decent encryption and secret keys are the way to go.
 



Amazon disclaimer:
As an Amazon Associate I earn from qualifying purchases.

Latest posts