CE Pro Blogs

Hammacher’s DIY Lighting Control Screams, ‘Come Hack Me!’

Hammacher Schlemmer advertises $150 Internet-of-Things light and appliance controller that requires wireless router with port forwarding.



Hammacher Schlemmer IoT lighting controller opens ports to hackers.

The Smartphone Light And Appliance Controller from Hammacher Schlemmer “enables remote control of lights and appliances while you are away from home using a smartphone connected to the Internet.”

For $150 you get the tiniest configuration/control hub with one very ugly wall dimmer and one on/off appliance module.

I assume they communicate via Wi-Fi (Internet of Things) because the base station communicates with the devices “through a home’s existing wireless network.”

Here’s the goofy part: “Requires wireless router with port forwarding enabled for accessing system devices via the Internet while away from home.”

First, how many consumers who buy a cheap little lighting control know what port forwarding is?

Second, for those who do know what it is, how many know that port forwarding is the surest way to get your whole home hacked? Not just your light switches but everything connected to the home network?

Next headline: Millions of consumers hacked through Hammacher lighting control.

MUST READ: How to Protect Clients from Home Automation Hacker Bots

UPDATE: Who of my network-savvy friends would like to chime in? My response was: Then it gets complicated, possibly expensive, but I’ll ask my smart friends for the best alternative for a DIY product.

@ganeshts:
@juliejacobson @Hammacher Very interested in knowing the alternatives available if the vendor doesn’t want to maintain a ‘cloud server’






About the Author

Julie Jacobson, Editor-at-large, CE Pro
Julie Jacobson, recipient of the 2014 CEA TechHome Leadership Award, is co-founder of EH Publishing, producer of CE Pro, Electronic House, Commercial Integrator, Security Sales and other leading technology publications. She currently spends most of her time writing for CE Pro in the areas of home automation, security, networked A/V and the business of home systems integration. Julie majored in Economics at the University of Michigan, spent a year abroad at Cambridge University, earned an MBA from the University of Texas at Austin, and has never taken a journalism class in her life. She's a washed-up Ultimate Frisbee player currently residing in Carlsbad, Calif. Follow her on Twitter @juliejacobson.

29 Comments (displayed in order by date/time)

Posted by Joe Whitaker  on  02/12  at  04:50 PM

I am amazed the term “port forwarding” is still used! Of course it is not acceptable. I recently looked at some updated manuals for products that used to say just that. They at least have now edited them to say pptp or IPSec. Silly company is gonna fail for that bad advice alone regardless if the product is actually good, which I am doubting. Looks like a prototype found on a work bench in a factory in China.

Posted by Fred Harding  on  02/12  at  05:04 PM

Julie,

I disagree with your envisioned headline.  I suspect it will read “Dozens of consumers hacked through Hamacker lighting control”.

Posted by Julie Jacobson  on  02/12  at  05:19 PM

You got me there, Fred. Actually, I was thinking that, but figured millions was more dramatic. Headline would likely be - thousands of customers return Hammacher lighting product because they can’t figure out how it works.

Posted by Julie Jacobson  on  02/12  at  05:25 PM

See the update at end of story. What is best answer for a DIY product?

Posted by Peter Radsliff  on  02/12  at  06:00 PM

Nice post, Julie. I would suggest the answer to manufacturers for how to design an “Internet-of-things” lighting control system is: “Just copy Nest Labs.” But then again, if they could have, they would have done so already. Or, they can just wait for Nest to add lighting control to their thermostat and smoke detector. Can that be far behind?

Posted by Bjørn Jensen  on  02/12  at  06:01 PM

They should stress the warning that you should NOT use port forwarding and NOT give directions on how to do that.  Instead they should recommend specific routers that have VPN capabilities and then offer instructions on how to configure it properly to work with their service. You can actually find some that do this for very cheap.  The cheapest are the hardest to configure at that low price level, the $100 ones are substantially easier and instructions would be minimal.

That would be DIY but proper.  There is no excuse, with all of the known and unknown dangers out there these days, for a manufacturer to recommend their clients open themselves up to hackers.

Last comment, Joe I completely agree.  The only thing I would stress is that IF you’re going to use PPTP VPN then you MUST encrypt it, you can’t leave it as plain PPTP.

Posted by Julie Jacobson  on  02/12  at  06:07 PM

Seems to me there would be an OEM or retail market for such solutions.

Posted by Joe Whitaker  on  02/12  at  06:14 PM

Yup Bjørn it’s gotta be encrypted! I was just talking about some manufacturers that used to push port forwarding now changing the verbiage to pptp and IPSec. I have seen it like 10 times now. I think it’s about time, but to think they were promoting the opening up of a person’s home or business to the outside world is crazy! But good catch to get the encryption part in the dialog here, we definitely don’t want to accidentally mislead readers!

Posted by shownuff  on  02/13  at  08:45 PM

Port forwarding is not, by itself, a security problem.  No it doesn’t automatically lead to the compromise of your entire network.  And it is preferable to monthly fees and data collection.

Posted by Bjørn Jensen  on  02/14  at  09:02 AM

“Who da master? SHONUFF!”

Haha…anyway you are right that port forwarding by itself is not a security problem.  This is because if you forward ports to nothing then there is no problem.  Also, if you forward ports to a highly secure device that is made by companies to be incredibly secure, all the time, then you’re probably alright as well.

For instance, people generally have to forward ports for their mail servers to work correctly (eg. port 25 for smtp connections).  Of course, these servers must be constantly updated to receive the security patches they need so that new exploits are not used to compromise the system.

My question to you then is, how much do you trust the coders at Hammacher?  Are they constantly improving and updating their security?  Did they create this product with security at the top of their list?  How much do you trust ANY company for that matter?

What’s preferable to monthly fees and data collection AND unsecure networks is a secure VPN that gives you the security and ease of access without unnecessarily opening yourself up to potential issues.

Posted by Julie Jacobson  on  02/14  at  09:50 AM

That’s why we pay you the big bucks, Bjorn! Thanks for your comments.

Posted by Bjørn Jensen  on  02/14  at  09:54 AM

Though I’m not averse to forms of monetary payment aka “big bucks,” I have yet to receive a check from CEPro.  ;)

Posted by shownuff  on  02/14  at  05:50 PM

@Bjørn Jensen - Yes well there is an element of “how much do you trust the device” but at the same time, how much time are hackers going to invest in an exploit that compromises an embedded device’s network stack in such a way as to allow a reliable proxy into the entire LAN?  And even then, they have to first find you and then go on to compromise the other devices on that LAN as well.  Or would they rather work on breaking into the big server that holds millions of customer records, lives at a known address, and possibly leads to the same type of compromised LAN access on a much wider scale since a lot of devices keep an open socket to the cloud server.

But yes, VPN is a good choice and this device is compatible with that.  Or at least decent firewall rules.

Still, the content is too alarmist about port forwarding.

Posted by Bjørn Jensen  on  02/16  at  11:57 AM

“Still, the content is too alarmist about port forwarding.”

Well I guess that depends on your client and what they expect of you.  Our clients purchase our systems because we aren’t so cavalier about their security.  Everything you mentioned above admits that port forwarding allows one to compromise a device and gain access to the network in some form or another.

Now, imagine a very high profile client purchasing one of our systems expecting that we will do everything, to a reasonable point, to secure their network and then we decide to enable port forwarding…...would we be doing our job?  The answer is clearly no.  Does that make it alarmist?  Again the answer seems clear to me.

In my experience EVERY client deserves to be treated like their personal information is “the big server that holds millions of customer records.”  We are also fortunate enough to have such high profile clients that the proper security isn’t just what they should have by default, but what they NEED to have.

How difficult is it to give a client access to a secure VPN?  These days I would say it’s easier than setting up port forwarding for 2 or more devices and/or ports.  Why risk it?  I’m not even sure why there is an argument over this.  I guess it’s good to have the back and forth so that people can have a better understanding of the risks and then they can decide for themselves what their clients are looking for.  To each his own.

Posted by Julie Jacobson  on  02/16  at  04:00 PM

One hacker is not going to spend “all that time” to try to hack a single network. Bots will do that for millions of networks and whose ever is open for business ...

©2013 CE Pro