Comment by Uncle_Brumpus
6 hours ago
"You can just make it type words, what's the risk in that?"
Makes you wonder what other peripheral companies out there are also operating with seemingly no security team. There must be other vulnerabilities like this just waiting to be discovered.
My brother was awoken one morning at 2am because some neighborhood kids connected to his bluetooth speaker and blasted fart sounds on loop at max volume, and that's literally only the absolute tippy top of the malicious bluetooth use iceberg.
> "You can just make it type words, what's the risk in that?"
I don't know if it's a useful answer to people saying this kind of stuff, but here are some examples of other attacks arbitrary USB pwn allows.
A USB device can appear as a network adapter and most OS will happily route all your traffic there, so your speaker can know which porn you're looking at!
It can also appear as a DisplayLink dongle, so it can see what's on the screen (it does require those specific drivers installed, and uh yeah, no way in hell it's technically possible on that MCU).
It can also turn it into a mouse jiggler to prevent lock screen (yes it's technically the same thing as your first point, just HID, but different angle).
It can also appear as a USB-storage: You don't trust the cloud, so you're writing those super secret documents to give to your boss on the USB drive you just plugged in? Surprise, you actually sent it to the attacker.
The ability to "type words" is worse than all of that. Just type Win+R, "cmd", Enter and you've got arbitrary code execution on the connected PC. I think that was GP's point. Any competent security team would be aware of such risks.
See also the debacle with Razer gaming mice giving you root access just by plugging in, which I think takes the cake for clownshoe software practices almost rivalling Riot Games (though not with the latter's degree of self-congratulatory Dunning-Kruger gusto.)
Oh yeah, for some reason the companies with the highest risk products seem to be the ones that care less about security. Don't even get me started with "smart" bulbs and cameras that each individually connect to your local network and the Internet. You have 5 lightbulbs? That's 5 different devices you need to track, keep updated and trust the in the vendor firmware's security.
> "smart" bulbs
Thankfully I don't think I've seen these for sale.
What sensors would they have that could be exploited by an attacker?
You don't need to exploit sensors. If a compromised device is connected to the internet (because the vendor app requires it to set up and control), you can use it as a part of botnet with a nice residential IP address.
Shopping in the US, these have entirely replaced zigbee and other sensible mesh-based options at hardware stores like Home Depot and Lowes. The only exception I can find is Phillips Hue, and those seem to be slowly getting phased out with (sigh) a new "hubless" (requires wifi) series.
I run my home automation network entirely offline, so anything that needs the internet doesn't get added to my cart. I just do not trust the security of these IoT vendors at all, and refuse to have their nonsense cluttering up my limited network bandwidth and causing unknown problems.
(Edit: maybe not obvious, this is in the "smart bulbs" product category. Regular bulbs are still much more common on store shelves, because why fix what isn't broken? Most people don't need to automate their light bulbs.)
Probably most of them. It's not exactly an area with a great focus on quality, let alone security.