Your smart light bulb might be sending your data to China
Apps connected to smart light bulbs sold in Walmart and Best Buy are communicating with Chinese servers, report says
Most of us would assume that having a smart light bulb at home involves minimal risk. But it turns out that it's not the light bulb we might need to worry about; it's the apps and platforms that control it. And some of these apps might be gathering data from our phones without our knowledge and sending it to China.
American cybersecurity company Dark Cubed says they discovered a light bulb that does just that during tests they conducted on several random smart devices widely available in Walmart, Amazon, Best Buy and other stores across the US. They also found that some of these devices carry other security risks.
On the outside, the Merkury light bulb did very little besides switching the light on and off. Unlike the Google Nest camera, it had no hidden microphone. But the app that controlled the bulb required a number of significant permissions, including access to your location and the ability to record audio. Researchers say that could potentially enable the theft of passwords and data from users' smartphones.
The Geeni Android Application also contained hard-coded links to about 40 third-party websites. They include US companies such as Facebook and Twitter, but also China-based internet companies such as Alibaba, Taobao, QQ, and Weibo.
(Abacus is a unit of the South China Morning Post, which is owned by Alibaba.)
This may have been just an accident.
“It is possible that the developer was just sloppy and imported code called ‘software development kits’ to add additional functionality and didn’t clean out things that weren’t being used,” said Dark Cubed CEO Vince Crisler.
But there's also a possibility that the links were there on purpose: Dark Cubed researchers believe the app might be mining personal data for advertising purposes.
Alibaba declined to comment, saying they don't discuss clients of their cloud services. We've also reached out to Merkury, Tencent and Weibo and will update if we receive answers.
Besides light bulbs, security researchers also looked into other smart home products such as cameras and plugs. Out of the 12 devices surveyed, they say several used software with shoddy encryption that could be easily bypassed, leaving personal data such as contacts, phone numbers and birthdays exposed.
Even more concerning, Dark Cubed says, was that devices could be manipulated remotely. Two of the connected cameras that were tested could be hacked to view images uploaded to the cloud.
That our smart devices could be used to spy on us is not exactly a revelation: Amazon’s Alexa has found itself in several eavesdropping scandals, which the company has stressed were isolated incidents.
But much of the focus has been on devices themselves instead of the platforms they are using, according to Scott Ford, CEO of a US platform provider for smart devices called Pepper IoT, which co-published the report.
“We call it a race to the bottom: smart device prices in the US are getting lower and lower,” said Ford. “The problem is that there's no economics in that price to provide for cybersecurity protection and that device has to be managed and hosted a long period of time.”
Ford and Dark Cubed warn that the numerous security issues could be exploited by Chinese state actors. For now, the US does not have regulations for handling data gathered by IoT devices, but that might change because of US-China cybersecurity tensions.
Still, others point out that sending data through IoT devices is not necessarily malicious.
“There are a lot of non-nefarious reasons for sending data to other companies,” said Larry Salibra, founder of software startup New Internet Labs. “If you ask why are they sending it to these big companies, it's the same if you look at any software written outside China: They are probably sending your data to Google or Amazon. These companies provide tools for developers that help them analyze user data.”
The bigger problem might be that users don’t know this is happening and they should definitely be asked for their permission, said Salibra.