It's no secret that virtually anything that runs on code can and will eventually be hacked. There's no dearth of examples. Our desktops, laptops, smartphones, and tablets are just the playthings of any attacker with sufficient skills and time.
But now it's getting personal. Hackers are hitting us where it really hurts: below the belt and with our pants down.
Yes, I'm talking about our crappers. As the BBC reported earlier this week, it seems so-called smart toilets aren't so smart after all. Researchers at Trustwave's Spiderlabs recently discovered security flaws in a $6,000 commode that could allow attackers to control the john remotely. The Beeb reports:
The toilet, manufactured by Japanese firm Lixil, is controlled via an Android app called My Satis. But a hardware flaw means any phone with the app could activate any of the toilets, researchers say.
The toilet uses Bluetooth to receive instructions via the app, but the PIN code for every model is hardwired to be four zeros (0000), meaning that it cannot be reset and can be activated by any phone with the My Satis app, a report by Trustwave's Spiderlabs information security experts reveals.
"An attacker could simply download the My Satis application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner....Attackers could [also] cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to [the] user."
In other words, using an extremely simple hack, an attacker could gain Roto-Rooter access to the device's OS.
They don't make $6,000 toilets like they used to
Admittedly, I don't know anyone who owns a $6,000 toilet. Then again, if I owned a $6,000 toilet -- which from the description above sounds more like a Ty-D-Bol-Man-sized personal valet -- I'd probably never leave the house.
In Japan, where smart toilets were invented, higher-end models are able to do sophisticated analysis of one's, umm, personal effluvia and email the results to your doctor. Imagine if a hacker could get his hands on that. Talk about your data dumps. (I'm here all week, folks.)
Though this particular scenario is ripe for potty humor, the problem is unfortunately real. As all the devices around us become "smarter," the opportunities for mischief and mayhem multiply. If anyone out there is working on serious security solutions for these devices, I haven't found them -- and I've looked.
Security plays second banana
Most technologists are so focused on getting these new gizmos to work and adding groovy new features that security tends to get second or third billing. Exhibit A is Google, which shipped beta versions of Google Glass to 8,000 pasty white guys with exactly zero security controls built in.
And that's how we end up with an $80 million yacht whose GPS navigation system can be commandeered by a handful of college kids. And smart cars that can be controlled remotely via a dingus plugged into the onboard computer, not to mention easily hackable smart charging stations for electronic cars. And pacemakers whose settings can be altered via Wi-Fi and forced to deliver shocks of 830 volts. The whole realm of digital medical devices is just waiting to be exploited. Good luck finding anyone who can tell you what security will be built into them.
Security by design is not a new concept, but it's often ignored in the race to be first with the latest digital whatever. These devices may be smart, but this approach is stupid.
Live long enough, and you will probably have a smart toilet in your smart home. Hopefully the manufacturers will have flushed out all the security bugs before then. And if they don't? I for one don't intend to take that sitting down.
Would you use a smart toilet? Did I miss any obvious puns? Skip to the loo below or email me: firstname.lastname@example.org.
This article, "Watch the throne: The cruelest hack of all," was originally published at InfoWorld.com.