My Air Purifier is in the Internet – should I be worried?


Typical IoT system level components

It is 2016 and everything is connected to the internet in one way or another, so what's the big fuss about privacy and security of these little devices? After all, we have made consumer gadgets for ages, and once in a while a malfunction or vulnerability gets discovered and shortly it gets fixed, right?

By looking closely at some of my connected devices, I found interesting stuff that has gone largely unnoticed. And more interesting is to come, for reasons I am about to explain.

Air purifier with WiFi – so what?

A while ago I bought an air purifier, a Chinese Xiaomi – I know they have quite a bad air pollution situation there, so I expected the purifier tech to be top notch – and, happy to say, it is:


High level questions for deploying IoT to any place and network – think of the device as any malicious device – what can it do?

  • Really the only component that matters: The HEPA filter is great, big and easy to replace
  • The CADR rating of the device is great
  • The mechanical (inside and outside) and aesthetic design is great, along with the low audible noise level
  • And their price point for the device itself and HEPA filters is unbeatable.
  • Plus it has an app-based remote control, both for Android and iOS – and so far it seems to be the only air purifier that has one (well likely not, but I could not find any other)

So pretty much one can say they nailed their setup together pretty well. The only minor negative thing when I bought it was the app-based remote controller – it was in Chinese only, so I had to resort to using an iPad with a translator to get the device installed.

Introducing an Air purifier to encrypted WiFi

  • How does one introduce WiFi credentials to an Air purifier that only has one button, no screen, no camera?
  • Easily – with a mobile App!
  • But how does that App contact the purifier?
  • Does the purifier set up an access point for the phone to contact to?
  • No it does not.
  • …. how the f#$k does it work then?

Use case based approach to IoT security assessment – works for consumers as well as for designers

As it happens, this air purifier was made at a time when TI's CC3000 was about the only hot thing available for establishing WiFi connectivity (I have not verified whether this is inside the purifier – but the specs and functionality seem to match). The chip is not capable of setting up a soft AP that the user would connect to and enter variables via a form or HTTP(S) POST request. Instead it uses a clever covert channel transport: the mobile app asks the user to input the network SSID and WiFi access keys, then it encodes them and sends a UDP stream in which the information is modulated onto the packet length. The packets are sent via UDP to a bogus host in the local area network, so essentially they fall off. The CC3000 can listen to WiFi traffic, recognise the stream and parse the keys from there. (The actual UDP stream content is unavailable due to WiFi encryption, but the packet lengths are handily available and visible outside.)

Let me rephrase that: the phone app sends network access tokens in a form that anybody on the 2.4 GHz WiFi band can listen to, decode and use to join my network.

In defence of the CC3000 I have to say that it offers the option of putting basic security in place via a pre-shared key, but this air purifier does not implement that. Maybe having a random key issued and printed per device was too complicated for the vendor, or the whole solution was designed as a temporary one.
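The length channel and the pre-shared key option described above can be seen in a small simulation. This is an added example, not code from the original post or from TI: the one-byte-per-datagram encoding, the constants and the SHA-256 keystream are constructed stand-ins, not the CC3000's actual format or cipher.

```python
import hashlib

# Constructed constants for this toy scheme; not the CC3000's real values.
BASE_LEN = 64        # shortest UDP payload the toy sender emits
CCMP_OVERHEAD = 16   # WPA2-CCMP adds an 8-byte header and 8-byte MIC per frame
                     # (MAC/IP/UDP headers are also fixed-size; omitted here)

def payload_lengths(data: bytes) -> list[int]:
    """Sender: one datagram per byte; the byte value sets the payload length."""
    return [BASE_LEN + b for b in data]

def on_air_lengths(lengths: list[int]) -> list[int]:
    """WiFi encryption hides the payload but only adds a constant to its size."""
    return [n + CCMP_OVERHEAD for n in lengths]

def recover(observed: list[int]) -> bytes:
    """Any receiver in radio range: subtract the constants, read the bytes."""
    return bytes(n - CCMP_OVERHEAD - BASE_LEN for n in observed)

def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode, standing in for the pre-shared-key option."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def protect(data: bytes, device_key: bytes) -> bytes:
    """XOR with the keystream; applying it twice with the same key undoes it."""
    return bytes(a ^ b for a, b in zip(data, keystream(device_key, len(data))))

def demo() -> dict:
    creds = b"HomeNet\x00correct-horse-battery"   # constructed SSID\0passphrase
    device_key = b"printed-on-device-label"       # constructed per-device key
    plain_seen = recover(on_air_lengths(payload_lengths(creds)))
    keyed_seen = recover(on_air_lengths(payload_lengths(protect(creds, device_key))))
    return {
        "listener_without_key_option": plain_seen,            # equals creds
        "listener_with_key_option": keyed_seen,               # ciphertext only
        "device_with_key": protect(keyed_seen, device_key),   # equals creds
    }

if __name__ == "__main__":
    for who, got in demo().items():
        print(f"{who}: {got!r}")
```

With the key option in place the lengths are just as visible as before, but they carry ciphertext, so only a holder of the per-device key gets the credentials back.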

While this went unnoticed, it was and still is quite a hack, and being TI's product I would call it an old industry standard. The guys at TI probably saw the limitations of this design, and the relative ease with which it could be used in an insecure way, and they have obsoleted this design with a newer version that has a strong mechanism in place. But my air purifier is still the same; the original CC3000 probably can never be fixed via an OTA upgrade.


My WiFi neighbours. This is the reason why 5GHz WiFi band is needed.

Now, one might ask: why did they do an insecure design in the first place? Because there was no easy way around it. Also, this is a pretty mighty and clever solution. No widespread hacks have surfaced, so at least so far they are off pretty well. Sometimes you have to do what you have to do, even if it is an insecure design, and unfixable by design too.

For me, after quite a few serious WTF moments it still bugs me: every time I need to connect this device to my network, there is no other way but to broadcast my network access tokens for a moment. My alternatives are either to let this device compromise my WiFi security, or to have it permanently sit on its own guest WiFi segment. (Or WiFi off, but that is not a choice for me here.)

So that was history, what about the future?

Above I was talking about quite big and reputable companies generally doing a great thing, with limitations that are a bit beyond the interests and capabilities of Joe the average consumer. For the future I want to present the following questions (with all too obvious answers):


Qualifying questions when choosing or validating components in IoT – difficult to figure out for customer, essential to know for developer

  1. Who will be making IoT devices? – I am afraid most of the companies are startups and man&dog sized entities, with little historical context knowledge in security. If they succeed, the scale of deployments is huge.
  2. What is their primary intent? – To get out to market of course, and to get their first 1M$/1B$. What if there is security concern? Any publicity is good publicity = Free marketing! (Ok I am a bit sarcastic here.)
  3. Are they here tomorrow to fix their issues? – That is a difficult question. In the history of consumer products, updates and upgradeability have not been a significant market force. I doubt they will be here either.

Looking at the business landscape, with the democratisation of 3D printing, lowering prices of PCB design and manufacturing, easier development and tooling for mobile apps, and improving capabilities and lowering prices of embedded processing platforms (the list would go on further, but let's stop it here), I would expect many more new players in the field, making this quite an interesting area both for consumers and for security analysis and consulting. The market is already taking shape: higher quality platforms/components are emerging (AWS, Google, Oracle clouds for example) at the same time as all kinds of simple but relatively insecure innovations pop up. (Like the ESP8266 – not necessarily insecure, but most examples hardcode access tokens into the code.)

How to get the best networked thingie?

As consumers we only have as much power as there is money to be harvested from our pockets – from the vendor's perspective that isn't much per person. But in bigger masses we have power, so even tiny changes of mass behaviour (call it education) will have an impact – unfortunately getting it right is far from trivial. Below are a few ideas:

  1. As a buyer, really, pay attention to upgrades. If there is an app, it should have a few upgrades behind it. A vendor that fixes its issues and provides new functionality is a good sign. IoT is not your old TV, it needs OTA updates.
  2. Think about the vendor, see how their product life cycle policy goes. How are they treating their old products? Are they slacking in their upgrades? Are they actively doing stuff? Are they here tomorrow?
  3. Technical: Take a look at product related support forums – does the vendor endorse homegrown modifications or firmware – what do DIY developers say? Are there any?
  4. More radical: If you are a vendor, think about it: Why do you even keep the embedded part of the software closed? – Consider releasing the source – or a toolchain for hackers to code on. (Please do not give out code if you violate patents, of course.)

To be radical, an example on the air purifier I have: how much IPR / real invention is there really in an air purifier's embedded software – it probably has something like:

  • PM2.5/PM10 pollution sensor (filter, laser, counter – uses one digital IO pin from CPU)
  • motor control (Probably a FET based driver with pulse feedback to detect speed)
  • calculation logic for replacing the filter (Some kind of identifier and software)
  • button input (…)
  • logic for a couple of operation modes (easy piece of software)

I would estimate I could code the software logic in three days, and I do not consider myself a real coder.

Think about it.

(In the tune of DMCA: “You wouldn't steal a car – but I bet you would like to re-code its dashboard GPS to a functional one.”)

Afterthoughts

The number of devices I have on my home network has exceeded what I felt was a home network: I have both a Xiaomi air purifier and webcam, a number of computers, phones, tablets, a smart TV, three routers, and a couple of my own IoT designs there. The setup is quite substantially different from my old home LAN with a simple NAT firewall protecting a couple of devices and unlimited bandwidth. I am tempted to start running a continuous network analyser to see where these 3rd party devices are connecting to and what data they are transmitting. I only hope the results will not look similar to normal web browsing, where a single page load opens connections to tens of websites for tracking, advertising and wherever.