iGorenje Wi-Fi Application for Home Appliances

By tdenning at 6:19 pm on January 5, 2009 | 1 Comment

More and more household appliances are being designed with wireless internet capabilities. Being able to control home appliances via a web portal may improve convenience, but it comes at the cost of potential security vulnerabilities. The European home appliance manufacturer Gorenje has supplied information about concept ovens and washing machines that are WiFi-enabled.

Gorenje, a European home appliance manufacturer, has announced home appliances that connect to your home network via Wi-Fi and can be controlled via the web. The test application up at http://www.i.gorenje.com/home depicts the future controls for a web-enabled washing machine and an oven, which in general control starting, stopping, duration, and temperature. As this is a demonstration application, it is difficult to ascertain the exact security measures that will be in place for the final system. Nevertheless, common practice and the password field at http://www.i.gorenje.com suggest that the security model will most likely involve entering a username and password. (The current password field accepts all passwords and forwards the viewer to the demonstration application at http://www.i.gorenje.com/home.)

Two stakeholder groups involved with the technology would be the people who pay the utility bills for the appliances (these people most likely also use the appliances) and the people who spend time around the appliances, including children.

Two assets involved with the use of the iGorenje appliances are physical safety and the cost of utility bills. A security model for these appliances should have at least two goals: to protect against malicious appliance activation and the associated increase in utility use such as water, gas, or electricity; and to protect against malicious activation that could result in hazardous situations. Increased utility use is undesirable since it corresponds to an increased use of limited resources and an increased financial expense. On the safety side, while neither proposed iGorenje appliance is as dangerous as, for example, a web-operated stove, a web-activated oven could still be dangerous, particularly if there are children in the house.

One potential adversary is a griefer who wishes to cause general financial and/or environmental harm, but has no specific target in mind. Another adversary is one who targets a particular appliance or household. Both adversaries are very similar in that they must target one or both of the potential assets. The difference is that the griefer must use technological know-how to locate web-enabled appliances and crack the related usernames and passwords. The targeted attacker, on the other hand, may use either technological know-how or personal knowledge of the target to gain access to the system.

There are two potential weaknesses to the system. One potential weakness is that the web interface is open to the usual password attacks and the use of weak user passwords. (If the interface only requires a password — and not a username and a password — as in the current demonstration version, then this problem is exacerbated.) We can hope that the system will require the creation of a new password upon setup, as opposed to using default passwords as is the case for routers. The other weakness that is inherent in the system is the use of wireless to connect the appliances to the home network. If the protocol does not use encryption, then griefers could potentially do appliance-activation wardrives.

Clearly, the iGorenje system should insist that the user create a new password upon system setup. Additionally, the system could be strengthened by requiring a wired connection between the appliances and the router, although this would come at the expense of convenience. The system could also be strengthened by incorporating (assuming that it does not) an auditing and/or an override shutdown mechanism. The auditing would allow users to receive text messages or other notifications when an appliance starts its operation (this could also function as a general system confirmation mechanism). The override mode would allow users to remotely order appliances to shut down until they receive physical instructions to power back up again. Of course, this mechanism could potentially open up the user to denial-of-appliance attacks.
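The auditing and override mechanisms proposed above can be sketched as a small state machine. This is an added example, not Gorenje's code or anything from the demonstration site; the class, method names and session labels are hypothetical, and the audit list stands in for the text-message notification.

```python
from dataclasses import dataclass, field


@dataclass
class ApplianceGate:
    """Hypothetical controller for one web-enabled appliance."""
    name: str
    running: bool = False
    locked_out: bool = False  # set by remote override, cleared only physically
    audit: list = field(default_factory=list)

    def _notify(self, source, action, result):
        # Stand-in for the notification sent to the owner on every command.
        entry = (source, action, result)
        self.audit.append(entry)
        return entry

    def remote_start(self, source):
        if self.locked_out:
            return self._notify(source, "start", "refused: locked out")
        self.running = True
        return self._notify(source, "start", "ok")

    def remote_override(self, source):
        # Shut down and latch; no remote command can undo this.
        self.running = False
        self.locked_out = True
        return self._notify(source, "override", "ok")

    def physical_power_up(self):
        # Only a person standing at the appliance clears the latch.
        self.locked_out = False
        return self._notify("front-panel", "power-up", "ok")


def demo():
    # Constructed scenario: session labels are made up for illustration.
    oven = ApplianceGate("oven")
    oven.remote_start("web:unknown-session")   # unexpected start is audited
    oven.remote_override("web:owner")          # owner reacts to the notification
    refused = oven.remote_start("web:unknown-session")
    # Cost of the latch: the owner is also refused remotely until someone
    # is physically present, which is the denial-of-appliance trade-off.
    owner_blocked = oven.remote_start("web:owner")
    oven.physical_power_up()
    restored = oven.remote_start("web:owner")
    return refused[2], owner_blocked[2], restored[2], len(oven.audit)
```

Because the latch ignores who issued the override, the audit trail is what lets the owner tell a deliberate shutdown from one triggered by someone else.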

If the system falls victim to remote attacks, the results are annoying and potentially costly, but most likely not disastrous. A child could attempt to play with a heated oven, but would most likely not sustain terrible injuries before ceasing (unless, of course, the child decides to jump in head-first rather than putting in a hand). Washers and ovens have pre-defined use cycles that are innately meant to be safe. A more alarming scenario would arise if there were web-enabled controls for drawing a bath or activating a stove. For example, if the bath fills according to a pre-defined volume instead of using overflow sensors, it would be easy to overflow the tub and cause water damage by sending repeat commands to fill the tub. Activating a stove remotely has the clear possibility of starting a fire.

In general the iGorenje system currently appears to offer more convenience than risk. The security threats involved with the wireless appliances are most likely to cause small-scale economic or physical pains. In the worst-case scenario the user could turn off the wireless functionality of the appliance and be left with a regular appliance. The larger risk is that this trend of web access to home appliances will be extended to appliances with larger safety stakes, without consideration for the potential security ramifications.

Filed under: Physical Security, Security Reviews

1 Comment


    Comment by eyezac

    January 9, 2009 @ 9:41 pm

    What about the utility companies themselves? Or someone who wants to see the price of electricity, water, or gas increase? I don’t know how feasible this would be, but if someone could get access to every appliance using the iGorenje system, they could dramatically change the consumption of these resources just by subtly increasing the use of individual appliances. For instance, they could turn on everyone’s oven for a few hours in the middle of the night. Actually, I don’t know how much they would have to do that before the cost of electricity et al. would increase in a predictable way…this would depend on how much natural variability there already is I guess. Plus, all it would take to expose this kind of attack would be several people waking up and noticing their oven on (as long as they aren’t the kind of people who always forget to turn their ovens off). Or people with odd sleep schedules. It might be important to target a particular demographic, such as families…
    Finally, as you say, a good auditing system would probably rule this out.
