Orca Bay Consulting

Privacy? Security? What?

While waiting to get a much needed post-lockdown haircut I, along with every other patron waiting outside the establishment, overheard a conversation between a home-automation installer and his customer. This wasn't difficult, as the installer was using his phone in speaker mode. His client was upset that things were not working on the web-based security camera.

The client sounded very frustrated, but the installer calmly said, "OK, let me walk you through it." With every person waiting outside the shop having no option but to listen to the call, the installer proceeded to direct the client through the app. He conveniently read out the hosting service's URL, advised the customer to type the word ADMIN into the user ID field and to use the word 'password' as the password. This led to a short but comical 'Who's on First' routine.

After ensuring that the client had successfully navigated to and accessed his web camera account, the installer hung up, shook his head and smiled at the others in line. We all chuckled, but inwardly I was horrified at what had just transpired.

The installer was not only being unprofessional; he had just offered up his client's full access credentials for the security camera to every single person in earshot!

We may say "So what?"

I now have his customer's IP address and all the credentials necessary to gain access to his web-hosted security camera setup. After he received his haircut, I watched as the installer picked up his items, walked over to his service vehicle, got in, and drove away.

So now I also have the installer's company name, address, and phone number. How many of the company's clients have been set up this way, or receive tech support this way?

I can call the company, pretend to be a customer, play dumb and ask what kind of hardware was installed. Now I know what equipment was used.

IoT devices and services are EVERYWHERE, and for many of those devices security is sorely lacking: no password complexity, no passwords at all, no option to change passwords, no MFA, no security certificates. Not only are the devices lacking security, it's obvious that installers and technicians don't adhere to privacy and security protocols, if such protocols exist at all. Clients should always demand that installers be professional and adhere to privacy and security standards. Divulging client credentials in a room full of people is unacceptable.

Not only did this installer divulge his client's credentials, he also revealed that the company does not adhere to stringent security protocols where credential complexity is concerned: no complex passwords, no MFA rules. That brings further security protocols into question. Is external access IP filtered? Do they use a VPN? Security certificates? Is this company trustworthy? Who is at fault in case of a breach: the company for not providing and/or adhering to stringent security protocols, the installer for not adhering to privacy and security protocols, or the customer for not demanding that they do? Customers assume that IT service providers automatically adhere to stringent security and privacy protocols, but this incident shows that is not always the case, and the problem may be more prevalent than we are led to believe.