Internet of fails: What's wrong with connected devices

Your computer camera could be watching you

There's a rush to slap the Internet on everything -- from light bulbs to ovens. The missing disclaimer? Privacy and security are not included.

The consequences of badly written computer code in connected devices range from mild to serious. A criminal who hacks into your Wi-Fi network through your connected thermostat could spot your bank login and steal your money. A hacker could one day turn on your connected oven when you're not home.

"Everyone has the best intentions, and that's why this road to 'Internet of Things' is paved to hell," said Mark Stanislav, a researcher at Duo Security.

Big mistakes have already been made by connected device companies.

TRENDnet was sued last year by the Federal Trade Commission, because its connected cameras didn't limit who could tune in. Creeps were able to watch cameras and spy on you at home.

Tech startup Stem Innovation produced the IZON babycam. The flaw? Strangers could tap into video feeds. The company used unencrypted communication.

Then there's LIFX, which created a smart light bulb that connects to your Wi-Fi. It turns out the light bulb had a flaw that could let hackers into your home network.


LIFX raised $1.3 million on crowdfunding site Kickstarter in 2012. It's just one of many startups selling groundbreaking Internet-connected devices on Kickstarter and rival crowdfunding site Indiegogo.

Stanislav and his partner at Duo Security, Zach Lanier, worry that crowdfunding sites are becoming a hotspot for unsafe products. By definition, entrepreneurs show up there begging for money to make Internet-connected gadgets. But their cash-strapped projects get just enough support to make the gizmos -- not protect them.

Kickstarter contested that idea. Company spokesman David Gallagher said entrepreneurs on Kickstarter have a more collaborative relationship with the public than large device makers, so "there's ample opportunity to discover problems early on."

"These creators are putting their reputation on the line," Gallagher said. "They have incentive to make something that holds up to scrutiny."

Indiegogo declined to comment for this story.

'Shellshock' can hack lights in your house

The problem is twofold, researchers said.

First, businesses are making elementary mistakes. They're not encrypting communication or limiting access to networks. They leave master passwords lying around in the devices' computer code. And they're quickly building software by piecing together existing code like Lego blocks -- without first fixing underlying errors.

Even tiny mistakes could have devastating consequences.

The most recent Internet bug, Shellshock, has the potential to let hackers into a network and steal data or control machines. The fact that it was discovered in popular software -- used on millions of devices over the last two decades -- shows the danger in assuming software is vetted or safe. And startups don't have the resources to test that software either.

"The small vendors just don't have the experience or resources to deal with this," said Lanier.

Second, the technology needed to make Internet-connected devices is getting cheaper.

"It takes little to no expertise to become a vendor at this point," Lanier said. "The low barrier to entry is $25."

That by itself isn't a problem. But it's drawing in entrepreneurs who don't have enough money to pay a researcher $10,000 to $35,000 to carefully pore over computer code.


One group of technologists, I Am The Cavalry, has risen to prominence with a related mission: to take a closer look at connected devices and not assume they're safe.

"We don't want to deter people from making connected devices," Stanislav said. "But there's a lot at stake. And you might be getting told things are secure when they're not."

Stanislav and Lanier have launched Builditsecure.ly to connect device makers with the talented researchers who can spot problems. Companies need the help. And hackers are willing to do it for a reward, or even for free -- but only if they won't get threatened for finding holes.

A few tech companies have partnered up with Builditsecure.ly so far: wireless home networking provider Belkin, chip vendor Pinocc.io and others.
