In just the last two years, the price of home automation technology has come way down, while variety has exploded. Smart home technology goes way beyond niche products like the Nest IP-enabled thermostat or (save us) the “HAPIfork.” A growing list of vendors are selling infrastructure to support a whole network of intelligent “stuff”, enabling remote management of home security and surveillance systems, IP-enabled door locks, IP enabled lights, smart home appliances, HVAC (heat and cooling) and more.
Pretty cool. And, also, pretty scary. What if that IP-enabled door lock or garage door opener could be hacked by someone outside your home and made to open on its own? Breaking and entering just got a lot easier. Or, what if a HVAC system could be hijacked and remotely disabled or forced to operate in ways that would damage the system or even cause a fire or electrical short in the home? With control over vital systems that we all rely on, home automation systems would need to be very secure, right?
Get the New 2017 SANS Research Report on 'Threat Hunting' -- Written by experts from the SANS Institute, the survey reveals a number of interesting data points about the challenges and benefits of threat hunting.
In theory, “yes.” In practice, “no.” That’s the conclusion of researchers who will be presenting at next week’s Black Hat Briefings. In a series of talks, researchers will demonstrate what they claim are glaring security vulnerabilities that could literally open the doors to criminals, snoops and other technically minded miscreants, the Security Ledger reports.
At least two sessions will delve into security holes in home automation systems. The first will present some of the first research on the security of Z-wave, a proprietary wireless protocol that is common in a wide range of embedded devices such as security sensors, alarms and home automation control panels. The presentation, by Behrang Fouladi of Sensepost and Sahand Ghanoun, told The Security Ledger that they have discovered and will demonstrate a vulnerability in the key exchange and key establishment protocol used by Z-wave’s implementation of the AES encryption standard.
The two will demonstrate a Z-wave interception tool that will demonstrate how the encrypted communication of a Z-wave motion sensor can be intercepted by their tool, and how Z-wave devices can be impersonated on a network and used to disable Z-wave devices, or to “fuzz” (or test) other Z-wave devices for exploitable vulnerabilities.
The implementation of Z-wave is very consistent across devices, meaning that the hole could leave a wide array of devices that use Z-wave – including door locks and motion sensors – susceptible to hacking, Fouladi told The Security Ledger in an interview.
Another presentation, “Home Invasion 2.0,” will demonstrate a number of serious and remotely exploitable holes in popular home automation products – many of which have just hit the market in recent months.
“It’s a pretty bad scene,” said Daniel Crowley, a Managing Consultant for SpiderLabs, the research arm of the security firm Trustwave. “We looked over somewhere in the range of 10 products and only found one or two that we couldn’t manage to break. Most didn’t have any security controls at all.”
Crowley is part of a team of researchers who will be exploring the vulnerabilities of common home automation systems and “smart” appliances. As part of their research, Crowley and team looked under the covers of The Vera Lite home automation gateway, sold by the Hong Kong-based firm Mi Case Verde and manufactured by the firm MIOS.
According to the Mi Casa Verde web site, the Vera Lite smart home controller is an inexpensive ($180), Linux-based device that acts like a “SCADA device for the home,” said Crowley. Vera Lite boxes can control over 750 different smart products, from lighting devices to thermostats, sensors, door locks and home alarms. Each Vera Lite controller can manage up to 70 separate devices, letting users control the behavior of smart devices remotely, using web- and mobile phone based applications.
Crowley said he and his colleagues found a number of serious security issues on the Vera Lite. Among them: a lack of authentication requirements, by default, for people or devices connecting to Vera Lite controllers from within the same network. Also, Crowley warned about the use of a cloud-based network of “forwarding servers” that broker access between remote users and home based Vera Lite devices. Trustwave claims it has identified a possible flaw in a script that runs on both Vera Lite controllers and the forwarding servers that could allow an attacker to gain direct access to the forwarding server and any controller that attaches to it.
In an e-mail response, Mi Casa Verde CTO and founder Aaron Bergen took issue with the Trustwave research, saying that the security “vulnerabilities” Trustwave disclosed to them, and that would be discussed at Black Hat were, in fact, features of the Vera Lite controllers. “Yes, the ‘Mi Casa Verde Vera’ branded version of our gateway allows the owner to ssh into his Vera with root access, and thus he has complete access to the system. This is by design because Vera has a lot of power users that do all sorts of advanced things and want to have root access,” Bergen wrote to The Security Ledger, likening the open platform to a mobile phone maker offering a “geek-friendly” version of a handset that “lets the user get full read/write access to the filesystem and run his own code.”
“I went round and round with Trustwave. They were never able to demonstrate an actual vulnerability (i.e. something that would allow them to access someone else’s system). They only demonstrated that they had full access to their own system as described in the docs,” Bergen wrote.
The open nature of the Vera product is by design, Bergen said. “We do not consider it a vulnerability to allow a user to have full control over his own Vera.”
But Vera Lite is just one home automation system the team looked at.
Their presentation at Black Hat will demonstrate a serious remote authentication vulnerability in another home controller, as well as a Bluetooth vulnerability in the Satis “smart toilet” (manufactured in Japan) (in the form of a hardcoded Bluetooth password) that could allow any user with a Bluetooth enabled device to remotely connect to and control the toilet’s many features. (Gross!)
David Bryan, a senior security consultant at Trustwave, who helped analyze the home automation devices said that poor security is the norm, with late-model controllers and appliances reproducing many of the same problems that plagued Internet connected devices like web servers 10 or more years ago.
“You have no privilege separation or separation of user roles,” he told The Security Ledger. “It just seems like these products were brought to market without doing any kind of security review.”
Ghanoun, whose team was speaking about the Z-wave vulnerabilities, said that home automation vendors were relying too heavily on “security through obscurity” — using proprietary protocols or implementations of standard technology like encryption.
“One of the lessons we’ve learned, going back to the year 2000 and the first attacks against WAP (Wireless Application Protocol) is that, when it comes to cryptography, you shouldn’t try to be smart unless you really know what you’re doing,” said Fouladi. Alas, many “smart home” products have forgotten the security lessons even of the recent past, researchers claim.
Home automation and “smart home” technology is expected to be a major theme at this year’s Black Hat Briefings and DEFCON hacker conferences in Las Vegas, as attention shifts from PC-based attacks to those on a wide range of smart devices.
Among the talks scheduled to take place are demonstrations of vulnerabilities in so-called “smart TVs,” and implantable medical devices, as well as an analysis of the security of Z-Wave, a popular protocol used to connect smart appliances and other devices.
Stay tuned to The Security Ledger for more coverage of Black Hat!
Correction: An earlier version of this story incorrectly identified David Bryan as a researcher at Hack Factory. Mr. Bryan is a senior security consultant at Trustwave. His title has been corrected. PFR July 25, 2013