Mobile applications used with two popular home automation platforms, by Wink and Insteon, fail to protect user login information, leaving the devices vulnerable to hacking, a researcher at Rapid7 found.
A researcher at the firm Rapid7 is warning that two popular home automation systems, the Wink Hub 2 and the Insteon Hub, save administrator user names and passwords unencrypted and otherwise unprotected in the Android mobile application that is used to control the device.
The flaw could allow an attacker to steal the information and take control of the device, in some instances, Rapid7 said in a blog post.
Smart home control hubs are central units that connect IoT devices in the house and relay commands to them via a mobile app. Both Wink and Insteon support an array of smart products like light bulbs, thermostats, door locks, alarms and wireless sensors. Mobile applications for each hub have been downloaded more than 100,000 times on Google Play, the main Android mobile application store.
Deral Heiland from security company Rapid7 examined how the Android apps for the two systems work and noticed that both keep the sensitive credentials used for authentication and authorization to the hub in plain text. Wink's services rely on the OAuth authorization framework to generate tokens that authorize users to pass commands to the hub.
Heiland discovered that the Wink app stored the OAuth token in an XML configuration file with no protection whatsoever. Moreover, the token persisted and remained valid across a reboot of the phone and was discarded only when the user logged off manually.
“Based on the nature of IoT technology, users typically stay logged in, however. Thus the authentication tokens are likely to stay valid indefinitely, unless the user doesn’t interact with the application for more than 30 days,” Rapid7 wrote in a blog post.
This was not the only problem with the OAuth mechanism in Wink automation products. A deeper inspection revealed that tokens were never revoked after logging out of the application; only the phone identification code was deleted during this procedure, which did not affect authorization in any way. Upon logging back in, a new token would be issued without invalidating the old one, even when the password had been changed.
Wink was informed of the security gaps in its mobile app and has released an update that fixes the plain-text storage issue. The vendor also says it intends to make the failure to expire authorization tokens only a short-term problem.
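The token-lifecycle problems described above, modelled as an added example in Python that is not Wink's or Rapid7's code: the hardened `AuthService` binds each token to a password generation and revokes it server-side on logout, while `LeakyAuthService` reproduces the reported behaviour. The class and field names and the data model are assumptions; the 30-day inactivity limit is the figure the article quotes.

```python
import secrets
from dataclasses import dataclass, field

INACTIVITY_LIMIT = 30 * 24 * 3600   # 30 days without use, as the article states


@dataclass
class Token:
    value: str
    user: str
    cred_version: int   # password generation the token was issued under
    last_used: float
    revoked: bool = False


@dataclass
class AuthService:
    """Hypothetical hardened service: logout revokes the token itself and a
    password change invalidates every token issued before it."""
    cred_version: dict = field(default_factory=dict)  # user -> current generation
    tokens: dict = field(default_factory=dict)        # token value -> Token

    def issue(self, user: str, now: float) -> str:
        ver = self.cred_version.setdefault(user, 1)
        value = secrets.token_urlsafe(32)
        self.tokens[value] = Token(value, user, ver, now)
        return value

    def is_valid(self, value: str, now: float) -> bool:
        tok = self.tokens.get(value)
        if tok is None or tok.revoked:
            return False
        if now - tok.last_used > INACTIVITY_LIMIT:
            return False                       # idle for more than 30 days
        if tok.cred_version != self.cred_version[tok.user]:
            return False                       # issued under an old password
        tok.last_used = now
        return True

    def logout(self, value: str) -> None:
        tok = self.tokens.get(value)
        if tok is not None:
            tok.revoked = True                 # not just the phone identifier

    def change_password(self, user: str) -> None:
        self.cred_version[user] = self.cred_version.get(user, 1) + 1


class LeakyAuthService(AuthService):
    """Reproduces the reported behaviour: neither action touches issued tokens."""
    def logout(self, value: str) -> None:
        pass    # only the phone identification code was deleted client-side

    def change_password(self, user: str) -> None:
        pass    # a new token is issued on next login; the old one stays valid
```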
Heiland also discovered encryption-related issues in the Insteon Hub’s Android application. Version 1.9.7 of the app stores and manages the account's username and password in the same way as the Wink counterpart: unencrypted in an XML configuration file, with the data persisting until the user logs off manually.
The app recently received a new version that lists one security fix, described without further detail as “improved data protection on rooted devices.” If this refers to encrypting the credentials, the measure is a good step towards securing the information against malware that obtains administrative privileges on the phone and can then read data stored by other applications.
Rapid7 says that although the potential impact of these flaws is high, they cannot be exploited directly over the internet. An indirect way to take control of the smart gadgets managed through Wink or Insteon products over the web is to compromise a phone with malware. Otherwise, an attacker would need access to the victim’s unlocked phone.
The vulnerabilities uncovered by Heiland could be exploited in exchange for a ransom, in a scenario similar to the one presented in an episode of the hacker favorite Mr. Robot TV show. Instead of turning technology against the owner to get them out of the house, the attacker could make the environment unlivable for the purpose of getting paid. Switching lights on or off, turning the heat up and down, setting off the alarm may be sufficient for some victims to give in to the demands.
Insecure storage of sensitive data was not the only issue with the Insteon Hub. Heiland analyzed the communication protocol used to deliver commands to compatible devices and found that commands travel unencrypted to their destination and that the protocol has no mechanism to guard against replay attacks.
“A malicious actor can easily capture and replay the radio signals at any time to manipulate any device being managed via this communication protocol,” Rapid7 warns.
The researcher tested his findings on a garage door from Insteon that was set up through the smart home hub. He captured the radio signal that opened and closed the door, and filtered the noise. Using a software-defined radio (SDR) gadget, Heiland was able to replay the signal and pass successful commands to the receiver. Apart from the risk of replay attacks, which can be mitigated only by the vendor, users can make it more difficult for anyone to extract data from the phone by simply locking access to the phone with a security code or pattern, or, where available, by enabling full-disk encryption.
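One way a receiver can discard captured-and-replayed command frames, as an added example that is not Insteon's protocol or Rapid7's code: each frame carries a per-device monotonic counter and an HMAC tag under a pairing key, so a frame that was recorded and transmitted again fails the freshness check, and a forged one fails authentication. The frame layout, the key and the `Receiver` class are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (hypothetical, not Insteon's on-air format):
#   device_id (4 bytes) | counter (4 bytes) | command (1 byte) | tag (16 bytes)
# tag = HMAC-SHA256 over the 9-byte body, truncated, keyed with a pairing secret.
BODY_FMT = ">IIB"
BODY_LEN = struct.calcsize(BODY_FMT)   # 9
TAG_LEN = 16


def build_frame(key: bytes, device_id: int, counter: int, command: int) -> bytes:
    """Transmitter side: every frame carries a fresh, strictly increasing counter."""
    body = struct.pack(BODY_FMT, device_id, counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Receiver side: authenticates the frame, then rejects any counter already seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}   # device_id -> highest counter accepted so far

    def accept(self, frame: bytes):
        """Return the command byte if the frame is authentic and fresh, else None."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None   # altered or forged: the sender lacks the pairing key
        device_id, counter, command = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter.get(device_id, -1):
            return None   # counter already seen: a recorded frame played back
        self.last_counter[device_id] = counter
        return command
```

A production design would also persist the counter across power loss and handle wrap-around, which this illustration omits.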
Security holes in connected home products are common. In addition to serial disclosures about flaws that affect home routers and IP cameras, companies like Cisco have disclosed security flaws affecting home automation hubs. Also, in 2016, the security company Bitdefender published a case study on four common IoT platforms. Among its conclusions: authentication features for such devices are inadequate. That means an intruder within range of the wireless connection would not have to put in much effort to compromise the home’s WiFi network. Once in, they could wreak havoc by taking control of the router and all devices behind it.