Home Invasion 2.0: Attacking the Smart Home

The home of the future is all about automation. Home owners will be able to automate thermostats, doors, alarms, cameras and other devices – and manage them all remotely.

But what if home automation systems aren’t secure?

It’s not a hypothetical situation. At the upcoming Black Hat security conference, researchers will discuss, in detail, multiple sets of vulnerabilities found in home automation systems that could enable a new and technologically advanced generation of home invasions.

Password Not Needed

Trustwave Security Researcher Dan Crowley explained to eSecurity Planet that his firm looked at multiple vendors of home automation technologies. The Veralite product from Mios, in particular, showed some weaknesses.

“If you’re on the same network as one of these devices, it doesn’t require a username or password to connect to the unit from the local network,” Crowley said.

As such, if someone has one of these devices in their home and doesn’t set it up with a username and password, anyone that can connect to the network has control of the home, to turn lights on and off and any other functions the device manages.

“Almost all of these devices assume that anyone that is on your local network should have access to control these things,” Crowley said.

Crowley noted that with the Veralite in particular, a home owner can choose to set up a username and password, but it’s not the default. He added that on the Veralite there is also a UPnP interface, that would enable someone on the home network to access the device without a username or password.

“From that UPnP interface you can also have full control over the device,” he said.

Going a step further, the Veralite device also has remote access capabilities that use the same username and password for its Web-based control panel. In order to get around potential network address translation (NAT) issues, the device uses a Web-based forwarding service.

“So there is a port open on the forwarding server that tunnels through an SSH connection on the Veralite unit,” Crowley said. “The problem is that if you could gain access to the forwarding server, you could access every Veralite that is installed.”

Crowley added that the Veralite firmware includes an SSH key. He noted that the private key for the SSH connection is the same on all Veralite units, a potential security vulnerability that has been publicly mentioned on security lists.

Back to Security Basics

Crowley’s co-worker David Bryan examined home automation devices as well, including a number of Insteon hubs. As was the case with the Veralite, username password authentication was not required. Bryan also discovered that traffic to the Insteon device was not encrypted.

In both cases, the flaws that Trustwave found violate what the researchers consider to be basic Internet hygiene and best practices for security.

Bryan said he notified Insteon about his concerns and was advised to use the company’s Web-based cloud front-end. According to Bryan, Insteon has since issued an update that requires authentication. Crowley noted that while Mios responded to his initial report, the company didn’t consider the issues he found to be vulnerabilities.

For home users, the fix will require an update of some sort from Mios, according to Crowley.

“I personally don’t think I’m going to adopt these technologies just yet,” Crowley said. “We found some pretty basic issues, and I just don’t think these technologies are ready for prime time yet.”

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner
Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

Latest articles

Top Cybersecurity Companies

Get the Free Newsletter!
Subscribe to Cybersecurity Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter!
Subscribe to Cybersecurity Insider for top news, trends & analysis
This email address is invalid.

Related articles