Breaking into the smart home of the future

You don’t need to follow technology very closely to know that startups are aggressively pursuing smart home products. Whether its locks, thermostats or even kitchenware getting the hi-tech treatment, the internet of things is in full swing. But as with any new technology, there are potential security risks.
Midway through the Black Hat USA 2013 security confab, which begins later this month, researchers plan to give a series of talks on breaking into the home of the future, Security Ledger reports. The seminars, which focus on security in the age of the internet of things, delve into potential hacks and exploits that could fool your automatic lock, turn your thermostat into a harassing tool, and even take over a security video surveillance system for full-time spying.
For their talk (“Home Invasion v2.0 — Attacking Network-Controlled Hardware”), security researchers at Trustwave SpiderLabs worked on cracking smart-home devices the old-fashioned way: buying the devices and trying to break their architecture apart. While they were able to crack most of the 10 products, including a Satis smart toilet, some of them had security flaws so large that it takes just a few basic techniques to break through.



Curious, I called the company up to find out whether there were specific devices or technologies that seemed more permeable than others. Daniel Crowley, managing consultant at Trustwave SpiderLabs,  says he was particularly struck by the tests he performed on Mi Casa Verde’s VeraLite home automation gateway, a smart hub that can manage up to 70 devices including lights, cameras, and door locks.
The system is designed for remote access, and the hub can be accessed via a Secure Shell connection to open up the root of programming within the device. But doing so requires no extra authentication or security. A hacker, he says, can use simple techniques to hack the local Wi-Fi network of a homeowner and gain access to his VeraLite.
“There’s a secondary interface to the web interface of the VeraLite called UPNP, and in its basic form it doesn’t have the ability to support authentication,” Crowley explains. “If I have access to the Local Network, I have full control of the VeraLite from the UPNP without a username or password.”
With that power, a hacker can do pretty much anything with the hub and the devices it’s attached to, including view security camera footage, unlock doors and harass homeowners. And they don’t even need to be near the house’s local network to do it, as there’s a secondary flaw that utilizes remote access. As it turns out, every VeraLite works within Mi Casa Verde’s cloud system, which is a series of broker and forwarding servers. Crowley and his team found that when they located the broker server, they could simply bypass the firewall and gain access to forwarding servers — which in turn gave them access to every VeraLite on the network.
Crowley says that the only way to lock down the hub from these attacks is to hack it and prevent remote access from anyone — not something a non-technical person would even think of, let alone be able to execute.
“There’s no option that turns off remote access in the VeraLite’s standard information,” Crowley explained. “You have to go in there and know exactly what you’re doing.”
Mi Casa Verde CTO and founder Aaron Bergen responded to Trustwave’s claims in an email to Security Ledger, saying, “This is by design because Vera has a lot of power users that do all sorts of advanced things and want to have root access.”
Crowley remains unconvinced. “If the ability to have full control without a username and password is a feature, then that completely collides with the feature of having a username and password,” Crowley says. “You can’t have one feature that makes the other completely useless.”
Insteon Hub

Insteon Hub

The VeraLite isn’t the only smart hub that showed security flaws, according to the researchers. Trustwave SpiderLabs’ David Bryan owned an Insteon SmartLink to control his lights, and the device had a username and password in place to authenticate it. But when the company released its cloud-based hub device, Bryan was confused when he couldn’t find any kind of authentication methods in place to use and configure the system. He sent a message to Insteon’s tech service, and they were unsurprised.
“They said, ‘Oh, you don’t have to worry about that. We have a cloud interface that protects it all,'” Bryan says.
After the response, Bryan ran a test and was able to connect directly to the hub on an unencrypted channel with zero authentication in a matter of minutes, meaning anyone could make requests to the device. The company has since released a fix that adds user authentication.
Both Crowley and Bryan believe that there are fundamental flaws in home-connection systems at the places where gateways meet the outside world. Without a secure local connection and knowledge of the security holes in a given smart home hub — including lack of user authentication or security on the cloud server network — there’s a risk of outside tampering.
Hackers will always find ways to disable or take advantage of technology, but Crowley and Bryan says it is up to the companies to make that as difficult as possible by installing the most best security available, including stringent password authentication on all available layers, even the ones the average user can’t see and won’t think about.