{"id":3067,"date":"2013-07-31T12:37:46","date_gmt":"2013-07-31T16:37:46","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=3067"},"modified":"2013-07-31T12:37:46","modified_gmt":"2013-07-31T16:37:46","slug":"some-home-automation-systems-are-rife-with-holes-security-experts-say","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/07\/31\/some-home-automation-systems-are-rife-with-holes-security-experts-say\/","title":{"rendered":"Some home automation systems are rife with holes, security experts say"},"content":{"rendered":"<p>A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave.<br \/>\nSome of these devices are used to control door locks, surveillance cameras, alarm systems, lights, and other sensitive systems.<br \/>\nThe Trustwave researchers plan to discuss vulnerabilities they discovered in several such products during a presentation Thursday at the Black Hat USA security conference in Las Vegas.<br \/>\nOne of the more interesting devices they tested was a home automation gateway system called <a href=\"http:\/\/www.micasaverde.com\/controllers\/veralite\/\">VeraLite<\/a> that\u2019s manufactured by a Hong Kong-based company called Mi Casa Verde.<br \/>\nThe VeraLite is an embedded device that sits on a home network and can be used to control other systems connected to it. 
It can manage as many as 70 devices at once and is equipped to work with 750 smart systems, including lights, thermostats, surveillance cameras, alarm systems, door locks, window blinds and HVAC (heating, ventilation, and air conditioning) systems.<br \/>\nIn its default configuration VeraLite doesn\u2019t require a username and password, so if the owner doesn\u2019t set one up intentionally, the device can be accessed and controlled by anyone from the local network, said Daniel Crowley, a security researcher at Trustwave.<br \/>\nEven if the device owner does create a username and password, the device can still be controlled using the Universal Plug and Play (UPnP) protocol, which doesn\u2019t have built-in support for authentication, Crowley said. You can write your own UPnP authentication feature or use an UPnP extension for it, but Mi Casa Verde didn\u2019t do this for VeraLite, he said.<\/p>\n<figure class=\" large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/images.techhive.com\/images\/article\/2013\/07\/veralite-copy-100048275-large.jpg?resize=580%2C388\" width=\"580\" height=\"388\" border=\"0\" \/><small class=\"credit\">Mi Casa Verde<\/small><figcaption>Mi Casa Verde&#8217;s VeraLite<\/figcaption><\/figure>\n<p>VeraLite\u2019s UPnP functionality allows anyone located on the local network to execute arbitrary code on the device as root, the highest-privileged account type, giving them complete control over the system, the researcher said.<br \/>\nIt is also possible to exploit this vulnerability from the Internet by launching a cross-protocol attack against a user who is on the same network as the device.<br \/>\n\u201cIf I know that someone has a VeraLite on their home network and they\u2019re at home, I can trick them into visiting a web page that instructs their browser to set up a backdoor on their VeraLite device using UPnP,\u201d Crowley said.<br \/>\nAnother thing that\u2019s concerning is a 
remote access feature in VeraLite that involves the device connecting via the Secure Shell (SSH) protocol to a remote forwarding server operated by the manufacturer, Crowley said. The user can then log in to the forwarding server via a remote web interface and control their device, he said.<br \/>\nThis architecture has security problems, because when the VeraLite connects to the forwarding server, the port is forwarded, Crowley said. \u201cConnecting to a particular port on the forwarding server connects you to your VeraLite.\u201d<br \/>\nAccording to the researcher, this creates a single point of failure, because if an attacker managed to bypass the firewall protecting the forwarding server, he could get access to every VeraLite unit connected to it.<br \/>\nAn attacker wouldn\u2019t necessarily need to compromise the forwarding server itself. Finding and exploiting a vulnerability in the web interface or the web server could be enough, Crowley said.<br \/>\nWhen these issues were reported to the manufacturer, the company responded that these are not vulnerabilities but intended features that exist by design, the researcher said.<br \/>\nIt\u2019s an odd design to give users the option to create a log-in account and password and have different levels of access on the device, but then create a separate so-called feature that bypasses all of those security controls, he said.<br \/>\nMi Casa Verde did not immediately respond to a request for comment sent via email.<\/p>\n<h2>Insteon Hub<\/h2>\n<p>Another product analyzed by the Trustwave researchers is called the Insteon Hub and is a network-enabled device that can control light bulbs, wall switches, outlets, thermostats, wireless Internet Protocol (IP) cameras and more.<br \/>\n\u201cWhen you first set up the Insteon Hub, you\u2019re asked to set up port forwarding from the Internet to the device, so basically you\u2019re opening up access to it to anybody from the Internet,\u201d said David Bryan, a Trustwave 
researcher who reviewed the device after buying one to use in his house.<br \/>\nThe Insteon Hub can be controlled from a smartphone application that sends commands to it over the local network or the Internet, he said.<br \/>\nWhen inspecting the traffic coming from his phone over the Internet and into the Insteon Hub, Bryan discovered that no authentication and no encryption was being used. Furthermore, there was no option to enable authentication for the web service running on the Insteon Hub that receives commands, he said.<br \/>\n\u201cThis meant that anybody could have turned off my lights, turned on and off my thermostat, changed settings or [done] all sorts of things that I would expect to require some sort of authorization,\u201d Bryan said.<\/p>\n<figure class=\" large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/images.techhive.com\/images\/article\/2013\/07\/insteon_hub_left_2-100048276-large.jpg?resize=580%2C580\" width=\"580\" height=\"580\" border=\"0\" \/><figcaption>Insteon Hub<\/figcaption><\/figure>\n<p>Attackers could use Google or the SHODAN search engine, or could perform port scans, to locate Insteon Hub devices connected to the Internet, Bryan said.<br \/>\nInsteon, the company in Irvine, California, that manufactures the device, was notified of the issue in December, according to the researcher. 
A new version of the product that uses basic authentication for the web service was released in March, he said.<br \/>\nHowever, as far as Bryan knows, there is no method for users to update the firmware, so upgrading to the new version would involve getting a new device.<br \/>\nInsteon did not immediately respond to a request for comment sent via email.<br \/>\nThe new version of Insteon Hub doesn\u2019t encrypt the traffic, and the password used for authentication can be easily decoded by an attacker who can intercept the traffic, Bryan said.<br \/>\nFurthermore, the password is based on a part of the device\u2019s MAC address. Getting a device\u2019s MAC address from the Internet is not possible, but it\u2019s easy to do from the local network, he said.<br \/>\nThis means that if an attacker can break into a home\u2019s Wi-Fi network or into a local network computer, he can potentially gain access to an Insteon Hub device located on the same network.<\/p>\n<h2>Other security issues<\/h2>\n<p>Other devices that were found to have security issues included the Belkin WeMo Switch for power outlets, the Lixil Satis smart toilet, the Linksys Media Adapter, which is no longer being sold, and a radio thermostat.<br \/>\nHome automation systems are often connected to security devices, so they are part of the overall security of a home, Bryan said. 
Because of this, they should have security controls built into them, he said.<br \/>\nCompanies that manufacture these systems are trying to get their products to market as fast as possible, and they often overlook security testing because it impedes that process, Bryan said.<br \/>\n\u201cI really hope that going forward, people will start to learn from these security issues, because it\u2019s very frustrating to me as a consumer to see products come out that aren\u2019t secure and I can easily break into, and then discover a large number of the same products on the Internet that have the same flaws,\u201d he said.<br \/>\nvia <a href=\"http:\/\/www.techhive.com\/article\/2045600\/some-home-automation-systems-are-rife-with-holes-security-experts-say.html\" target=\"_blank\">TechHive<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"
","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7,10],"tags":[481,1177],"class_list":["post-3067","post","type-post","status-publish","format-standard","hentry","category-security","category-technology","tag-home-automation","tag-vulnerabilities"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-Nt","jetpack-related-posts":[{"id":9378,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/07\/13\/smart-home-security-tips\/","url_meta":{"origin":3067,"position":0},"title":"Smart Home Security Tips","author":"NCCT","date":"July 13, 2018","format":false,"excerpt":"https:\/\/youtu.be\/ESqqAf3IGok Megan Morrone and Florence Ion talk to Stacey Higginbotham about tips for securing your smart home. The advantages and disadvantages of running devices on a guest network. 
Plus, how do you know if your devices are getting regular firmware updates.","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"https:\/\/nccomputertech.com\/techtalk\/category\/networking\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/ESqqAf3IGok\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9368,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/06\/18\/this-week-in-tech-671-a-bad-day-for-the-internet\/","url_meta":{"origin":3067,"position":1},"title":"This Week in Tech 671: A Bad Day for the Internet","author":"NCCT","date":"June 18, 2018","format":false,"excerpt":"https:\/\/youtu.be\/wJdSNos8swI Social media is still destroying the world. Top trends at E3. The end of Net Neutrality and the AT&T\/ Time Warner Merger are a 1-2 punch against consumers. Automation is taking jobs in China and at Amazon. White house hacked. GDPR is killing email marketing. Theranos founder up on\u2026","rel":"","context":"In &quot;Social Media&quot;","block_context":{"text":"Social Media","link":"https:\/\/nccomputertech.com\/techtalk\/category\/social-media\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/wJdSNos8swI\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9330,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/04\/03\/security-now-657-protonmail\/","url_meta":{"origin":3067,"position":2},"title":"Security Now 657: ProtonMail","author":"NCCT","date":"April 3, 2018","format":false,"excerpt":"https:\/\/youtu.be\/OeSZg-ph3Ns This week we discuss \"DrupalGeddon2\", Cloudflare's new DNS offering, a reminder about GRC's DNS Benchmark, Microsoft's Meltdown meltdown, the persistent iOS QR Code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new eMail initiative, Free electricity, a policy change at\u2026","rel":"","context":"In 
&quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/OeSZg-ph3Ns\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9910,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/02\/11\/slap-and-flop-siri-ios-18-3-update-apple-music\/","url_meta":{"origin":3067,"position":3},"title":"Slap and Flop &#8211; Siri, iOS 18.3 Update, Apple Music","author":"NCCT","date":"February 11, 2025","format":false,"excerpt":"https:\/\/youtu.be\/Xwqi58VczQ4 What's going on with Siri? iOS 18.3 update is out now, along with a fix to a zero-day flaw. You can buy iPhones on eBay with TikTok installed on them as TikTok is still not available for download on the App Store. And on January 27th, 2010, Steve Jobs\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/Xwqi58VczQ4\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9391,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/08\/12\/this-week-in-tech-679-hotbox-the-waymo\/","url_meta":{"origin":3067,"position":4},"title":"This Week in Tech 679: Hotbox the Waymo","author":"NCCT","date":"August 12, 2018","format":false,"excerpt":"https:\/\/youtu.be\/r0sh0kx0ksQ This Week in Tech Galaxy Note 9, vote hacking, Android Q quandary, robot dogs, and more. --Samsung Announces the Galaxy Note 9, Galaxy Watch, and Galaxy Home musical cauldron. --What is AI? --Self-driving roll-out is increasing. 
--Amazon wants you to pick up groceries at Whole Foods, and wishes you\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/r0sh0kx0ksQ\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9930,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/05\/16\/fbi-says-toss-your-old-router\/","url_meta":{"origin":3067,"position":5},"title":"FBI Says Toss Your Old Router","author":"NCCT","date":"May 16, 2025","format":false,"excerpt":"https:\/\/youtu.be\/scR199zRjvA On Security Now, Steve talks about the FBI's suggestion that we should be tossing out our old routers.","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/scR199zRjvA\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3067","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=3067"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/3067\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=3067"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=3067"},{"taxonomy":"post_tag","embeddable":tru
e,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=3067"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}