A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave.
Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights, and other sensitive systems.
The Trustwave researchers plan to discuss vulnerabilities they discovered in several such products during a presentation Thursday at the Black Hat USA security conference in Las Vegas.
One of the more interesting devices they tested was a home automation gateway system called VeraLite that’s manufactured by a Hong Kong-based company called Mi Casa Verde.
The VeraLite is an embedded device that sits on a home network and can be used to control other systems connected to it. It can manage as many as 70 devices at once and is equipped to work with 750 smart systems, including lights, thermostats, surveillance cameras, alarm systems, door locks, window blinds and HVAC (heating, ventilation, and air conditioning) systems.
In its default configuration VeraLite doesn’t require a username and password, so if the owner doesn’t set one up intentionally, the device can be accessed and controlled by anyone from the local network, said Daniel Crowley, a security researcher at Trustwave.
Even if the device owner does create a username and password, the device can still be controlled using the Universal Plug and Play (UPnP) protocol, which doesn’t have built-in support for authentication, Crowley said. You can write your own UPnP authentication feature or use an UPnP extension for it, but Mi Casa Verde didn’t do this for VeraLite, he said.
VeraLite’s UPnP functionality allows anyone located on the local network to execute arbitrary code on the device as root, the highest-privileged account type, giving them complete control over the system, the researcher said.
It is also possible to exploit this vulnerability from the Internet by launching a cross-protocol attack against a user who is on the same network as the device.
“If I know that someone has a VeraLite on their home network and they’re at home, I can trick them into visiting a web page that instructs their browser to set up a backdoor on their VeraLite device using UPnP,” Crowley said.
Another thing that’s concerning is a remote access feature in VeraLite that involves the device connecting via the Secure Shell (SSH) protocol to a remote forwarding server operated by the manufacturer, Crowley said. The user can then log in to the forwarding server via a remote web interface and control their device, he said.
This architecture has security problems, because when the VeraLite connects to the forwarding server, the port is forwarded, Crowley said. “Connecting to a particular port on the forwarding server connects you to your VeraLite.”
According to the researcher, this creates a single point of failure, because if an attacker managed to bypass the firewall protecting the forwarding server, he could get access to every VeraLite unit connected to it.
An attacker wouldn’t necessarily need to compromise the forwarding server itself. Finding and exploiting a vulnerability in the web interface or the web server could be enough, Crowley said.
When these issues were reported to the manufacturer, the company responded that these are not vulnerabilities but intended features that exist by design, the researcher said.
It’s an odd design to give users the option to create a log-in account and password and have different levels of access on the device, but then create a separate so-called feature that bypasses all of those security controls, he said.
Mi Casa Verde did not immediately respond to a request for comment sent via email.
Another product analyzed by the Trustwave researchers is called the Insteon Hub and is a network-enabled device that can control light bulbs, wall switches, outlets, thermostats, wireless Internet Protocol (IP) cameras and more.
“When you first set up the Insteon Hub, you’re asked to set up port forwarding from the Internet to the device, so basically you’re opening up access to it to anybody from the Internet,” said David Bryan, a Trustwave researcher who reviewed the device after buying one to use in his house.
The Insteon Hub can be controlled from a smartphone application that sends commands to it over the local network or the Internet, he said.
When inspecting the traffic coming from his phone over the Internet and into the Insteon Hub, Bryan discovered that no authentication and no encryption was being used. Furthermore, there was no option to enable authentication for the web service running on the Insteon Hub that receives commands, he said.
“This meant that anybody could have turned off my lights, turned on and off my thermostat, changed settings or [done] all sorts of things that I would expect to require some sort of authorization,” Bryan said.
Attackers could use Google or the SHODAN search engine, or could perform port scans, to locate Insteon Hub devices connected to the Internet, Bryan said.
Insteon, the company in Irvine, California, that manufactures the device, was notified of the issue in December, according to the researcher. A new version of the product that uses basic authentication for the web service was released in March, he said.
However, as far as Bryan knows, there is no method for users to update the firmware, so upgrading to the new version would involve getting a new device.
Insteon did not immediately respond to a request for comment sent via email.
The new version of Insteon Hub doesn’t encrypt the traffic, and the password used for authentication can be easily decoded by an attacker who can intercept the traffic, Bryan said.
Furthermore, the password is based on a part of the device’s MAC address. Getting a device’s MAC address from the Internet is not possible, but it’s easy to do from the local network, he said.
This means that if an attacker can break into a home’s Wi-Fi network or into a local network computer, he can potentially gain access to an Insteon Hub device located on the same network.
Other security issues
Other devices that were found to have security issues included the Belkin WeMo Switch for power outlets, the Lixil Satis smart toilet, the Linksys Media Adapter, which is no longer being sold, and a radio thermostat.
Home automation systems are often connected to security devices, so they are part of the overall security of a home, Bryan said. Because of this, they should have security controls built into them, he said.
Companies that manufacture these systems are trying to get their products to market as fast as possible, and they often overlook security testing because it impedes that process, Bryan said.
“I really hope that going forward, people will start to learn from these security issues, because it’s very frustrating to me as a consumer to see products come out that aren’t secure and I can easily break into, and then discover a large number of the same products on the Internet that have the same flaws,” he said.