Contributor: Mario Ballano
With the holiday season around the corner, thoughts turn to a warm home brightened up by the twinkle of seasonal decorations. If you’re a geek like me, it’s always tempting to opt for the high-tech solution and control your festive lights with one of the growing number of home automation devices available. However, Symantec has found that some of these devices contain security flaws that could allow attackers to gain access to your home network.
Two home automation hubs tested by Symantec had multiple security flaws that could potentially allow attackers to gain access to the hubs themselves and, by extension, to other devices connected to them. The issues aren’t specific to these particular hubs; any connected device is potentially at risk. Many more smart home devices potentially have similar security flaws.
While the explosion of internet-enabled devices, known as the Internet of Things (IoT), holds exciting possibilities for home automation, it also presents some serious security challenges and home users need to be aware that it isn’t just their PCs or smartphones that could be compromised by attackers.
A Pandora’s Box
There is a huge range of smart home devices that could find their way into your house this holiday season:
- Smart power plugs to control Christmas lights
- CCTV cameras to catch Santa’s visit
- Smart smoke detectors in case the Christmas tree catches fire
- Smart entertainment systems, allowing the festive music to follow you from room to room
- Smart thermostats to keep your home nice and warm
- Smart door locks to keep unwanted guests out
- Security alarm systems to keep your home safe while on vacation
Many of these smart home devices connect wirelessly to a central hub which lets you manage them all from a smartphone or web browser. Apart from Wi-Fi, smart home devices use a wide range of communication protocols, such as Powerline, Z-Wave, Zigbee, in addition to custom radio protocols. We started our analysis with two smart power plug and hub combinations.
Smart hubs and security
The first hub we looked at uses Wi-Fi and its own radio protocol for communication. To ensure that the hub is running the latest version of its firmware, it periodically checks the internet for firmware updates. This is a good practice, as users are unlikely to manually update their IoT devices themselves and could potentially fall foul of unpatched, exploitable vulnerabilities.
However, in this case, the firmware updates were not digitally signed and were downloaded from an open Trivial File Transfer Protocol (TFTP) server. This could allow an attacker on the same network to redirect the device to a malicious TFTP server. There are several means of doing this such as through Address Resolution Protocol (ARP) poisoning or by changing the domain name system (DNS) settings. The TFTP server could then send a malicious firmware update to the device. If this happens, then the complete setup would be compromised and other connected devices could be attacked, as the attacker would have full control over the hub.
This same smart hub uses a custom radio transmission protocol for sending commands to connected devices without any additional authentication or security implementation. Unfortunately, this allows for successful replay attacks. These are very simple attacks which allow an attacker within range of the network to intercept some of the traffic and then replay it back over the network. For example, a signal to open a garage door captured while you are leaving the house could be used again later in the day to gain access. The same can be done for turning on or off lights. The attacker doesn’t even need to understand the protocol, they simply have to capture the signal used to issue a command a replay it.
The user can store this hub’s configuration details in a cloud service, allowing them to manage the device from the internet through any web browser. Unfortunately, the user’s account is protected by a simple, four-digit PIN code. This can be easily cracked with the tools available to today’s attackers.
Apart from the problem of an attacker guessing the PIN code (especially considering how “1234” is a common, unsecure PIN choice for many users), there are other issues with this particular cloud service. We discovered that the backend server is susceptible to a blind SQL injection attack. This could potentially reveal other users’ configuration details or may even let the attacker take control of other accounts. This could let the attacker switch off Christmas tree lights, or worse, without even being close to the house.
Unfortunately, the second smart home hub that we tested was not much better. This one did not use any authentication method for commands that were sent in the internal network. If an attacker is on the same Wi-Fi network as the hub, then they could gain control of any device connected to the hub. They could even go a step further, as the hub had a remote code execution vulnerability, allowing the attacker to execute arbitrary commands with root privileges on the hub.
Risks to your smart home
These hubs are just two examples of what we managed to compromise in a short space of time and are the latest in a long line of security flaws found in smart home devices. For example, there have been cases where people modified the thermostat of their ex-spouse or disabled security locks. Recent reports warned of how thousands of webcams and baby monitors are accessible to anyone from the internet. There have also been reports of people taking control of home automation systems belonging to others.
In general, we have found that smart home device sensors can be attacked directly, for example by modifying the firmware through physical access to the device’s JTAG interface. The attackers could then sell the modified device to someone else, potentially compromising other devices or networks in their home.
Depending on the Wi-Fi network’s security settings, attackers could intercept communications from an IoT device to the central hub, smartphone, or the cloud and inject their own commands.
Additionally, if a backend cloud server is used for remote administration, this part also needs to be protected. Attackers could attempt to brute-force passwords to gain access to this server.
You may say that switching someone’s lights on and off is not such a big deal. This may be true, but the effects of a smart home attack are more relevant to security when you are on vacation. Some people may use remote-controlled lights to pretend that someone is still at home to keep burglars away. Smart thieves could also use open IP webcams to check if the owners are at home and where their valuable items are.
Another possible avenue for attackers to explore would be to apply the proven-to-work model of ransomware to the smart home. The homeowner could be coerced to pay a ransom in order to turn up the heating or even just to watch TV. This is a creepy potential paradise for stalkers, burglars, and other shady characters.
You should be vigilant when installing smart home devices and make sure that you understand the devices’ configuration settings. We at Symantec will keep our eyes open on the smart home device market and continue to inform vendors about discovered weaknesses in the devices we study.
Security varies a lot with different smart home devices, so it is difficult to give generic advice to users. Here are a few points to consider when installing smart home devices:
- Only enable remote administration from the internet if you really need it
- Set a strong password for the devices where possible
- Use strong passwords and WP2 encryption to protect your Wi-Fi network
- Use trusted smart home brands from companies that invest in security