Black Hat Talks To Outline Attacks On Home Automation Systems

Posted by timothy on Wednesday June 26, 2013 @05:34AM from the hal-do-you-do? dept.

colinneagle writes "If you use the Z-Wave wireless protocol for home automation then you might prepare to have your warm, fuzzy, happiness bubble burst; there will be several presentations about attacking the automated house at the upcoming Las Vegas hackers' conferences Black Hat USA 2013 and Def Con 21. For example, CEDIA IT Task force member Bjorn Jensen said, 'Today, I could scan for open ports on the Web used by a known control system, find them, get in and wreak havoc on somebody's home. I could turn off lights, mess with HVAC systems, blow speakers, unlock doors, disarm alarm systems and worse.' Among other things, the hacking Z-Wave synopsis adds, 'Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems...An open source implementation of the Z-wave protocol stack, openzwave, is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.'"

1 of 79 comments (clear)

Min score:

Reason:

Sort:

Re:asking for trouble by Miamicanes · 2013-06-26 08:19 · Score: 4, Interesting

> For criminy's sake. TLS is *there*. It's *free*. Why the hell aren't these guys using it??
Quite a few embedded home automation devices are built around 8-bit MCUs like the Atmel AVR family. You'd be massively challenged to get even a minimal subset of TCP/IP working with a chip like the Microchip ENC28J60 ethernet controller and an Atmel Atmega 128. SSL/TLS? ROFLMAO. It's not happening. You could probably kludge something with more chips and sram, but by that point, you'd be better off throwing in the towel and buying a RPi board.
Pre-RPi, ARM boards with additional RAM were pretty expensive (at least $80-150), so a $10 AVR plus $15 Wiznet board represented a huge cost savings. Now that you can get a RPi for $30, it's kind of stupid to keep building controllers with 8-bit MCUs and ethernet-serial bridge boards... but a year ago, the RPi basically didn't exist, and even 6 months ago, it was pretty expensive once you factored in rape-level shipping charges to the US. Genuinely cheap ARM chips with external RAM are game-changing for anything that involves communication over the internet.