Black Hat Talks To Outline Attacks On Home Automation Systems

colinneagle writes "If you use the Z-Wave wireless protocol for home automation then you might prepare to have your warm, fuzzy, happiness bubble burst; there will be several presentations about attacking the automated house at the upcoming Las Vegas hackers' conferences Black Hat USA 2013 and Def Con 21. For example, CEDIA IT Task force member Bjorn Jensen said, 'Today, I could scan for open ports on the Web used by a known control system, find them, get in and wreak havoc on somebody's home. I could turn off lights, mess with HVAC systems, blow speakers, unlock doors, disarm alarm systems and worse.' Among other things, the hacking Z-Wave synopsis adds, 'Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems...An open source implementation of the Z-wave protocol stack, openzwave, is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.'"

This is horrible!

If I can't connect my heater and stereo to the internet I might as well be living in a dumpster. The humanity!

Re:This is horrible!

[Freshly+Exhumed]

But think of the creative potential for staging some awesome swatting theater when the neighbours are away... lights flashing, beepers beeping, curtains ruffling as the authorities arrive... great fun.

blow speakers?

[Joe_Dragon]

So your AMP does not have a overdrive cut off?

Re:blow speakers?

[Gr8Apes]

Not until it shows potential to damage the amp....

Re:blow speakers?

The amp's overdrive cutoff protects the amp, not the speakers. Mine goes out all the time when I'm on the porch with a beer and the stereo cranked. However, if your speakers are rated at less than the amp's peak power (not root mean square) you're doing it wrong. You can't blow 200 watt speakers with a 100 watt amp any more than you can blow a twenty amp fuse with ten amps.

People make the mistake of buying 100 watt speakers and a 100 watt RMS amp and think they're safe. That 100 watt stereo can actually blast more than 100 watts.

Another mistake people make is thinking a 200 watt amp is twoce as loud as a 100 watt amp. It isn't. A 1000 watt amp is twice as loud as a 100 watt amp.

asking for trouble

[beefoot]

Anyone directly connects their home automation equipment to the internet is asking for trouble.

Re:asking for trouble

[stewsters]

No home automation system is an Island. - John Donne

Re:asking for trouble

[gnick]

Anyone directly connects their home automation equipment to the internet is asking for trouble.

If you don't realize that there are security concerns, there are minor conveniences to be had. E.g. heating up the jacuzzi for when you get home, checking to make sure you turned the oven off, cancelling the A/C timer because you won't be home until much later than expected, etc. Minor, but "neat" enough to sell to somebody who wants to show it off.

Re: asking for trouble

[peragrin]

Comcast is pushing their home automation/security system that ties into their servers.

Part of the advertising is to watch your kids come home from school and turn on the lights for them.

Now that is scary. Letting any idiot know when your kids are home alone.

Re:asking for trouble

[Miamicanes]

Connecting HA gear to the internet in a way that's both secure and works (especially with the manufacturer's own Android/iOS/ActiveX software) is actually pretty hard to do with real-world equipment, mainly because the overwhelming majority of stuff that's affordable (and shocking amounts of stuff that's supposedly top of the line) gets implemented with little more than symbolic security that's the equivalent of a TSA lock.

One of the most common ways embedded hardware gets connected to the Internet is via Wiznet w5100 modules (and variants). Basically, the w5100 is a bridge between UDP and a serial port. Data arrives on some port, and gets blindly sent to the serial port. Data comes in through the serial port, and gets sprayed out via UDP. There's some minimal logic that implements a half-assed 8-character "password" that -- at best -- might be equivalent to a 64-bit random number IF you hacked their setup utility to accept arbitrary byte values instead of just letters and digits (effectively turning it into more like a 40-bit random value). Keep in mind that there's no rate-limiting or lockout, so the only limiting factor at which someone can try to bruteforce you is your internet connection.

A few months ago, I estimated that an attacker who knows you have something specific behind a Wiznet interface that responds to a known command with a known response would take about 1-3 months to bruteforce if they kept the rate low enough to not noticeably affect your internet access or attract undue attention, and less than a weekend if they just all-out hammered you as fast as they could, trying only 8-character alphanumeric values and starting with those that begin with digits & plaintext English words.

That itself isn't necessarily the problem per se... there's nothing that says you can't encrypt the data being sent via UDP and in response, and implement stronger authentication and authorization checks on your own... except nothing actually DOES.

99.9% of the time, you have a circuit with almost no real network-level security that was developed with the assumption that someone with physical access to the serial port has already demonstrated some level of authorization, connected to a serial-ethernet bridge whose "security" is almost a complete sham, with predictable results: disaster.

Short answer: if you want to connect consumer gear over the internet, buy a Raspberry Pi, and use it as a middleware gateway device that accepts incoming connections via https, enforces its own strong authentication, passes no raw commands directly between the internet and embedded device, or at least requires that any raw value be signed with a pinned certificate. Then connect THAT to the embedded device through the Wiznet serial-ethernet adapter. Never, ever, EVER expose a serial port directly to the internet through a serial-ethernet adapter... I can almost guarantee that any such adapter that ISN'T built around a RPi and costs less than $200 is inherently insecure and a hack attack waiting to happen.

If you absolutely MUST expose some consumer-grade device with insecure ethernet-serial interface over the internet, at least hide it behind a router running OpenWRT/Tomato/dd-WRT and use something like port knocking and IP range-blocking to temporarily unblock access to your mobile device's current IP address for short periods of time when you intentionally enable it (keeping in mind that with many wireless providers, switching between HSPA/EVDO and LTE will radically change your IP address, and your address might change from request to request ANYWAY.

Re:asking for trouble

[Chris+Mattern]

For criminy's sake. TLS is *there*. It's *free*. Why the hell aren't these guys using it??

Re:asking for trouble

[g0bshiTe]

I can't believe you used Android/iOS/ActiveX in the same sentence as the word secure.

Luckily I continued reading your post and saw what you did there.

Re:asking for trouble

[g0bshiTe]

What OS did you tie it together with?

Re:asking for trouble

[Miamicanes]

> For criminy's sake. TLS is *there*. It's *free*. Why the hell aren't these guys using it??

Quite a few embedded home automation devices are built around 8-bit MCUs like the Atmel AVR family. You'd be massively challenged to get even a minimal subset of TCP/IP working with a chip like the Microchip ENC28J60 ethernet controller and an Atmel Atmega 128. SSL/TLS? ROFLMAO. It's not happening. You could probably kludge something with more chips and sram, but by that point, you'd be better off throwing in the towel and buying a RPi board.

Pre-RPi, ARM boards with additional RAM were pretty expensive (at least $80-150), so a $10 AVR plus $15 Wiznet board represented a huge cost savings. Now that you can get a RPi for $30, it's kind of stupid to keep building controllers with 8-bit MCUs and ethernet-serial bridge boards... but a year ago, the RPi basically didn't exist, and even 6 months ago, it was pretty expensive once you factored in rape-level shipping charges to the US. Genuinely cheap ARM chips with external RAM are game-changing for anything that involves communication over the internet.

Re:asking for trouble

[Miamicanes]

Oh, there will be PLENTY of such designs coming over the next year or two.

The RPi is fundamentally game-changing now that they've finally gotten the shipping charges down to non-anal-rape levels, because it means you can finally get an ARM with enough ram to do SSL via software for less than the cost of an Atmel Atmega 2560 + W5100.

In the past, it was the need for external RAM that killed everyone who tried to homebrew ARM boards with it. RAM looks deceptively easy on a schematic, but it's a BIATCH to actually hand-solder a .5mm TQFP MCU to a board with 30MHz+ bus and make it work reliably. A $30 ARM9 with a few megs of ram, glue chips, and voltage regulator would be a hell of a deal, even if the board literally did nothing else besides break out the remaining pins on the MCU to 100-mil headers.

Re:asking for trouble

[Hevel-Varik]

I've never even seen a mod point, but +1 to you, sir!

Re:asking for trouble

[Miamicanes]

For the morbidly-curious, here's a book that might give you somewhat of an idea of what USED to be involved with interfacing a microcontroller with a network over Ethernet pre-Wiznet w5100, and give the benefit of context to understand why that module (and its descendants) have been so wildly popular among embedded developers working with 8-bit microcontrollers.

http://www.amazon.com/Networking-Internetworking-Microcontrollers-Fred-Eady/dp/0750676981/ref=wl_it_dp_o_pC_S_nC?ie=UTF8&colid=75OKCKDXZ6YI&coliid=I2PABIRD1YO96X

The Microchip ENC28J60 falls somewhere between the older chips written about in that book and a "plug & play" module like the W5100. With the older chips, you were lucky to hack together your own personal networking protocol that (barely) managed to coexist on the same wire as NETBIOS, TCP/IP, and IPX/SPX. The ENC28J60 does for networking kind of what the ATI Rage Theater chipset did for MPEG-2 video compression... it accelerates and automates some of the grunt work of interacting with signals on the cable so you can pay attention to bigger details, like your actual protocol. I've never personally used it, but from what I've read, ENC28J60 TCP/IP is "do-able, but with a few cautions and limits". By comparison, the W5100 is pure black magic... to your embedded app, it turns the Internet and/or your local LAN into a big virtual serial cable.

When the w5100 came out ~5-6 years ago, embedded developers were LITERALLY dancing in the streets, because it was dirt cheap and "just worked". Security wasn't even a CONSIDERATION until 2-3 years later, when the consequences of exposing the serial ports of devices with no security besides physical access to the port started to really sink in... and the devices themselves had almost no serial-port security, because pre-Wiznet, an ethernet-serial adapter cost somewhere between $250 and $400... at RESELLER prices. Pre-w5100, serial ports just plain didn't get exposed to the internet, because the adapters to do it were too expensive to even contemplate.

Re:asking for trouble

[citizenr]

Why RPi? Do you really need that HDMI out?
You can get Ralink 350MHz MIPS modules running OpenWRT for $16 INCLUDING SHIPPING
$20 if you want fancy plastic enclusoure (HAME MPR-A1 )

http://dx.com/p/hi-link-hlk-rm04-serial-port-ethernet-wi-fi-adapter-module-blue-black-214540
http://www.hlktech.net/product_detail.php?ProId=39

http://wiki.openwrt.org/toh/hilink/hlk-rm04
http://wiki.openwrt.org/toh/hame/mpr-a1

or just get $20 TP-Link 703N like everyone else.
http://wiki.openwrt.org/toh/tp-link/tl-wr703n

Re:asking for trouble

[Miamicanes]

The RPi ALSO has a CPU & lots of ram, so it takes the place of BOTH the serial-ethernet bridge AND 8-bit MCU. The boards you mentioned are interesting alternatives to the w5100 (though I couldn't find anything about their inherent security, or lack thereof, vs w5100), but I'm pretty sure that a RPi is probably still the most cost-effective way to get internet-connectivity that includes SSL regardless of whether or not you care about HDMI.

In the grand scheme of things, HDMI adds very little to the RPi's cost. HDMI is just a collection of fast serial ports with inline op-amps to balance the signals, and the entire implementation besides the port itself is inside the SoC anyway. A Pi board without HDMI might cost a whopping 50c less, but if you actually needed HDMI, you'd end up spending half as much as the entire Pi for a HDMI port on a 100-mil breakout board by the time you factor in the purchase price and shipping.

Re:asking for trouble

[citizenr]

umm do you know what Linux is? Openwrt?
Boards I linked run full Linux. Half MHz of RPi at half the cost.

Boards I mentioned arent alternatives to W5100 .. they are complete SoCs with GPIOs, plenty of ram, ethernet and Wifi.
hlk-rm04 does >5 Mbits over ssl aes-256-cbc tunnel.
TP-Link 703N does >15 Mbits over ssl aes-256-cbc tunnel.

When I said HDMI I meant GPU part of RPi, something you would never use on a home automation box that opens garage door or operates lights.

So, do you think 5 Mbit will be enough for a remote light switch at $16 shipping included, or do you really need RPi at twice the price? :)

Re:asking for trouble

[Miamicanes]

Wait... you're saying the HI-LINK HLK-RM04 is a complete SoC, and not just a wi-fi/serial bridge module?!? Now I'm intrigued & might need to order one ;-)

You're right about not needing a GPU to open the garage door and control lights, but remember... when you're talking about ASICs, there are MASSIVE economies of scale. It's cheaper to make 5 million chips with GPU 2 million buyers don't care about than it is to make 3 million with GPU and 2 million without. Eventually, there's a point where it becomes cheaper, but for something complex like a GPU, there's also a huge area where it's still cheaper to make them all with it, test them, bin the ones with defective (or just untested) GPUs, and sell THOSE as the "GPU-less" version.

Interesting Google sidetrip: I don't remember the exact chip, but I know a few grad students (from Michigan, I think... maybe Arkansas, Kansas, and/or Oklahoma) have already built prototypes of low-cost short-range (~10-25 mile) weather radar arrays using basically three off-the-shelf chips (Broadcom agile baseband processor, TI DSP, and ARM-based SoC) with a 250-watt class-D amp tuned for ~5GHz to build an exciter with software-defined receiver that needs little more than a rotating high-gain antenna and power supply to be hardware-complete. Obviously there's a huge amount of software development remaining just to get it to the point where you can make the output look like current weather radar data & view it with off-the-shelf apps, but when you're taking about building something that could profitably retail for $10,000, and would currently be classified as "unbelievably cheap" with a $400,000 price tag, well... that's definitely dotcom-level "disruptive innovation" ;-)

Re:asking for trouble

[citizenr]

HLK-RM04 is almost the same PCB to the one that sits inside this
http://dx.com/p/hame-mpr-a1-wifi-802-11b-g-n-wireless-3g-router-w-1800mah-battery-charger-dongle-122121

I gave you 5 links and it seems you didnt read a single one of them :)

and no, its not cheaper to make SOC with GPU, Ralink CPU that is powering this board costs about $6. SoCs with GPU start around $10 (Allwinner)

Re: asking for trouble

[webdesign12]

Comcast is pushing their home automation/security system that ties into their servers.

Part of the advertising is to watch your kids come home from school and turn on the lights for them.

Now that is scary. Letting any idiot know when your kids are home alone.

What is your dream ? Please said to me, How to create responsive web design?

This is only cool because...

[Synerg1y]

Hackers can now become professional burglars. Revenge of the nerds anyone?

Re:This is only cool because...

[g0bshiTe]

What do you mean "can now" Gates and Jobs did it years ago.

Yup ...

[gstoddart]

My cable company keeps sending me crap for home monitoring whereby you can control your alarm from your smartphone -- and I wouldn't trust that.

My energy company wants me to sign up for a smart thermostat where they can remotely change my temperature if they decide I should be using less energy -- and I sure as hell wouldn't want that.

Opening up access to these things from outside of your home sounds like it might be convenient, but it's a gaping security hold waiting to happen.

No way, no how would I want things like this. Because I have zero confidence that the people writing this give a shit about my security, just getting a product to market.

Re:Yup ...

[FeelGood314]

If you are in North America your energy provider is most likely using ZigBee Smart Energy. That is a mostly open standard in that anyone can read the spec. but only ZigBee members can change it. The spec uses Elliptic Curve Cryptography for key exchange and authentication and AES for message security. It's pretty darn secure but unfortunately much harder to set up than the Z-wave. Users seem to choose convenience over security every time until after they have been attacked. Disclaimer - I'm working on a ZigBee thermostat right now.

Re:Yup ...

[plover]

My energy company wants me to sign up for a smart thermostat where they can remotely change my temperature if they decide I should be using less energy -- and I sure as hell wouldn't want that.

And why is that?

Here's the deal: the world is adding a lot of homes and factories to the existing power grid, but they're not building a lot of new electrical plants. Nobody wants coal stacks near their house, nobody wants nuclear power in their back yard, nobody's going to dam another valley and kill a bunch of endangered owls, yet everyone in those new homes and factories still expect the lights to come on when they flip a switch. The grid is not only close to capacity, it's frequently at capacity. Instead of causing rolling blackouts, your power company probably buys supplemental peak electricity from factories and data centers that have large backup generators - but that emergency electricity costs anywhere from 10X - 50X the price of their existing plants, and burns expensive diesel fuel or natural gas.

The power companies would be happy to give you regular electricity at lower rates if they could charge you peak rates for consuming extra electricity during peak times. I say this because that's exactly what mine does. By agreeing to allow them to shut off the power to my heat pump for up to 40 minutes per hour during peak demand, I pay about $0.05/kWh for all the energy it uses year round. Without their demand sharing program, it would cost me at least $0.12/kWh no matter when I use it. Between me and the other members of my co-op signing up for this program, we have saved enough peak generating capacity to defer the construction of a new power plant by 10 years, so our overall rates have remained nice and low. I haven't seen an electricity price increase in 10 years. (Yes, electric co-ops are awesome and your giant energy conglomerate sucks.)

So what if the house gets a few degrees warmer on about 5 afternoons out of the year? Cooperation is worth it.

And regarding security, our load controller is a simple FM receiver that operates a relay. When it gets a "sharing request", it picks its own time window and shuts the pump to the compressor off for a random 40 minutes out of each hour. The thermostat is calling for cooling, the HVAC system is running the fans and it thinks it's turned the compressor on, but nothing cool actually happens. The relay is the only interface to my house, and it is wired directly into the compressor. There is no other interconnection with any home systems, no back channel through which a hacker could inject a rogue FM signal to unlock my doors, or disable my alarm system, or shut off my freezer and make my frozen foods all melty.

Re:Yup ...

[Miamicanes]

> And why is that?

Because they'll cut your AC precisely on the hottest days of the year when you need it the most. But wait, it gets worse. If you cut the compressor, but allow the fan to run, you're effectively running dry air over a pool of water in the evaporator pan. If your compressor can only run for 20 minutes per hour, it's 100+ degrees outside, and your thermostat is set to 74, the interior temperature is probably going to go up more in 40 minutes than it can be cooled in the remaining 20, which means your blower is going to run nonstop for hour after hour -- raising the humidity in your house, allowing the temperature to creep up, AND using almost half as much power running the blower alone for an hour that you WOULD have used if they'd allowed the compressor + blower to run normally for 10-15 minutes two or three times per hour.

Years ago, I rented an apartment that had a FPL on-demand box installed. In return for a piddling discount of something like $5/month off an electric bill that normally exceeded $180-220, they left me completely MISERABLE several dozen times per year (2-3 times per month during the month or two we call "winter", AT LEAST 3 or 4 times PER WEEK during the remainder of the year).

Even worse, I had to fight with them for MONTHS to get it removed, and finally had to get the Florida PSC involved to force them to remove it. They apparently figured that since I was renting, if they just stonewalled me long enough, eventually I'd move out with the box still in place.

Any "savings" were completely neutralized by the fact that I had to cool the house down to 70 before 11am and keep it there all afternoon as a defensive measure against having it disabled when I needed it the most. The irony is that my bills went DOWN by ~$20-30/month (even after the discount was removed), because I no longer had to supercool the house daily before noon to subvert them.

Re:Yup ...

[Ol+Olsoc]

And why is that?

Here's the deal: the world is adding a lot of homes and factories to the existing power grid, but they're not building a lot of new electrical plants. Nobody wants coal stacks near their house, nobody wants nuclear power in their back yard, nobody's going to dam another valley and kill a bunch of endangered owls, yet everyone in those new homes and factories still expect the lights to come on when they flip a switch.

We once had a drought in our area. The powers that be demanded that we all cut back on our water usage by 20 percent. But they didn't restrict new water connections. In an area where growth was around 10 percent annually at the time, that didn't mean much. It's an interesting calculation to figure that one new connection wiped out the gains from a lot of water conservation by existing citizens.

Using energy efficiently is the wise thing to do, but we cannot conserve ourselves out of this problem, because eventually that will demand that everyone use no energy at all. Which I suspect will be a real shot in th earm for solar. Even then, we're going to have to start building nuc plants again. Hopefully not as stupidly as we used to build them.

Re:Yup ...

[Ol+Olsoc]

Maybe you can try living within your environment a bit. Keep the thermostat at 80 in the hottest part of the summer and 70 in the coldest part of the winter. You don't need the heat and/or AC the rest of the year. Try opening windows once in a while instead of depending on an artificial climate. I doubt I used my heat five times last winter and the AC is never on at night.

Because a overwhelming majority of the people who moved to Florida moved there because of the "mean cold winters", in other parts of the country. Oh, but those summers?

I have some relatives who only experience the natural summer climate when they walk to or from their cars. The rest of the time they are in air conditioned comfort.

The native Floridian, who can be comfortable in the summer, is much like the person who lives in Alaska. They just exchange the season where Mother Nature is trying to kill them.

Re:Yup ...

[Miamicanes]

Miami has two seasons: Summer and February.

In case you haven't noticed, Miami is normally about 10 degrees hotter than Daytona... especially in the evening. North of Orlando, the temperature goes down a bit after sundown. In Miami, the thermometer just kind of laughs at us and stays where it is. Or worse, in the winter, we get wacky nighttime heat inversions where it'll be in the upper 70s as the sun is going down, then start going up again around 9-11pm until it's in the mid-80s by midnight. Your air conditioner runs a lot for half the day. Our air conditioners don't get as much of a break. Especially when you're trying to cool the interior down to 20 degrees or more below ambient outside temperature.

In Central Florida, a heat pump makes sense. In South Florida, you'll get more usefulness out of a dual-speed compressor that can run longer at reduced speed to wring more humidity out of the air, but kick into high gear in the mid-afternoon and keep the house cool in scenarios where a properly-sized air conditioner would actually be fighting a losing battle against the sun & your indoor temperature would be creeping up by a degree every hour or two EVEN WITH the air conditioner running constantly. Putting the whole "heat thing" into perspective, I've literally gone for entire "winters" without ever turning on the heat. Over the past year, I think we've had MAYBE 4 or 5 days when it was genuinely cool AND DRY enough outside to open the windows... at night. MAYBE two days in February or March when it was still cool and non-humid enough during the day. Even when it's in the upper 60s, we STILL have insane humidity that ruins it.

I still remember joyfully watching a huge cold front making its way south a few months ago (January?), I think it even snowed in Jacksonville, then... DAMMIT! The cold front NEVER MADE IT SOUTH OF WEST PALM BEACH. It's like it just ran into our wall of heat & humidity & fizzled out after dumping 3 feet of snow on the entire eastern seaboard and midwest.

Re:Yup ...

[Rich0]

Because they'll cut your AC precisely on the hottest days of the year when you need it the most.

Tend to agree - the way it is implemented is really dumb.

There should be three options:
1. No participation
2. Load balancing / emergency use only.
3. Rollback on high demand days.

Option 3 should get you a big utility break - it allows the utility to greatly reduce their peak supply capacity as they can count on being able to really turn you back on hot days. This would be ideal for locations that are unoccupied during peak periods.

Option 2 is where most people would want to be. It would not affect your daily consumption at all. Instead the only thing the utility would do is manage very short term peaks. For example, if suddenly load goes up and they're reaching capacity they could turn off a bazillion air conditioners for 15 minutes. That dumps a ton of load instantly and buys them a little time to bring more plants online. The result is that they can operate closer to capacity with fewer plants online, and their emergency capacity plants don't have to be able to spin up in 2 minutes. That means more flexibility on plant design, and likely savings. There would not really be any noticeable restrictions on customers who opt-in, and the savings would be more moderate. This is about being smart about how we cool homes - not making people less comfortable.

Option 1 would be the status quo.

Option 2 is what is missing in the way load-shedding is implemented, and I think that it is potentially a large opportunity to change how we manage the grid on a strategic level. A smart grid shouldn't be about punishing people who want cool homes - it should be about helping people to save money without having to sacrifice comfort.

Encryption

[girlintraining]

I don't get it... we can't even secure our nuclear power plants, water and waste processing facilities, and other critical public infrastructure from attacks on industrial infrastructure. Why would anyone in their right mind think home automation would be any more secure?

Re:Encryption

[gstoddart]

Why would anyone in their right mind think home automation would be any more secure?

Because it's shiny.

They're not thinking of security, they're thinking "ZOMG, I can switch off teh lights from teh phone".

Nobody thinks that if there's a way for you to remotely control your home, there's a threat vector for someone else to remotely control your home.

Re:Encryption

[plover]

I don't get it... we can't even secure our nuclear power plants, water and waste processing facilities, and other critical public infrastructure from attacks on industrial infrastructure. Why would anyone in their right mind think home automation would be any more secure?

We wouldn't think they're more secure, because we don't need to take them as seriously. By the same logic, why would anyone worry too much about their home automation system when there are so many other more valuable systems to attack?

I don't yet have door locks, windows, or security systems tied into mine, so pretty much all a bad guy could do would be to blink the lights. If he was way smarter than me, he might figure out how to turn on my TV remotely (I'm still having problems integrating it, and would likely appreciate his assistance.) About the most damage he could do would be to disable my water sensors, so if my sump pump failed my basement would get wet without alerting me. He could threaten to hold my house hostage, denying me the use of my home automation system unless I paid him - which would earn him nothing but scorn until I disconnected and reconfigured the systems.

But if he attacked a water plant he could shut down water, burst pipes, or blow out pumps, causing millions of dollars in damages. He could hold the city hostage. It's a much more interesting and lucrative target.

Re:Encryption

[pongo000]

I don't get it... we can't even secure our nuclear power plants, water and waste processing facilities, and other critical public infrastructure from attacks on industrial infrastructure. Why would anyone in their right mind think home automation would be any more secure?
Reply to This Share

Because some of us are in our right mind. I use an SSH tunnel accessible by my smartphone to control a Radio Thermostat via my wifi router, with WPA-2 authentication and MAC authentication. Perfect? Of course not...but I'm reasonably comfortable with the level of security I'm using. So yes, home automation can be done securely. It would be far easier for someone to just bust a window and change the thermostat by hand than to hack their way into my setup.

Unfortunately, doing it right is beyond 99.99% of the population's technical know-how to pull it off successfully and securely. The GP nailed it: So long as there is a commercial incentive to give the public a shiny interface to their home automation stuff, it will never be done securely.

Re:Encryption

[bws111]

Yep, you're a genius and everyone else is stupid, right? Or isn't that what you were implying with your use of shiny, ZOMG, and teh?

People don't care because in the list of 'threats' we are faced with in everyday life, the threat of getting your home automation system hacked is so low it doesn't even register. Furthermore, the consequences of getting your home automation system hacked are equally as low. Think - same likelihood as getting hit by lightning with the same consequences as getting a paper cut.

There was a show on TV recently where they showed how people's fear affected their judgement of threat. If you are afraid of something, you perceive it is a big threat, often way out of proportion to the actual threat. For instance, they asked people what creature you were most likely to be killed by in the US. Many (most?) people had no idea - it was just not something they thought about. However, many people absolutely KNEW what the answer was - snakes, spiders, vicious dogs, homicidal maniacs, whatever their particular fear was. The actual answer (which absolutely no one got) was deer, because so many of them are involved in car accidents.

Geeks are terrified of getting hacked, and they blow the threat of being hacked (and the consequences of such) way out of proportion to the actual threat. Not normally a problem, except for when they insist others must also share their fears.

Re:Encryption

[Ol+Olsoc]

Nobody thinks that if there's a way for you to remotely control your home, there's a threat vector for someone else to remotely control your home.

No one is thinking, "ZOMG someone could turn my lights on and off!", because calling that a threat is stupid.

How about turning your lights off for good? How about turning your heat off during a Minnesota winter, or A/C during a Chicago Summer? People do indeed die for that sort of thing.

It's not that such a thing is all that likely. But it's like putting the Circuit breaker box of your house outside the house. Maybe those kids that keep walking on your damn lawn will let it alone, or maybe they'll screw with it.

Re:Encryption

[bws111]

How, exactly, could someone turn your lights off 'for good'? Can they somehow prevent you from unplugging a lamp from the automation device and plugging it directly into an outlet? If they kill the power to to whole house, call the utility - they will come and repair it in a few hours.

People die when their HVAC isn't working? No, they call someone to come and fix it.

As for circuit breakers outside the house, well, some places do have those. And almost everybody has a meter outside their house, which can easily be pulled in a few seconds using only a clipper to cut the seal. Ever hear of that happening? And anybody with a wrench could easily shut off gas service at the meter. How often does THAT happen?

Finally!

[SeaFox]

All your base belong to us!

Re:Finally!

[plover]

All your base belong to us!

A meme, and perfectly on topic! Congratulations, sir, you win at Internet today. Do a barrel roll!

Didn't Battlestar Galactica teach us anything ...

[schwit1]

... about being overly automated and the risks involved?

Big Trouble

Schlage made a big deal about how secure their system was, since it was basically controlled by them (hence the monthly fee). That was one of the main selling points that we were to emphasis to potential customers (I work for a Schlage distributor).

A lot of high income customers have this entire system set up, down to the door locks, cameras and everything else. This is going to make it much more difficult to sell without some sort of response from the industry.

Home security system...

[gQuigs]

I would really like to have one installed, but all the wireless ones don't seem to even consider that the attacker might be able to attack electronically first. (It's not even mentioned on most of their websites).

So.. who makes a good security system that is open and secured (means they actually need to update the software!), and ideally will install it for me? I'm fine with a wired system but I still want it to be open...

(Price range: ideally not more than $500, and I would prefer text/phone alerts with no "monitoring")

Re:Home security system...

[plover]

Mi Casa Verde makes the Vera home automation system. It's built on OpenWRT. For security systems it supports several different brands of Z-wave wireless sensors. It can control lights, locks, alarms, blinds, temperature, IP cameras, etc. It speaks Z-wave via a built in radio, but can also control Insteon and other home automation systems. And it's meant to be hacked and extended. You can even install a growl plugin for Vera, and then a growl notification app on your cell phone, if you want to be alerted by it. Nothing requires a monthly fee.

They offer a free service for remote access, but you certainly don't need them to do it for you. (All their service does is eliminate hassles with DNS and firewalls by serving as a proxy.) Some people simply poke a hole in their firewall allowing them to SSL directly into it.

The company is really good with their customers.

My only complaint is that no matter what they say, it still takes technical ability to set it up. It's not what I'd call plug-and-play ready to sell at Home Depot. No home automation system has reached that level of maturity yet.

Re:Home security system...

[gQuigs]

Yea.. I was looking at something similar (although more DIY) in http://ninjablocks.com/

> Mi Casa Verde
They really seem to want to use cameras in their packages at least. What devices do you have from them? Where is the footage stored from the cameras?

Re:Home security system...

[plover]

Sorry, I don't have cameras, so I don't know how they work through Vera. From what I understand, if you have a compatible IP camera system that can be remotely controlled, you could play it back through Vera. I also know there's only a certain subset of cameras that work through Vera - and you can find them on their wiki. But I know Vera doesn't do the actual video compression or storage - that's part of your camera/video system.

So they're even?

[tqk]

Erm ...

An open source implementation of the Z-wave protocol stack, openzwave, is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.

If the closed source implementation *with encryption* is this fragile, what reason is there not to replace it with the OSS implementation? Eventually, the OSS version will support encryption and in the meantime you'll have a better (more reliable and manageable, likely more extensible, obviously less expensive (no support contracts)) system.

No, "lawyers" or anything related is not a good answer.

Philips Hue

[TheNinjaroach]

So hackers are gonna change the colors on my lightbulbs?

Re:Philips Hue

If you can compromise all of them in your city, poll every 5 minutes, and find out who's out of town? Easier than driving around every day and seeing which cars aren't moving.

Re:Philips Hue

[dgatwood]

And then disable the alarm system, and if the home is really automated, unlock the door. Devices intended to provide security should, first and foremost, be secure. If they aren't, they are worthless—doubly so if they actually open up additional vulnerabilities that otherwise would not have existed.

Yo Dawg I heard your locks were network aware

so we found a backdoor to your back door so we can own your home if you are a homeowner!

Which is why....

[Lumpy]

Only the low end stuff for home automation uses Z-wave.

AMX and Crestron dont.

Re:Which is why....

[Lumpy]

And nobody... NOBODY uses it. 99.97% of all installs are hard wired.

Want to try again and look through their catalog to see what else you can bring up?

Re:Sometimes less "tech" really is better.

[Lumpy]

wonderfully said by a poor plebe that can ever afford it. I love how you guys seethe hate.
And yes full, real home automation DOES make your life better.

Re:Who cares

[dgatwood]

Home security systems are meant to stop the small time thieves. If you are smart enough to hack into my home automation stuff and turn off my lights its probably not worth your time.

This is the same flawed argument that makes DRM seem useful. The fundamental flaw in your logic is that you assume that each crook must learn about the systems and learn how to crack them for each home.

In reality, all that is required is for a single person to crack the security scheme once, and then develop a tool to reproduce the attack. He or she can then sell that tool to all the small-time crooks, and before long, they're as ubiquitous as lock picks. To make matters worse, you don't have to stand there looking suspicious while you pick an insecure digital lock or disable an insecure digital alarm system.

No, in the long term, easily cracked electronic door locks and alarm systems are going to make those small-time burglars very happy.

You know what this means...

[mordjah]

Wardriving is about to go to a whole new level..

think of the pron-collecting possibilities ...

[dltaylor]

Those camera are advertised as having decent resolution, at least at TWC.

Why break in?

Just collect the family in various states of undress, not to mention activity, and sell it to the underground.

I'd like to see the ad where the wife in the meeting catches her husband and neighbor having sex on the dining room table. Be a real winner to drop on the table at the meeting.