Slashdot Mirror


Honeywell Home Controllers Open To Any Hacker Who Can Find Them Online

Trailrunner7 writes: Security issues continue to crop up within the so-called "smart home." A pair of vulnerabilities have been reported for the Tuxedo Touch controller made by Honeywell, a device that's designed to allow users to control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet. Researcher Maxim Rupp discovered that the vulnerabilities could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.

85 comments

  1. Why do you need this stuff on the internet at larg by Anonymous Coward · · Score: 5, Insightful

    At home, sure, using a tablet to access and program the temperatures on your AC is fine.

    But that is your intranet, and securing that should be an obvious practice.

    And I can barely guess why you would want your locks handled that way, though in terms of security, a mechanical key is hardly inherently better than a digital one.

  2. Welcome to the Internet of Things by sinij · · Score: 3, Funny

    In the IoT world, the Internet browses you!

  3. Please upgrade by penguinoid · · Score: 2

    Please upgrade to my patented Honeypot Home Controllers.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  4. Amateur level fail by Nuitari+The+Wiz · · Score: 4, Interesting

    "The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page."

    You'd think that a company like Honeywell would know better about security, especially as they have a whole cyber security division...
    This is like the pages that had a crappy javascript password which you could read by seeing view source, if you knew the keyboard shortcut (right click would be blocked on javascript).

    Mistakes an amateur would make.

    1. Re:Amateur level fail by SeaFox · · Score: 3, Interesting

      "The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page."

      You'd think that a company like Honeywell would know better about security, especially as they have a whole cyber security division...

      I'm sure they don't see any reason to expend such resources on the consumer space.
      That expertise is reserved for getting government contracts.

    2. Re: Amateur level fail by Anonymous Coward · · Score: 0

      They have a security division that they outsourced to India. Right now it's run by managers in Canada who are clueless. That company is a perfect example of global incompetence.

    3. Re:Amateur level fail by umghhh · · Score: 1

      Come to think of it - the lax security may have been a government contract.

    4. Re: Amateur level fail by umghhh · · Score: 1

      You mean, they charged bookkeepers (of limited brain capacity) with design and architectural responsibilities? Seems to be normal corporate practice.

  5. Need to start including USB keys by gurps_npc · · Score: 4, Interesting
    Every secure wireless device - such as a router or NEST etc, should come with a cheap USB drive - 1 GB drives go for less than $2 now, in quantity.

    When you get the device, plug the USB into the device and press a button. It would randomly generate a key and save it to that USB drive.

    Now to connect anything to that device you have to plug the USB drive into it, transferring the password key,

    --
    excitingthingstodo.blogspot.com
    1. Re:Need to start including USB keys by ArcadeMan · · Score: 2

      How about adding a button on the device? To modify anything, you need to hold the button. And it's a momentary push button, not a switch, so the user can't leave it enabled.

    2. Re:Need to start including USB keys by SeaFox · · Score: 1

      How about adding a button on the device? To modify anything, you need to hold the button. And it's a momentary push button, not a switch, so the user can't leave it enabled.

      That sounds too much like WPS. And we know how that came out.

    3. Re:Need to start including USB keys by Anonymous Coward · · Score: 0

      Don't be emotional. WPS is a security disaster because of the algorithm chosen.

    4. Re:Need to start including USB keys by Gaygirlie · · Score: 2

      That would completely undermine the whole idea of it being remotely-controllable. OP's suggestion is much better.

    5. Re:Need to start including USB keys by bjwest · · Score: 2

      And it's a momentary push button, not a switch, so the user can't leave it enabled.

      Yeah, Scotch has a fix for that.

      --

      --- Keep the choice with the user..
  6. this Internet of Things is getting old by turkeydance · · Score: 3, Insightful

    how about the Internet of We Will Not Pay for, and obviously, do not care to have Robust Security for our Systems.

  7. New meaning by ArcadeMan · · Score: 4, Funny

    This brings a new meaning to "Honey, I'm home".

    As in, the hacker is in your home via the Honeywell Home Contr... yeah ok never mind.

    1. Re:New meaning by someone1234 · · Score: 3, Funny

      Also a new meaning to Homeowners :D

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    2. Re:New meaning by Beardo+the+Bearded · · Score: 1

      It's actually "Hello, thermostat." "I'm home."

      "Okay"

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  8. IoT? by ArcadeMan · · Score: 3, Funny

    More like Internet of Trash.

    We've now advanced enough to consider X10 to be better than the new technology.

  9. unlocking doors or modifying the climate controls by fustakrakich · · Score: 1
    --
    “He’s not deformed, he’s just drunk!”
  10. Does this surprise anyone!? by aaarrrgggh · · Score: 1

    I still don't get why people do not assume this is the case by default. While being far from a networking guru, this is what pushed me into learning about how to configure VLANs and OpenVPN so I could put these things into appropriate jails. While I don't doubt I have made errors in configuring the firewall for outbound traffic, it is at least better than nothing, and what testing I can think to do seems to work.

    Ubiquity might be able to make some money with a security appliance that automates and simplifies the process for home users...

    1. Re:Does this surprise anyone!? by umghhh · · Score: 1

      I am for well educated and well meaning fellow humans that use reason, are considerate and have enough time and competence to do all this. Unfortunately most of us humans are stupid, incompetent and lazy and that is not even so bad. The fact is - a tool that requires you to jump a lot of loops to make it work is good for a hobbyist but not for a busy person with a multitude of obligations. This is a design failure that may have dire consequences thus it belongs to be fixed. Possibly the home network design needs features that allow it to be relatively safe without major investment in time and effort. OC if somebody wants to have it on the cheap and without any sort of security then please go for it. Put a label with an appropriate warning on it and it is ok. The sad reality is however that we cannot allow this to continue because at the end we will have everything with labels and warnings that do not increase anybody's awareness.

  11. Common problem across industry by Anonymous Coward · · Score: 5, Interesting

    As someone "in charge" (Systems Architect) of how many of our product lines are secured on the network (obviously not Honeywell), most people in the field would not believe how much time I waste explaining to people over and over and over again that I will not "simplify" the authentication protocols by getting rid of (strong security practices) just because we use SSL. It's an ongoing fight to keep things strong against a thousand little pushbacks from developers, product management, marketing, sales, and legal. Posting anon as it's still in progress, comes up at least once a week.

    1. Re: Common problem across industry by Anonymous Coward · · Score: 0

      And you would be surprised I as a product manager have that same talk every day with sales guys out to make some big bucks. I don't care that the prospect wants it, and their condition of buying my company product is that we accommodate them. In some cases, e.g. CSOS it is outright illegal what they want.

    2. Re:Common problem across industry by RobinH · · Score: 3, Interesting

      It's sad but I fight the same battle almost every day regarding safety systems in factory automation. There are specific regulations and best practices that we have to follow in order to determine that a machine is safe for an operator to use, and it falls under the heading of "big E" Engineering, as in the type you need to have a license to certify. We put a lot of effort into making the machine both provably safe, but we also have to make it recover nicely from an abrupt shutdown if someone opens a guard door, etc. Everyone from management, to the engineering staff, to the operators themselves who use the equipment constantly gripe about how much effort we have to put into the safety systems, even when it's their own life that's at risk. Almost every discussion involves someone saying, "why can't we just tell people not to stick their hand in the machine?" The answer, of course, is that the rules are different for a machine that starts and stops automatically, than it would be, e.g., for a table saw or a drill press with an on/off switch. The rules are different precisely because people do stick their hands into machines that are stopped. Engineers are professionals who accept people as they are, not as we wish they could be.

      Really we could solve the security problems in "IoT" devices by applying the same strict Engineering principles that we do to safety systems in factory automation. You would do this by functionally separating the part of the system responsible for security from the rest of the system, having certified parts that you can purchase that are rated to various industry best practice security standards, and then having a licensed professional engineer review and sign off on the design. Guess what though... it would cost more money. However, I believe there are certain products, where there's a risk to the public, that should be legislated to require this kind of certification.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    3. Re:Common problem across industry by Anonymous Coward · · Score: 0

      My company is the opposite. All I have to say is "we need this for security" and everyone backs away and lets us do whatever we need to.

      Now that they've been very publicly burned, this is how it will go at Honeywell in a couple of years as well...

  12. BSG had it right: Safe Network = No Network by millertym · · Score: 3, Insightful

    I have a hard time thinking of anything more obvious than the fact that "smart " are technology security disasters waiting to happen. With the current architecture of the internet and networking from the top down there is nothing truly safe. Especially consumer grade at home tech built with technology plebeians in mind.

    Call me old fashioned but I see enough at work and stories online every day to commit to keeping my home, appliances, vehicles, and anything else possible off the internet.

    1. Re:BSG had it right: Safe Network = No Network by DNS-and-BIND · · Score: 1

      Now if anyone knew what BSG was, your comment might make sense. No, we do not all watch the same anime movies that you do. Please express your thoughts in plain speech, thanks!

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:BSG had it right: Safe Network = No Network by Anonymous Coward · · Score: 0

      BSG has several possible interpretations:

      Battle Star Galactica - seems unlikely (the mind boggles)
      Benefit Services Group - seems unlikely
      Benenson Strategy Group - seems unlikely
      Bharat Sokka Gakkai - seems unlikely
      Bibliothèque Sainte-Geneviève - seems unlikely
      Billing Services Group - seems unlikely
      Biogeography Specialty Group - seems unlikely
      Boston Search Group - seems unlikely
      Bournemouth School for Girls - seems unlikely
      Bowdoin Student Government - seems unlikely
      Brewers Supply Group - seems unlikely
      British Society for Geomorphology - seems unlikely
      British Society of Gastroenterology - seems unlikely
      British Society of Gerontology - seems unlikely
      Broadband Stakeholder Group - seems unlikely
      Brockport Student Government - seems unlikely
      Buffalo Sports Garden - seems unlikely
      Building Safety Group - seems unlikely
      Business Strategies Group - seems unlikely
      Business Strategy Game - seems unlikely (businesses have a web server, but there's no talk of security)
      Business Systems Group - seems unlikely

      This was the result (alphabetized) of the first ten pages of google search results for "BSG". There were also a number of BSG genes and various other unexplained acronyms. None of them seem likely.

    3. Re:BSG had it right: Safe Network = No Network by Anonymous Coward · · Score: 0

      I thought this was news for nerds? BSG = Battlestar Galactica ... existed since the 70's ... rebooted (really, really well) 10 years ago.

    4. Re:BSG had it right: Safe Network = No Network by KGIII · · Score: 1

      You are confusing nerds with geeks. Nerds may not watch television at all. Geeks watch BSG, pretend to be nerds, and bite the heads off chickens.

      --
      "So long and thanks for all the fish."
    5. Re:BSG had it right: Safe Network = No Network by TsuruchiBrian · · Score: 1

      As long as you are not storing all the security clearance info for the United States in your smart thermostat, I think it will be fine. The Chinese will be able to mess with your temperature and turn on and off your lights with impunity. They can probably also try to unlock my doors during the brief periods of time when my wife hasn't already left them unlocked.

      I would love to see these devices be better secured, but I think the reason they aren't is *because* of the lack of potential harm that is possible. If people were dying because their routers and thermostats were being hacked, then I'm pretty sure the consumer demand for secure devices would drive manufacturers to producing incredibly secure devices for a price that the market would bear.

  13. No shit ... by gstoddart · · Score: 2

    Wow, you mean commercial products designed to connect to the internet have absolutely crap security?

    Well, color me fucking surprised and shocked.

    No, wait, the other one .. where I point out these companies are either incompetent or indifferent to security, have no penalties or liability, and have products rushed out the door by asshole CEOs and marketing people who don't give a damn about security.

    This is precisely why I look at pretty much every damned product which wants to connect to the internet, or has an app for your smartphone and think "oh hell no".

    Trusting this shit is idiotic, and quite frankly, I'm beyond the point of sympathy for people who buy this shit. It's insecure so that it can be convenient. Pretty much at least weekly we see an entire class of products has pretty much zero security. And we're a long way away from being able to trust them.

    Just stop buying this crap.

    --
    Lost at C:>. Found at C.
    1. Re:No shit ... by AmiMoJo · · Score: 1

      I'm beyond the point of sympathy for people who buy this shit.

      You have rather high expectations of the average consumer. They see, say, an IoT light bulb. The box says they can control it with their smartphone, and that it's "secure". Just like their car claims to be safe, that the milk they drink says it's safe, like the anti-tamper seals on bottles are supposed to be secure.

      People can't be experts on everything. They probably had to have their ISP set up their router for them, and have no idea that they even have a home network. It's not their fault, it's our fault. We need to make products that are secure by default and that are easy to understand and use. None of this "just configure your firewall" or "enable WPA2 with a cryptographically strong password".

      Honeywell should not be making insecure devices like this. They should stop, recall them all and wait until they have a secure by default product to sell. Strong regulation and massive fines for enforcement. Mandatory recalls of insecure products.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:No shit ... by gstoddart · · Score: 1

      You have rather high expectations of the average consumer.

      You know what, I don't ... I have exceedingly low expectations of them. I simply don't give a crap any more if people buy this stuff and get hacked.

      I tell people I know about the risks, the rest I stopped caring about.

      It's not their fault, it's our fault. We need to make products that are secure by default

      And for that, I lay the blame squarely at the feet of corporations for not giving a damn, and lawmakers for not holding them accountable.

      Yes, I know, it probably makes me a bad person. But I'm afraid my "sympathy-for-the-hacked" is at an all time low, because in a week or so there will be another story just like this one.

      --
      Lost at C:>. Found at C.
    3. Re:No shit ... by Anonymous Coward · · Score: 0

      >And for that, I lay the blame squarely at the feet of corporations for not giving a damn, and lawmakers for not holding them accountable.

      The right way to fix it is to encourage consumers to look for safety marks on their products, rather than hoping the Government will nanny things just right for them (which results in Californian hospitals apparently causing cancer rather than curing it).

      How many electrical products have you purchased in your home country that have set your house on fire? Almost none?

      UL (or CSA) is why. They're not government entities, but to get their seal of approval on your product they will abuse it to find out how to set it on fire and send it back to them to have it made properly. People sometimes look for the seals, and would certainly look more seriously for them (especially back in the days of toaster fires and electrocutions decades ago), though most power companies now require that anything you plug in bears such a safety mark (and nowadays they don't even directly offer ways to get it, like Ontario Hydro and similar did decades ago, so no conflict of interest there).

      Why we can't have the same thing for proving devices are secure, I don't know. But I sure would rather look for "HackProof Certified (tm)" on a product where the testing was independently done than "Look, we told you it's secure, so please buy it!"

    4. Re:No shit ... by KGIII · · Score: 1

      Nothing is hack proof if it has a connection. Nothing... Not one thing ever.

      --
      "So long and thanks for all the fish."
  14. Re:Why do you need this stuff on the internet at l by Anonymous Coward · · Score: 0

    maybe you're too dull to realize some people have multiple homes, and controlling things remotely is helpful. Of course a vpn would be better.

  15. Re:Why do you need this stuff on the internet at l by Anonymous Coward · · Score: 0

    So why does having multiple homes mean you need to have your controls on the Internet at Large?

  16. Two words: product recall by Anonymous Coward · · Score: 0

    If the government doesn't force a recall then they aren't doing their job.

    1. Re:Two words: product recall by Anonymous Coward · · Score: 0

      Dave Cote (CEO of Honeywell) is a HUGE Obama supporter. This government isn't doing anything to Honeywell any time soon.

  17. Well... by JustAnotherOldGuy · · Score: 1

    I know I'm shocked that consumer-grade gear is wide open to misuse over the web and that no one bothered to think about security when designing it, how about you?

    --
    Just cruising through this digital world at 33 1/3 rpm...
  18. Hack or feature? by guruevi · · Score: 3, Interesting

    The thing has an entire API unauthenticated to whoever is able to connect to it (https:///system_http_api/).

    It's well documented that the point is not to have these things port-forwarded on your router but to be controlled through their proprietary gateway which comes with a monthly fee. Sure you can surf to it on your local network but that's more of a convenience and a lot of features the API exposes are not in the GUI.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  19. The controller accessible from the Internet by nickweller · · Score: 1

    "There are two separate vulnerabilities in the Tuxedo Touch: an authentication bypass bug and a cross-site request forgery flaw."

    So, yet another demonstration of the dangers of putting an embedded web server on the device. All so as they can be advertised as easily configurable through a browser and the end user won't have to read an instruction booklet.
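The two flaws quoted in this thread, an authentication check done only in browser JavaScript and cross-site request forgery, both come down to the server acting on a request without deciding for itself who sent it. The sketch below is an added example, not part of any comment and not Honeywell's code; the paths `/panel` and `/api/setpoint`, the `sid` cookie and the `x-csrf-token` header are hypothetical names chosen for illustration.

```javascript
// Added example, not Honeywell's code. Paths, cookie and header names are hypothetical.
const crypto = require('node:crypto');

// Constructed in-memory session store: session id -> { user, csrfToken }.
const sessions = new Map();

// Create a session after a successful login (the credential check is omitted here).
function login(user) {
  const sid = crypto.randomBytes(16).toString('hex');
  const csrfToken = crypto.randomBytes(16).toString('hex');
  sessions.set(sid, { user, csrfToken });
  return { sid, csrfToken };
}

// Constant-time comparison for secret tokens.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// WEAK design: the server answers every request. The only "check" is a script
// shipped to the browser, which a client that does not run it never sees.
function weakHandler(req) {
  if (req.path === '/panel') {
    const guard = '<script>if(!document.cookie.includes("sid="))location="/login"</script>';
    return { status: 200, body: guard + '<h1>Control panel</h1>' };
  }
  if (req.path === '/api/setpoint' && req.method === 'POST') {
    return { status: 200, body: 'setpoint changed' }; // nobody asked who is calling
  }
  return { status: 404, body: 'not found' };
}

// HARDENED design: the server validates the session before sending anything
// protected, and requires a per-session token on state-changing requests.
function hardenedHandler(req) {
  if (req.path === '/login') return { status: 200, body: 'login form' };

  const cookies = req.cookies || {};
  const headers = req.headers || {};
  const session = sessions.get(cookies.sid);
  if (!session) {
    // The redirect is issued by the server, so no protected content leaves it.
    return req.path.startsWith('/api/')
      ? { status: 401, body: 'authentication required' }
      : { status: 302, headers: { location: '/login' }, body: '' };
  }

  // CSRF: a browser attaches the session cookie to cross-site requests on its
  // own, so the cookie alone does not prove the user meant to send this.
  const stateChanging = !['GET', 'HEAD', 'OPTIONS'].includes(req.method);
  if (stateChanging && !safeEqual(headers['x-csrf-token'] || '', session.csrfToken)) {
    return { status: 403, body: 'missing or wrong CSRF token' };
  }

  if (req.path === '/panel' && req.method === 'GET') {
    return { status: 200, body: '<h1>Control panel</h1>' };
  }
  if (req.path === '/api/setpoint' && req.method === 'POST') {
    return { status: 200, body: 'setpoint changed' };
  }
  return { status: 404, body: 'not found' };
}

// Constructed requests: the same three callers against both handlers.
function demo() {
  const { sid, csrfToken } = login('owner');
  const anon = { method: 'POST', path: '/api/setpoint', headers: {}, cookies: {} };
  const forged = { ...anon, cookies: { sid } };          // cookie only, no token
  const genuine = { ...forged, headers: { 'x-csrf-token': csrfToken } };
  return {
    weakAnon: weakHandler(anon).status,
    weakForged: weakHandler(forged).status,
    hardAnon: hardenedHandler(anon).status,
    hardForged: hardenedHandler(forged).status,
    hardGenuine: hardenedHandler(genuine).status,
  };
}

console.log(demo());
```

Setting the session cookie with the `SameSite` attribute is a complementary control to the token check shown here.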

  20. Re:Why do you need this stuff on the internet at l by Anonymous Coward · · Score: 1

    NAT is not security.

    Unless you're the odd one who doesn't allow internet access to your intranet.

    Or you're the really odd one with real IPs on your intranet, in which case, I hope you trust your firewall!

  21. Useless by Anonymous Coward · · Score: 0

    Except for security monitoring, or maybe an IP camera trained on the dog, I can't see much use for any of this IoT shit.

    Also, ssh passkey to tunnel to your home network?

  22. Re:Why do you need this stuff on the internet at l by MrL0G1C · · Score: 2

    No, but it adds a considerable element of security. If you disagree with me then feel free to attack my PC via the internet, its IP address is 192.168.1.60

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  23. Re:Why do you need this stuff on the internet at l by umghhh · · Score: 1

    The home control allows for instance turning heating/AC on when coming home from holidays earlier than expected - for this, a normal user would use his mobile and web interface or an app. If this is done over vpn then it is (in theory) not exposed but I have serious doubts if normal users would expect vpn to be necessary for it. In any case it was apparently not in the cards to use vpn.
    There are other uses too. Clearly they are not a must but if you can control some of the house functions from your phone then why not from outside of the house?
    At one thing you are correct - having multiple houses is not a must with this technology and probably not even most used albeit a summer house at the seaside is a multihome situation already.

  24. Re:Why do you need this stuff on the internet at l by bjwest · · Score: 5, Funny

    No, but it adds a considerable element of security. If you disagree with me then feel free to attack my PC via the internet, its IP address is 192.168.1.60

    Hey! How dare you use my printer as your PC. No wonder it takes forever to process and print a PDF file.

    --

    --- Keep the choice with the user..
  25. Re:Why do you need this stuff on the internet at l by Beardo+the+Bearded · · Score: 1

    If I decide to go out drinking and I'm out late, I can use my phone to tell my furnace to heat up my house before I get home. Normally it goes to 16C after 10pm, which is when I'm normally in bed. This way, when I get home buzzed / wasted, my house is nice and comfy.

    Also the Honeywell controllers require fingerpoking to change outside of a subset of their normal range. I can't use remote to change outside of 4.5C to 32C... uh, okay, that's a little more range than I would have expected. Voice limits me to a little less than that, but you'd already be inside and could do a lot more damage by throwing my dining room chairs through 4 windows and the TV.

    --

    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  26. We are pretty safe by Anonymous Coward · · Score: 0

    There aren't many "hackers" around in the real world, making the potential pool of people able to attack nicely small.

    No? That not how it works? Then stop using purposely-void terms like "hacker".

  27. First Pooop!!! by Anonymous Coward · · Score: 0

    :poop: :poop: :poop:

  28. It is easy to identify by hlavac · · Score: 1

    It is very easy to identify vulnerable/backdoored hardware - it has the word "smart" somewhere in the name!

  29. Honeywell by nospam007 · · Score: 1

    Honeywell, never again be afraid not to find somebody who will open the door for the contractor when you are at work.
    With our system, anybody with access to Google can open your front door.
    Also not only you will be able to see the babysitter masturbating, the other 7 billion people will be able to watch too.

    1. Re: Honeywell by Anonymous Coward · · Score: 0

      Actually it is more akin to "Security, we don't need no stinking security" We's too smart for you. Pathetic as it is too EASY to secure internet enabled devices. The problem is that people are cheap and lazy and only concerned with the monthly payment plan for the rest of your life business model. Cheap AND Lazy. Clear enough?

  30. but ... but ... by cascadingstylesheet · · Score: 1

    ... I can use If This Then That with it! And control my home appliances with Facebook! What could go wrong?

  31. Re:Why do you need this stuff on the internet at l by cascadingstylesheet · · Score: 1

    though in terms of security, a mechanical key is hardly inherently better than a digital one.

    Well, at least random Russians would have to fly over here first, and get through the INS. At least they used to have to ...

  32. Regulation needed? by golodh · · Score: 1
    Given the natural tendency of companies to (deliberately) skimp on security and the fact that offering decent security isn't likely to emerge by itself in the marketplace, it's clear that we're looking at a deluge of consumer electronics that control real-world equipment and is dead easy to break into.

    I think that security in the consumer sphere is worth having (for our society as a whole) even if nobody (in the market) wants to do it.

    So I was wondering if this (security for electronic equipment that controls real-world stuff) isn't an area that could genuinely benefit from government regulation. Just like minimum safety norms for electrical equipment, building fire regulations and safety regulations for cars.

  33. Re:Why do you need this stuff on the internet at l by Rob+Lister · · Score: 2

    First: What is not noted in the OP is the statement at the end of the article that [this] vulnerability has been fixed. This article interested me in that I recently installed one of their fancy wifi-enabled thermostats, the VisionPRO 8000. I was a little disappointed that I had to access it through their site rather than locally but it is nice to be able to control it from my office computer. I can't imagine I'll ever have the need to access it when away from home. I don't see much risk inasmuch as the worst that can happen is a hacker might make me a bit too chilly. Of course, I don't know that for sure. Perhaps there is some deeper hack that can gain access to my network as a whole through that interface. Then again, there are probably so many holes in my system now that a hacker would just take a more obvious route through one of the garage-door-sized holes.

  34. Re:Why do you need this stuff on the internet at l by Anonymous Coward · · Score: 0

    You can only access that system through their website?

    Now that's an utter rejection condition on its own.

    Local systems should have a local connection, and the hardware to do it is so minimal that I wouldn't expect that they're saving much by offloading it onto theirs.

    But even if it did take a bit more, I'd prefer that over relying on Honeywell or one of the other companies to keep things working on their end that long.

  35. Time to make some new laws... by Anonymous Coward · · Score: 0

    To have something so ridiculously easily hackable in this day and age is beyond a pathetic disgrace. It's criminal negligence.

    There should be a law that any device that can be controlled via a network interface *MUST* have reasonable security. Shipping a device without should get the company fined/sued into extinction.

    There is *NO EXCUSE* whatsoever for releasing crap like this in 2015. It's criminal negligence. If a car manufacturer released a car without brakes there'd be hell to pay. Time to make it the same for morons who pull crap like this.

  36. Re:Why do you need this stuff on the internet at l by Anonymous Coward · · Score: 0

    Yeah, that's the thing, they aren't a must, they are conveniences, and no convenience should come with bad security decisions.

  37. Re:Why do you need this stuff on the internet at l by CreatureComfort · · Score: 2

    I'm at work. The plumber shows up at my house at 10 a.m. I verify his identity and arrival with my front of house cameras. I talk to him remotely via the door intercom, disable the security alarm, and unlock the front door for him. I monitor his work and actions with my internal cameras and watch him leave. I remotely lock the door behind him and re-arm the security system. All the video is watched in a small window in the corner of one of my monitors, while I still get real work done. All without having to take time off from work.

    Doesn't everybody do this kind of thing? Or do you still actually wait for the Comcast guy between the hours 8 and 2?

    BTW, the reported vulnerability has already been fixed.

    --
    "Unheard of means only it's undreamed of yet,
    Impossible means not yet done." ~~ Julia Ecklar
  38. Re:Why do you need this stuff on the internet at l by houghi · · Score: 1

    Because somebody asked if they could and nobody asked if they should.

    So it starts with a machine that does your temperature settings and lights. As the computer can tell time, they add programming it to do it on time.
    Now add security cameras. That is nice to access when you are not home, so connection via Internet.
    Hey, we have Internet and you see you left the lights on, why not add turning off your lights?
    Opening the front door from wherever you want inside the house when somebody is at the door? Sure, no problem.
    You can now open the door when somebody is at the door when you are not at home for whatever reason.

    Basically if it has a switch or a handle, you can now connect it to the same computer that does everything.

    So why do people want it? Because it is easy. Persons are smart, people are stupid. They give out all their private information, because it is easy. People do not think about security, because they are not bad people. They can not imagine that somebody would want access to what they have, so they do not think about protecting it.

    --
    Don't fight for your country, if your country does not fight for you.
  39. Re:Why do you need this stuff on the internet at l by Anonymous Coward · · Score: 0

    There's no comfort for me in a home equipped with internal cameras.

  40. WHAT THE FUCK? by Anonymous Coward · · Score: 0

    I bought a Honeywell thermostat that touted the ability to control your HVAC through WiFi, but when I got it installed it became clear that I had to allow Honeywell to access my thermostat remotely. The way the "WiFi" control worked was that the thermostat connected to Honeywell's servers over my home WiFi and if I wanted to change the temperature I had to create an account at Honeywell, log in, and change the temperature from their Web page. The Honeywell servers then sent the command to my thermostat over the Internet.

    WHY THE FUCK IS THIS NECESSARY? What idiot vetoed a direct link to the thermostat from the user's LAN in favor of this security disaster? That's apparently how Honeywell operates all of their network-capable devices. Good going, idiots.

  41. Re:Why do you need this stuff on the internet at l by Anonymous Coward · · Score: 0

    Doesn't everybody do this kind of thing? Or do you still actually wait for the Comcast guy between the hours 8 and 2?

    BTW, the reported vulnerability has already been fixed.

    We need a -1, Smug mod for this sort of comment.

  42. Re:Why do you need this stuff on the internet at l by TWX · · Score: 1

    Hey! How dare you use my printer as your PC. No wonder it takes forever to process and print a PDF file.

    And here I thought that was just because it was old and only has 2mb RAM in it...

    --
    Do not look into laser with remaining eye.
  43. Re:Why do you need this stuff on the internet at l by TWX · · Score: 1

    This is exactly why I have never gone for "smart controls" like this. Liftmaster is equally stupid with their "MyQ" system on the Liftmaster, Chamberlain, Craftsman, and several other brandings applied to their garage door openers; you have to use Liftmaster's stuff through their servers to control your garage door opener in your house. It literally serves to act as an advertising revenue stream for them if they so choose.

    --
    Do not look into laser with remaining eye.
  44. Re:Why do you need this stuff on the internet at l by TWX · · Score: 1

    Sorry, I really don't want cameras in my bathrooms, and given the risky nature of operating high-temp torches I'd rather be there in person. I've seen a couple of instances at friends' houses where the plumber accidentally set fire to the paper outer layer on the drywall.

    --
    Do not look into laser with remaining eye.
  45. Re:Why do you need this stuff on the internet at l by ripvlan · · Score: 1

    Similar to my question. I don't understand how these things are on the internet - what does that mean? I haven't been able to find technical details.

    If I have a basic home firewall (e.g. Netgear) - with UPnP disabled - are these things on the "internet?" Are these devices found via portscan?

    I went through this when looking at baby monitors. I only want to use them in my house - on the local WiFi. Are these things tunneling out to "the cloud" and are accessible through another channel? Can they be blocked at the perimeter of the house network - using basic equipment?

    In the baby monitor case I decided to go with a proprietary model without "internet" features.

  46. Will it run systemd by Anonymous Coward · · Score: 0

    Can you run systemd on it?

    1. Re:Will it run systemd by Anonymous Coward · · Score: 0

      It's running an older Linux kernel, so hasn't been polluted by systemd yet.

  47. Re:Why do you need this stuff on the internet at l by Anonymous Coward · · Score: 0

    You don't need cameras in your bathrooms. Mostly I make certain workmen are not going into rooms they shouldn't be, and the hallway cameras are more than adequate for that.

    Even if you are there personally, you're not hovering over them every minute they are there working. What are you going to accomplish being there in person if the drywall paper does catch fire? And how many hours do you waste helicoptering during the 99% of the time when nothing happens? Hell, if I have to be at home on the days the maid comes, I might as well stay and do the cleaning myself, but I don't want to give her an anytime access code or key to get in. I do want to monitor when she arrives and when she leaves, and the activities she does while she's there.

  48. Re:Why do you need this stuff on the internet at l by suutar · · Score: 1

    I wouldn't go as high as "considerable"... it adds one hop to "push" attack methods - an attacker has to take over your router. I'd put that somewhere between trivial and substantial extra security (non-inclusive).

  49. Re:Why do you need this stuff on the internet at l by suutar · · Score: 1

    What, and miss an opportunity to telecommute?

  50. already patched by babboo65 · · Score: 1

    This initial vulnerability was identified by Honeywell over 6 months ago and a patch was available and distributed shortly after. The recently reported vulnerability is also patched. http://www.tuxedotouchtoolkit....

    It does call into serious question the reasonable approach of making every aspect (security, appliances, climate control, entertainment, etc...) accessible, controlled, and vulnerable to network attacks. It is no longer just a concern of having a wireless access point in your home - it is now the home itself that is susceptible to attack. As was stated earlier - it's not a matter of IF something can be done but rather SHOULD it be done.

  51. Re:Why do you need this stuff on the internet at l by sjames · · Score: 1

    I can imagine a few good reasons *IF* security is tight enough. For example, many people don't know in advance when they will return home. It might be nice to bump the heat up or the AC down when they're on their way. Some people get 'lock anxiety' when they are out (OMG, did I forget to lock the door). Now they can be sure.

    The key is to make sure it is secure. My preference would be a firewall rule on the router that allows me to ssh to a designated box that then allows me to control the home systems. Make it pubkey authentication only.

    As for the intranet, given how many people fail to secure their WiFi, I wouldn't count on that keeping it secure either. Better if there is decent authentication on the device itself.
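
Added example, not part of the comment above or of the original thread: a small Python audit of an `sshd_config` for the "pubkey authentication only" setup that comment describes, on the designated SSH box. The function names and both sample configs are constructed for illustration; only the global section is evaluated, and `Include` files are not followed.

```python
# OpenSSH defaults, applied when a keyword is absent from the file.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Deprecated spelling that OpenSSH treats as the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_global_settings(config_text):
    """Return (settings, has_match) for the global section of an sshd_config."""
    seen, has_match = {}, False
    for raw in config_text.splitlines():
        # Drop comments; "Keyword=value" is accepted as well as "Keyword value".
        line = raw.split("#", 1)[0].replace("=", " ", 1).strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks follow; not evaluated here
            has_match = True
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        # sshd uses the FIRST value it reads for each keyword.
        seen.setdefault(ALIASES.get(key, key), value)
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}, has_match

def audit_pubkey_only(config_text):
    """List the reasons this config does not enforce key-only logins."""
    settings, has_match = effective_global_settings(config_text)
    findings = []
    if settings["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off")
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if settings[key] != "no":
            findings.append(key + " is not 'no'")
    if has_match:
        findings.append("Match block present: review its overrides by hand")
    return findings

# Constructed sample configs (not taken from any real host).
WEAK = """PasswordAuthentication yes
PubkeyAuthentication yes
# appended later by an admin, but the earlier 'yes' still wins
PasswordAuthentication no
"""
HARDENED = """PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""
```

Calling `audit_pubkey_only(WEAK)` returns two findings and `audit_pubkey_only(HARDENED)` returns an empty list. On a live host, `sshd -T` prints the effective configuration as sshd itself parses it.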

  52. Re:Why do you need this stuff on the internet at l by KGIII · · Score: 1

    I bought the domain localhost from a buddy. It works. The good news is that, for an extra $20, he configured it for me.

    --
    "So long and thanks for all the fish."
  53. Re:Why do you need this stuff on the internet at l by TsuruchiBrian · · Score: 1

    Not to mention the fact that even if locks were perfect, windows aren't that hard to break.

  54. Re:Why do you need this stuff on the internet at l by TsuruchiBrian · · Score: 1

    If you really thought NAT was secure, you'd give out your WAN IP.

  55. Re:Why do you need this stuff on the internet at l by TsuruchiBrian · · Score: 1

    Speaking of cameras in your bathrooms, the one in your master bathroom toilet bowl needs a new battery.

  56. Re:Why do you need this stuff on the internet at l by Anonymous Coward · · Score: 0

    Doesn't everybody do this kind of thing? Or do you still actually wait for the Comcast guy between the hours 8 and 2?

    I'm a cord cutter and tend to be self sufficient. But I'm also lazy so if I got people coming over to do work, I let them know how to get in. I more or less would trust some of them with my life.

    I like your solution too but if you think the people who don't implement or something like that are waiting at home ... coo coo coo coo - unless of course it is a dodge to avoid going to work that day.

    And one more thing, you know god-damn well very, very few people do this sort of everything ("Doesn't everybody do this kind of thing?") - give me a fucking break asshole. Reality is, it isn't necessary. Learn how to fix shit. Learn how to buy stuff that isn't vulnerable (don't buy laundry equipment with motherboards - unless you're commercial and juice is worth the squeeze).

  57. Re:Why do you need this stuff on the internet at l by Anonymous Coward · · Score: 0

    Unfortunately almost every attempt to make security more convenient will inherently weaken the general security. Security is BY DEFINITION an inconvenience, sorry.