Slashdot Mirror


Honeywell Home Controllers Open To Any Hacker Who Can Find Them Online

Trailrunner7 writes: Security issues continue to crop up within the so-called "smart home." A pair of vulnerabilities have been reported for the Tuxedo Touch controller made by Honeywell, a device that's designed to allow users to control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet. Researcher Maxim Rupp discovered that the vulnerabilities could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.

14 of 85 comments

  1. Why do you need this stuff on the internet at large by Anonymous Coward · Score: 5, Insightful

    At home, sure, using a tablet to access and program the temperatures on your AC is fine.

    But that is your intranet, and securing that should be an obvious practice.

    And I can barely guess why you would want your locks handled that way, though in terms of security, a mechanical key is hardly inherently better than a digital one.

  2. Welcome to the Internet of Things by sinij · Score: 3, Funny

    In the IoT world, the Internet browses you!

  3. Amateur level fail by Nuitari The Wiz · Score: 4, Interesting

    "The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page."

    You'd think that a company like Honeywell would know better about security, especially as they have a whole cyber security division...
    This is like the pages that had a crappy JavaScript password which you could read by viewing the source, if you knew the keyboard shortcut (right click would be blocked by JavaScript).

    Mistakes an amateur would make.

    1. Re:Amateur level fail by SeaFox · Score: 3, Interesting

      "The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page."

      You'd think that a company like Honeywell would know better about security, especially as they have a whole cyber security division...

      I'm sure they don't see any reason to expend such resources on the consumer space.
      That expertise is reserved for getting government contracts.

  4. Need to start including USB keys by gurps_npc · Score: 4, Interesting

    Every secure wireless device - such as a router or NEST etc, should come with a cheap USB drive - 1 GB drives go for less than $2 now, in quantity.

    When you get the device, plug the USB into the device and press a button. It would randomly generate a key and save it to that USB drive.

    Now to connect anything to that device you have to plug the USB drive into it, transferring the password key.

    --
    excitingthingstodo.blogspot.com

  5. this Internet of Things is getting old by turkeydance · Score: 3, Insightful

    how about the Internet of We Will Not Pay for, and obviously, do not care to have Robust Security for our Systems.

  6. New meaning by ArcadeMan · Score: 4, Funny

    This brings a new meaning to "Honey, I'm home".

    As in, the hacker is in your home via the Honeywell Home Contr... yeah ok never mind.

    1. Re:New meaning by someone1234 · Score: 3, Funny

      Also a new meaning to Homeowners :D

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry

  7. IoT? by ArcadeMan · Score: 3, Funny

    More like Internet of Trash.

    We've now advanced enough to consider X10 to be better than the new technology.

  8. Common problem across industry by Anonymous Coward · Score: 5, Interesting

    As someone "in charge" (Systems Architect) of how many of our product lines are secured on the network (obviously not Honeywell), most people in the field would not believe how much time I waste explaining to people over and over and over again that I will not "simplify" the authentication protocols by getting rid of (strong security practices) just because we use SSL. It's an ongoing fight to keep things strong against a thousand little pushbacks from developers, product management, marketing, sales, and legal. Posting anon as it's still in progress, comes up at least once a week.

    1. Re:Common problem across industry by RobinH · Score: 3, Interesting

      It's sad but I fight the same battle almost every day regarding safety systems in factory automation. There are specific regulations and best practices that we have to follow in order to determine that a machine is safe for an operator to use, and it falls under the heading of "big E" Engineering, as in the type you need to have a license to certify. We put a lot of effort into making the machine provably safe, but we also have to make it recover nicely from an abrupt shutdown if someone opens a guard door, etc. Everyone from management, to the engineering staff, to the operators themselves who use the equipment constantly gripe about how much effort we have to put into the safety systems, even when it's their own life that's at risk. Almost every discussion involves someone saying, "why can't we just tell people not to stick their hand in the machine?" The answer, of course, is that the rules are different for a machine that starts and stops automatically, than it would be, e.g., for a table saw or a drill press with an on/off switch. The rules are different precisely because people do stick their hands into machines that are stopped. Engineers are professionals who accept people as they are, not as we wish they could be.

      Really we could solve the security problems in "IoT" devices by applying the same strict Engineering principles that we do to safety systems in factory automation. You would do this by functionally separating the part of the system responsible for security from the rest of the system, having certified parts that you can purchase that are rated to various industry best practice security standards, and then having a licensed professional engineer review and sign off on the design. Guess what though... it would cost more money. However, I believe there are certain products, where there's a risk to the public, that should be legislated to require this kind of certification.

      --
      "I have never let my schooling interfere with my education." - Mark Twain

  9. BSG had it right: Safe Network = No Network by millertym · Score: 3, Insightful

    I have a hard time thinking of anything more obvious than the fact that "smart " are technology security disasters waiting to happen. With the current architecture of the internet and networking from the top down there is nothing truly safe. Especially consumer grade at home tech built with technology plebeians in mind.

    Call me old fashioned but I see enough at work and stories online every day to commit to keeping my home, appliances, vehicles, and anything else possible off the internet.

  10. Hack or feature? by guruevi · Score: 3, Interesting

    The thing has an entire API unauthenticated to whoever is able to connect to it (https:///system_http_api/).

    It's well documented that the point is not to have these things port-forwarded on your router but to be controlled through their proprietary gateway which comes with a monthly fee. Sure you can surf to it on your local network but that's more of a convenience and a lot of features the API exposes are not in the GUI.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

  11. Re:Why do you need this stuff on the internet at large by bjwest · Score: 5, Funny

    No, but it adds a considerable element of security. If you disagree with me then feel free to attack my PC via the internet, its IP address is 192.168.1.60

    Hey! How dare you use my printer as your PC. No wonder it takes forever to process and print a PDF file.

    --
    --- Keep the choice with the user..