Honeywell Home Controllers Open To Any Hacker Who Can Find Them Online
Trailrunner7 writes: Security issues continue to crop up within the so-called "smart home." A pair of vulnerabilities have been reported for the Tuxedo Touch controller made by Honeywell, a device that's designed to allow users to control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet. Researcher Maxim Rupp discovered that the vulnerabilities could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.
At home, sure, using a tablet to access and program the temperatures on your AC is fine.
But that is your intranet, and securing that should be an obvious practice.
And I can barely guess why you would want your locks handled that way, though in terms of security, a mechanical key is hardly inherently better than a digital one.
"The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page."
You'd think that a company like Honeywell would know better about security, especially as they have a whole cyber security division...
This is like the pages that had a crappy JavaScript password which you could read by seeing view source, if you knew the keyboard shortcut (right click would be blocked on JavaScript).
Mistakes an amateur would make.
When you get the device, plug the USB into the device and press a button. It would randomly generate a key and save it to that USB drive.
Now to connect anything to that device you have to plug the USB drive into it, transferring the password key,
excitingthingstodo.blogspot.com
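The flaw quoted above from the advisory (a script in the page decides whether to redirect to the login page) next to a check enforced on the server, as an added example that is not part of the original thread and not Honeywell's code. The handler names, the `sid` cookie and the `/login` path are assumptions for illustration.

```javascript
// Added example with hypothetical names; requests are plain objects so it runs offline.
const { randomBytes } = require('node:crypto');

const sessions = new Map();             // token -> { user, expires }
const SESSION_TTL_MS = 15 * 60 * 1000;

// Issue an unguessable, server-side session token after a successful login.
function createSession(user, now = Date.now()) {
  const token = randomBytes(32).toString('hex');
  sessions.set(token, { user, expires: now + SESSION_TTL_MS });
  return token;
}

// Pull the "sid" value out of a Cookie header, or return null.
function sessionFromCookie(header = '') {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(header);
  return m ? m[1] : null;
}

// WEAK: the protected page is always sent. Only a script in the body moves
// unauthenticated browsers to /login, so a client that does not run the
// script still receives the full response.
function weakHandler(req) {
  return {
    status: 200,
    headers: {},
    body: '<script>if(!document.cookie.includes("sid="))location="/login"</script>' +
          '<h1>Control panel</h1>',
  };
}

// FIXED: the server validates the session before producing protected content.
function fixedHandler(req, now = Date.now()) {
  const token = sessionFromCookie(req.headers.cookie);
  const session = token && sessions.get(token);
  if (!session || session.expires <= now) {
    if (token) sessions.delete(token);  // drop expired or unknown tokens
    return req.method === 'GET'
      ? { status: 302, headers: { Location: '/login' }, body: '' }
      : { status: 401, headers: {}, body: '' };
  }
  return { status: 200, headers: {}, body: '<h1>Control panel</h1>' };
}
```
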
This brings a new meaning to "Honey, I'm home".
As in, the hacker is in your home via the Honeywell Home Contr... yeah ok never mind.
As someone "in charge" (Systems Architect) of how many of our product lines are secured on the network (obviously not Honeywell), most people in the field would not believe how much time I waste explaining to people over and over and over again that I will not "simplify" the authentication protocols by getting rid of (strong security practices) just because we use SSL. It's an ongoing fight to keep things strong against a thousand little pushbacks from developers, product management, marketing, sales, and legal. Posting anon as it's still in progress, comes up at least once a week.
No, but it adds a considerable element of security. If you disagree with me then feel free to attack my PC via the internet, its IP address is 192.168.1.60
Hey! How dare you use my printer as your PC. No wonder it takes forever to process and print a PDF file.
--- Keep the choice with the user..