Some Home Automation Systems Are Rife with Holes, Security Experts Say
A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave.
Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights and other sensitive systems.
The Trustwave researchers plan to discuss vulnerabilities they discovered in several such products during a presentation Thursday at the Black Hat USA security conference in Las Vegas.
One product analyzed by the Trustwave researchers is called the Insteon Hub and is a network-enabled device that can control light bulbs, wall switches, outlets, thermostats, wireless Internet Protocol (IP) cameras and more.
"When you first set up the Insteon Hub, you're asked to set up port forwarding from the Internet to the device, so basically you're opening up access to it to anybody from the Internet," said David Bryan, a Trustwave researcher who reviewed the device after buying one to use in his house.
The Insteon Hub can be controlled from a smartphone application that sends commands to it over the local network or the Internet, he said.
When inspecting the traffic coming from his phone over the Internet and into the Insteon Hub, Bryan discovered that no authentication and no encryption was being used. Furthermore, there was no option to enable authentication for the Web service running on the Insteon Hub that receives commands, he said.
"This meant that anybody could have turned off my lights, turned on and off my thermostat, changed settings or [done] all sorts of things that I would expect to require some sort of authorization," Bryan said.
Attackers could use Google or the SHODAN search engine, or could perform port scans, to locate Insteon Hub devices connected to the Internet, Bryan said.
Insteon, the company in Irvine, California, that manufactures the device, was notified of the issue in December, according to the researcher. A new version of the product that uses basic authentication for the Web service was released in March, he said.
This post does not have any comments. Be the first to leave a comment below.
Post A Comment
You must be logged in before you can post a comment. Login now.