Some Home Automation Systems Are Rife with Holes, Security Experts Say

A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave.

Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights and other sensitive systems.

The Trustwave researchers plan to discuss vulnerabilities they discovered in several such products during a presentation Thursday at the Black Hat USA security conference in Las Vegas.

One product analyzed by the Trustwave researchers is the Insteon Hub, a network-enabled device that can control light bulbs, wall switches, outlets, thermostats, wireless Internet Protocol (IP) cameras and more.

"When you first set up the Insteon Hub, you're asked to set up port forwarding from the Internet to the device, so basically you're opening up access to it to anybody from the Internet," said David Bryan, a Trustwave researcher who reviewed the device after buying one to use in his house.

The Insteon Hub can be controlled from a smartphone application that sends commands to it over the local network or the Internet, he said.

When inspecting the traffic coming from his phone over the Internet and into the Insteon Hub, Bryan discovered that neither authentication nor encryption was being used. Furthermore, there was no option to enable authentication for the Web service running on the Insteon Hub that receives commands, he said.

"This meant that anybody could have turned off my lights, turned on and off my thermostat, changed settings or [done] all sorts of things that I would expect to require some sort of authorization," Bryan said.

Attackers could use Google or the SHODAN search engine, or could perform port scans, to locate Insteon Hub devices connected to the Internet, Bryan said.

Insteon, the company in Irvine, California, that manufactures the device, was notified of the issue in December, according to the researcher. A new version of the product that uses basic authentication for the Web service was released in March, he said.
