Written by Chriss W. Street
Google, Microsoft and Apple are supporting technologies that make your home “smart” enough to be managed from your smartphone. You can turn on the sprinklers, set the heat, close the garage or program what time to automatically make coffee. But with all these “cool” conveniences comes the real risk that high-tech criminals are able to hack into the software to break into your home and do what they wish to you and your family.
As was demonstrated at the recent Black Hat and DEF CON conferences, a reasonably proficient hacker can take control of home automation systems to disarm security sensors, unlock the doors, change the heat and air conditioning settings and cause various other kinds of harm. For the high-tech burglar, this will take the “breaking” part out of breaking and entering; just tell the door lock to open and walk right in.
Wired homes represent hundreds of thousands of endpoints that criminal organizations or governments can hack. Very few people understand that those endpoints, if not regularly maintained and updated like a computer, will get compromised and stay that way for a long time.
Daniel Crowley and David Bryan of Trustwave SpiderLabs demonstrated at the most recent Black Hat how easy it is to hack into VeraLite, a popular $180 home automation product sold by Mi Casa Verde. Crowley explained that VeraLite “has a web interface, but also UPnP (Universal Plug and Play Protocol) interface, which doesn’t take a user name and password. You can go on the network, ask if there are UPnP devices, it will respond and tell you all the things it can do. If I have access to your home network, then I have access to your home,” he said, shortly before using a couple of keystrokes to open a door lock sitting on the table in front of him.
The VeraLite is not the only vulnerable program. Crowley and Bryan said they had tested 10 different products, “and only found one or two that we couldn’t manage to break. Most didn’t have any security controls at all.”
Mi Casa Verde’s founder and Chief Technology Officer Aaron Bergen did not respond to a request for comment. But Paul Roberts, writing in the Veracode blog, said Bergen told him by email that what Trustwave called vulnerabilities were “by design.” VeraLite is built so that the purchaser has “root access” to the software code, because “power users do all sorts of advanced things and want to have root access.” Consequently, once a hacker breaks into the system, he or she can also reprogram the software.
Bergen contended that Trustwave wanted Mi Casa Verde to “block our users from accessing their own Veras. But this would cause a furor among our community.”
But Crowley emphasized: “Having security controls on a product does not prevent people from using it. It prevents unauthorized people from using it. The vulnerabilities we found allow unauthorized users to control the VeraLite, either by gaining access to their home network or by convincing any person on the home network to visit a malicious webpage.”
The bottom line is that home automation systems, most of which include security features, are not secure. Even Lockitron, which won praise at Black Hat for the security built into its Wi-Fi-enabled front-door lock, is not bulletproof. The New York Times cited a company statement that while it built the lock with security in mind, “anyone claiming their system is ‘un-hackable’ is wrong.”
So far, these vulnerabilities do not seem to have prompted a rash of burglaries or other damage from hackers. In their video interview, Trustwave’s Crowley and Bryan said they were not aware of any home systems compromised by hackers yet.
But Kevin Mitnick, formerly described as the country’s “most-wanted hacker” and now head of Mitnick Security Consulting, said the risks of such systems are “nothing new, but there is new interest in them,” now that those systems are more common and increasingly connected to the Internet. He said the reality is that “a lot of them aren’t built for security, and the consumer can’t really do anything but rely on the manufacturer.” He said he wouldn’t own anything that connects to the Internet, “unless I could unplug it.”
Roger Thornton, Chief Technology Officer of AlienVault, agrees that they are vulnerable, but said they can be useful if consumers take security precautions of their own. “If you can’t set up a virtual private network (VPN) and run a security operations center (SOC), best to think twice about a modern connected home of the future,” he said.
Since most homeowners know far less about technology than their teenage children, you should be aware that connecting your home to the Internet to enjoy all the cool conveniences may also be an invitation to criminals, who often have superior knowledge of defeating the basic elements of network security.