Smart home hacks

July 16, 2019

Smart home technologies are designed to make life easier and more convenient. However, new conveniences also mean new problems. The dangers of automating anything and everything are a frequent topic of conversation and blogging around here. For starters, hooking up home appliances to the Internet makes you dependent on the connection quality and server operation. At the same time, cybercriminals can use those points of entry to seize control of vulnerable equipment and use it to their own advantage.

As recent studies have shown, numerous means still exist to take control of a smart home. One such trouble spot, for example, could be a vulnerability in the cloud server through which the owner controls the house remotely, or even something seemingly innocuous like a smart light switch.

Fibaro: Cloud threat

As revealed by Kaspersky, the Fibaro smart home allowed anyone to upload and download the smart hub’s backup data to and from the cloud server. A smart hub is the most important device in the smart home because it controls all of the others: thermostats, coffee makers, security systems, and so on.

The hub’s backup data contains many interesting details about the home and its owner, including the location of the home and the owner’s smartphone, the e-mail address to which the host account is registered in the Fibaro system, and a list of connected devices and passwords for them (all in plain text without encryption).

The password for the admin panel used for remote control of the home was also stored there. Unlike the other passwords stored in the backup, it was at least protected, or to be more precise, hashed. However, if the attacker were to download all the backup copies stored in the Fibaro cloud, it would be possible to guess the simplest and most frequently occurring passwords — such as “password1” — the hashes for them will be the same.

Having gotten inside the admin panel, a hacker is likely to exploit one of the vulnerabilities for executing code remotely and gain superuser rights in the system. Superusers can do whatever they please inside the home. Ironically, the actual home owner does not have superuser rights — the manufacturer decided it would be safer that way (and in many respects this is true).

Fibaro: Malicious update

Another attack scenario Kaspersky researchers uncovered required no password cracking at all. As we already mentioned, backup copies were not only downloadable from the Fibaro server without any authorization, but uploadable as well. What’s more, the cloud allowed texts or e-mails to be sent to the home owner.

In other words, all the attackers had to do was create a malicious backup copy, upload it to the server, and persuade the victim to install the “update.” This can be done by imitating a message from Fibaro (phishing). Even if the hacker got some details wrong, there was a good chance the unsuspecting victim would still download the malicious backup (giving the hacker, as in the first case, superuser rights). After all, the message came from an ******@fibaro.com address, which looks just fine.

We reported the vulnerabilities to Fibaro, which promptly fixed them, so those attack scenarios no longer work. Let’s hope that other smart device manufacturers avoid stepping on this virtual rake, and take these errors into account in developing their systems.

Nest: Smart camera switch

Another study by US researchers, at the College of William & Mary, looked at the security of two smart home platforms: Nest (from Nest Labs, owned by Google) and Hue (produced by Philips). Both platforms were vulnerable, each in its own way.

The Nest Labs developers paid special attention to the protection of security systems: Third-party apps and devices cannot change the settings of security cameras and other components responsible for home security, or turn them on or off. Or rather, they cannot do so directly.

However, the system uses some attributes that are common to security systems and devices that are far less protected. The values of such attributes are stored in a single storage space accessible to all devices that need them in order to operate. Moreover, some minor devices such as light switches and thermostats are in many cases able not only to read the values it requires, but also to change them.

On the one hand, this helps automate and simplify routine operations. For example, there is no need to give commands to each device separately when you leave for work in the morning. The app that controls the switch can use, say, geolocation to determine that you have left the home zone, then transmit this information to storage and assign the away value to the attribute that specifies whether the owner is present or absent.

This value is read not only by the switch itself (which then turns off the light, as intended), but by other devices too. And each performs a programmed action: The air conditioner slows down, the stereo system switches off, and the surveillance camera starts recording. However, if the system can be led to believe that the owner has returned, the cameras can be turned off and home security undermined.

There exist several Nest-compatible devices that have permission to manage the home/away modes. The researchers decided to test the security of the Kasa switch made by TP-Link. Besides the above-mentioned ability to read and toggle the home/away setting, their choice was influenced by the popularity of the Kasa Smart app for controlling the device remotely (more than a million downloads on Google Play). On closer inspection, it turned out that the program allows the attacker to hijack the connection to the server and send commands to it.

The issue was detected in the authorization procedure, more specifically in the app developers’ approach to its security. To prevent the owner’s account details from falling into the wrong hands, the app and server first establish an encrypted connection. To do so, the app sends a request to the server, which shows it an SSL certificate confirming that the server can be trusted.

The app checks the certificate for authenticity and, if it is genuine, secretly passes the server a token (data used to identify the owner). But an error crept into this check, and the Kasa app was shown to trust any certificate.

The researchers described a possible hack scenario:

  1. The cybercriminal tracks the owner of the target home, and waits for the latter to connect to public Wi-Fi, say, in a café.
  2. The Kasa app tries to connect to the server.
  3. Upon entering the same network, the attacker intercepts the connection and shows their own SSL certificate to the app.
  4. The app, mistaking the cybercriminal for the server, sends the token required for authentication.
  5. The cybercriminal in turn shows this token to the real server, which thinks it is dealing with the app.
  6. The hacker informs the switch, directly from the café, that the owner has returned.
  7. The attribute is changed from away to home.
  8. The objective is thus achieved — the camera reads the value and stops recording, after which the cybercriminal or an accomplice can enter the house unobserved.

Most worrying of all, according to the researchers, is that such an attack required no special skills. The good news, though, is that Kasa’s developers, like the creators of the Fibaro system, duly fixed the bug after learning of it from the research team.

Nest: Checking the many, not the few

In theory, the Nest system should be protected from such attacks by the built-in scan for third-party devices and apps. The website for developers provides an extensive list of requirements for products that interact with the platform. These requirements specify, among other things, that the app or device must have a correctly working and secure authorization system that prevents anyone from pretending to be you.

But in practice, verification of third-party apps and devices can be bypassed. The Nest system checks only those with more than 50 users, which means that a unique program created by hackers to attack a specific smart home could connect to it, circumventing the security controls. All the cyberthieves have to do is persuade the victim to download their particular app and grant it the necessary rights.

Besides, even popular apps that do not meet Nest’s requirements have a chance of bypassing the scan. A case in point is the above Kasa Smart, which allowed attackers to connect to the server on its behalf.

Additionally, it turned out that many apps for Nest devices give inaccurate information about the access rights required for their operation. For example, the description of a thermostat control app can say that access to the home/away attribute is needed for the sole purpose of controlling the thermostat itself, when in actual fact this attribute is common to the entire system and other devices will also react if it is changed. In other words, the description is misleading.

Hue: Third-party apps welcome

The problem of rights being granted to third-party apps is also relevant to the Philips Hue smart lighting system. It was developed so that each program requests permission from the owner to connect to the smart home.

This permission can be granted by pressing a physical button on the control unit through which the Hue devices interact. For that to work, the app and the control unit must be located in the same local network, meaning that neighbors and passers-by cannot connect to your smart home by guessing the right moment and sending a request. Generally speaking, it’s a great idea from a security perspective. But it was let down by the implementation.

As the researchers discovered, the hallowed button can be “pressed” not only by the user, but by any program already connected to Hue. This is because the system’s “brain” determines whether the button has been activated according to the value of one of the control unit settings. And this value can be modified by apps. That means one ill-minded program with access to the platform can freely grant access to others. Not only that, using the same setting, it can also deny access to legitimate devices connected by the owner.

It might seem that with the Hue platform being used for lighting control only, this bug is not as dangerous as the vulnerability in the Nest platform. However, Hue devices can connect to Nest too, which, as you know, not only has access to door locks and cameras, but in some cases allows third-party apps to disable them.

How to protect your smart home

Security holes, it turns out, are to be found in almost any home automation device. Should you be scared? A flashing light or out-of-control heating is inconvenient, but not too dangerous and of no particular interest to cybercriminals. A hacked smart lock or security camera, however, would be more unpleasant. Keep in mind though that it’s more likely that to overcome these, the vast majority of thieves would use a crowbar, not exploits.

In any case, the decision of whether to futurize your home belongs to you. If you do decide that you need a smart home, it will be wise to minimize the risk of hacking. Here’s how to do it:

  • Read reviews and research regarding devices’ security before buying. Note how the manufacturer reacts to discovered vulnerabilities. If it quickly resolves issues reported by researchers, that’s a good sign.
  • Having decided on a particular app or device, be sure to stay in the loop about updates and discovery of vulnerabilities. Install all updates released by the developers in a timely fashion.
  • Protect devices and control panels with a strong unique password. That way, the attacker will not be able to simply brute-force the “key” to your home.
  • Correctly configure your home Wi-Fi network.
  • Download programs from official sources only, and do not grant them unnecessary permissions.
  • When connecting to your smart home through public Wi-Fi, remember that third parties can intercept information sent by you and your apps online, including passwords and authorization tokens. To avoid this, use a VPN secure connection.