Smart home hacking is easier than you think
02 April, 2015 22:58
Last March, a very satisfied user of the Honeywell Wi-Fi Thermostat left a product review on Amazon.com that shed some light on an unexpected benefit of the smart home -- revenge.
The reviewer wrote that his wife had left him, and then moved her new lover into the home they once shared, which now featured the Honeywell Wi-Fi thermostat. The jilted ex-husband could still control the thermostat through the mobile app installed on his smartphone, so he used it to make the new couple's lives a little less happily ever after:
"Since this past Ohio winter has been so cold I've been messing with the temp while the new love birds are sleeping. Doesn't everyone want to wake up at 7 AM to a 40 degree house? When they are away on their weekend getaways, I crank the heat up to 80 degrees and back down to 40 before they arrive home. I can only imagine what their electricity bills might be. It makes me smile. I know this won't last forever, but I can't help but smile every time I log in and see that it still works. I also can't wait for warmer weather when I can crank the heat up to 80 degrees while the love birds are sleeping. After all, who doesn't want to wake up to an 80 degree home in the middle of June?"
In the past year, more than 8,200 of the 8,490 Amazon users who have read the review deemed it "useful."
Colby Moore, a security research engineer at security firm Synack who has tested smart home products for vulnerabilities, says some of these products still have inherent vulnerabilities similar to the one described in that Amazon.com review. And even some of the devices that do allow users or credentials to be reset fail to make the process simple enough for the everyday consumer.
"I would say on leading products, you can reset users, you can reset credentials and things like that," Moore says. "The problem is that some of this stuff starts to get kind of technical, and I think that's where a lot of these vulnerabilities come down, at least currently. The manufacturers don't design them securely, and rely on the end user to secure them."
For example, many customers don't even think to change passwords on smart home devices because they may not even consider them technology products that can be hacked like a PC. That's how more than 73,000 internet-connected cameras were found to be streaming their footage on the web in November. Customers never changed the default passwords, many of which are available online as basic product information, and unwittingly allowed hackers to stream the private footage from cameras that they had initially purchased to feel safer.
Many companies in the Internet of Things and smart home market are taking security seriously, Moore says. Specifically, Moore says Nest products, including the connected thermostat and the Dropcam camera, are very difficult to hack outside of a lab setting.
A lot of the lower-end smart home products, however, make it to the market rife with vulnerabilities. One example Moore cited was the Foscam camera, which is one of the least expensive on the market and which Moore says is "super prevalent."
"There are oftentimes directory traversal vulnerabilities that let you read out kernel memory and dump passwords and things like that," Moore says. "So essentially what that's saying is you can go out there, find someone's camera [on the] internet, and have remote access to it without knowing the credentials."
In another case, Moore says Synack researchers tested a smart home security system, the kind typically sold at a "do-it-yourself kind of home store," and were able to disable it, enter the home, then re-activate the system once they left.
"The alarm would never go off, and when the user came back it would appear that nothing happened," Moore says.
Moore says there is potential for hackers to start packaging attacks targeted at smart home products and distributing them on a wide scale. Although he hasn't seen it in the market yet, Moore says it is "very plausible" that attackers could begin selling pre-packaged smart home attacks on the black market, similar to how some PC malware attacks are sold, enabling even less-skilled criminals to exploit cybersecurity vulnerabilities in the smart home.
"One thing I have seen or have heard about is people out there scanning their local IP space and finding IP cameras within people's homes, garages, or outside their house, and being able to watch the inhabitants and see when they're home and deduce their pattern of life -- if you know someone's pattern of life, you know when they're not going to be home -- and using these cameras and intel to rob someone's house intelligently," Moore says. "So I certainly can perceive that someone can package up a very nice utility to go out there and look for cameras local to you and use it as a robbery tool."
Another potential distribution method is by altering the products themselves. If attackers can access the devices before they are sold -- by tampering with inventory or even by purchasing a connected camera and returning it to the store with malware pre-loaded onto it -- they will be able to control them as soon as the user installs them.
To test this approach, Moore says Synack researchers purchased several popular IP cameras, altered the hardware, and re-packaged them with a shrink wrapper they purchased on eBay. When they asked their co-workers around the office to distinguish between a brand new product and the one they had altered and re-packaged, they found that no one could see a difference, Moore says.
"So I think that really is a true avenue that an intelligent hacker can use, especially in rich neighborhoods or rich areas where targets might exist," he adds.
Moore says that the higher-end smart home products are being designed with security in mind, and as the market matures, he expects the rest of the products to eventually follow suit. However, security standards for the Internet of Things are still a work in progress, so for the time being, consumers may still find themselves exposed to these vulnerabilities.
"A co-worker put it to me the other day, 'we have the technology for air bags, and we're mandated to put them in our cars,'" Moore says. "We have the technology for good security for these Internet of Things products, but no one is telling anyone or forcing them to put it in. So manufacturers, if they chose to, they could do these things right. The technology is available. They just aren't doing it yet."