Some home automation systems are rife with holes, security experts say

Trustwave researchers will reveal vulnerabilities in home automation gateways and other network-controlled products at Black Hat

A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave.

Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights and other sensitive systems.

The Trustwave researchers plan to discuss vulnerabilities they discovered in several such products during a presentation Thursday at the Black Hat USA security conference in Las Vegas.

One of the more interesting devices they tested was a home automation gateway system called VeraLite that's manufactured by a Hong Kong-based company called Mi Casa Verde.

The VeraLite is an embedded device that sits on a home network and can be used to control other systems connected to it. It can manage as many as 70 devices at once and is equipped to work with 750 smart systems, including lights, thermostats, surveillance cameras, alarm systems, door locks, window blinds and HVAC (heating, ventilation, and air conditioning) systems.

In its default configuration VeraLite doesn't require a username and password, so if the owner doesn't set one up intentionally, the device can be accessed and controlled by anyone from the local network, said Daniel Crowley, a security researcher at Trustwave.

Even if the device owner does create a username and password, the device can still be controlled using the Universal Plug and Play (UPnP) protocol, which doesn't have built-in support for authentication, Crowley said. You can write your own UPnP authentication feature or use an UPnP extension for it, but Mi Casa Verde didn't do this for VeraLite, he said.

VeraLite's UPnP functionality allows anyone located on the local network to execute arbitrary code on the device as root, the highest-privileged account type, giving them complete control over the system, the researcher said.

It is also possible to exploit this vulnerability from the Internet by launching a cross-protocol attack against a user who is on the same network as the device.

"If I know that someone has a VeraLite on their home network and they're at home, I can trick them into visiting a Web page that instructs their browser to set up a backdoor on their VeraLite device using UPnP," Crowley said.

Another thing that's concerning is a remote access feature in VeraLite that involves the device connecting via the Secure Shell (SSH) protocol to a remote forwarding server operated by the manufacturer, Crowley said. The user can then log in to the forwarding server via a remote Web interface and control their device, he said.

This architecture has security problems, because when the VeraLite connects to the forwarding server, the port is forwarded, Crowley said. "Connecting to a particular port on the forwarding server connects you to your VeraLite."

According to the researcher, this creates a single point of failure, because if an attacker managed to bypass the firewall protecting the forwarding server, he could get access to every VeraLite unit connected to it.

An attacker wouldn't necessarily need to compromise the forwarding server itself. Finding and exploiting a vulnerability in the Web interface or the Web server could be enough, Crowley said.

When these issues were reported to the manufacturer, the company responded that these are not vulnerabilities but intended features that exist by design, the researcher said.

It's an odd design to give users the option to create a log-in account and password and have different levels of access on the device, but then create a separate so-called feature that bypasses all of those security controls, he said.

Mi Casa Verde did not immediately respond to a request for comment sent via email.

Another product analyzed by the Trustwave researchers is called the Insteon Hub and is a network-enabled device that can control light bulbs, wall switches, outlets, thermostats, wireless Internet Protocol (IP) cameras and more.

"When you first set up the Insteon Hub, you're asked to set up port forwarding from the Internet to the device, so basically you're opening up access to it to anybody from the Internet," said David Bryan, a Trustwave researcher who reviewed the device after buying one to use in his house.

The Insteon Hub can be controlled from a smartphone application that sends commands to it over the local network or the Internet, he said.

When inspecting the traffic coming from his phone over the Internet and into the Insteon Hub, Bryan discovered that no authentication and no encryption was being used. Furthermore, there was no option to enable authentication for the Web service running on the Insteon Hub that receives commands, he said.

"This meant that anybody could have turned off my lights, turned on and off my thermostat, changed settings or [done] all sorts of things that I would expect to require some sort of authorization," Bryan said.

Attackers could use Google or the SHODAN search engine, or could perform port scans, to locate Insteon Hub devices connected to the Internet, Bryan said.

Insteon, the company in Irvine, California, that manufactures the device, was notified of the issue in December, according to the researcher. A new version of the product that uses basic authentication for the Web service was released in March, he said.

However, as far as Bryan knows, there is no method for users to update the firmware, so upgrading to the new version would involve getting a new device.

Insteon did not immediately respond to a request for comment sent via email.

The new version of Insteon Hub doesn't encrypt the traffic, and the password used for authentication can be easily decoded by an attacker who can intercept the traffic, Bryan said.

Furthermore, the password is based on a part of the device's MAC address. Getting a device's MAC address from the Internet is not possible, but it's easy to do from the local network, he said.

This means that if an attacker can break into a home's Wi-Fi network or into a local network computer, he can potentially gain access to an Insteon Hub device located on the same network.

Other devices that were found to have security issues included the Belkin WeMo Switch for power outlets, the Lixil Satis smart toilet, the Linksys Media Adapter, which is no longer being sold, and a radio thermostat.

Home automation systems are often connected to security devices, so they are part of the overall security of a home, Bryan said. Because of this, they should have security controls built into them, he said.

Companies that manufacture these systems are trying to get their products to market as fast as possible, and they often overlook security testing because it impedes that process, Bryan said. "I really hope that going forward, people will start to learn from these security issues, because it's very frustrating to me as a consumer to see products come out that aren't secure and I can easily break into, and then discover a large number of the same products on the Internet that have the same flaws."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityphysical securityintrusionconsumer electronicstrustwaveblack hatAccess control and authenticationMi Casa VerdeInsteon

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?