Your smart home is “wide open for a burglar to remotely open the door, turn off the lights, and steal your valuables,” PC Magazine‘s Neil Rubenking explains in his look at new research from Cognosec’s Tobias Zillner and Sebastian Strobl presented at this year’s Black Hat conference.
While Zillner and Strobl were impressed with much of what they saw in the ZigBee, which along with Z-Wave is the most common mesh radio protocol used for smart home devices today.
However, “their research found that only the fallback default key system was implemented, even for door locks. That gave them a way to connect to the automation system remotely to read data, send commands, and effectively own the system,” Rubenking notes, before adding that to pull this off attackers “needed to capture the wireless traffic during a pairing event, and they needed to use it really, really fast.”
Their research gives a great overview of ZigBee’s security architecture.
Is this really a surprise? As my colleague Mikko Hypponen has said all over the world, “Smart means exploitable.” (Mikko has also said, “You can’t spell idiot without IoT”.)
The security challenges inherent in smart home devices include the following:
1) Most of the devices are cheap and lack a screen and keyboard.
2) Ease-of-use, especially during setting up, is critical for these kinds of products.
3) Devices use wireless protocols to connect to the home, so that there is no need to install wires into the walls. Hence, they and their signals are likely also reachable from outside the walls of the house.
4) Some of these devices, like garden sprinklers or porch lamps, are located outside and hence can be accessed physically without breaking into your house.
5) There are many manufacturers and many ways to buy the device: Devices don’t come pre-installed with any secret code or certificate specifically for your home.
6) Many smart home devices use mesh networking where radios are low power and each device also acts as a relay station and thus devices need some way of communicating with all other devices in the network.
ZigBee, like all Wi-Fi protocols, offers basic encryption for the transportation layer. The default key-exchange is pretty weak and would expose the network key if someone is sniffing the network during pairing — though they may need to do a denial of service attack while they’re at it.
In order to create a secure communication channel the devices at home will have to exchange public keys or share symmetric keys. This is done over an insecure channel without expecting that the cheap plastic gadget in your garden has been compromised. It’s an obvious security weakness that the protocol uses a universal network encryption key — much like we see to encode DVDs. All the manufacturers get it and embed it. If it leaks once, it cannot really be changed.
While the standard does have some authentication mechanisms, it’s hardly surprising that device manufacturers don’t use them, as it complicates the out-of-box experience. This is not a problem that can be solved without complicating the user experience and increasing the cost of the devices by adding tamper resistance.
Is this a good thing? Absolutely not. But don’t expect this to change anytime soon.
While smart home security might almost seem like an oxymoron at the moment, there is no reason to throw down the gauntlet and either give up on security or having a smart home.
You will need to think about how you use IoT technology, though. As I explained this post about how to secure your smart home, you might want to consider if you really want to use smart locks. Disconnecting security and nanny cameras when you don’t want them on also makes sense.
Remember that attacks using a protocol like ZigBee or Bluetooth tend to only work from inside your home or very close to your home. This is also true for attacks where someone steals your garden sprinkler, opens it up, and sucks out the local ZigBee shared key.
Earlier in human history, proximity was required for attacks: Only people nearby could burglarize your house and thus if you lived in a safe neighborhood, you were pretty safe.
On the Internet, there are no safe neighborhoods; you can get attacked from anywhere in the World. Access to your home can be sold in dark markets. This means that, you’re smart home is more likely to get attacked by someone guessing passwords to your smart home cloud backend or by old-fashioned “brick through the window” attacks then by someone physically tampering with smart devices in your backyard or eavesdropping on new device pairing to get access. If someone can gain access into your smartphone, perhaps through your Facebook account, s/he could then get access to your sprinkler without having to stake out your front lawn.
So, yes, the cheap plastic things in your garden may be used to open your smart door. Worse yet, the attacker could open your front door lock by guessing your password and sell cheap access to local burglars in an underground forum.
Accessing your sprinklers remotely does have a potential for causing water damage or inflating your bill, but it’s not as concerning as someone hacking your car’s brakes, which has also only been done by security researchers.
[Image by Thangaraj Kumaravel | Flickr]
F-Secure invites our fellows to share their expertise and insights. For more posts by Fennel, click…
April 18, 2018
There are some advantages to being around "forever," as Mikko Hypponen, F-Secure's Chief Research Officer,…
March 10, 2018