Your (not-so) smart home
The 'connected' home is technologically advanced and very convenient. Unfortunately, that also makes it an easy in for hackers.
September 16, 2013 — Your home may be smart enough to take direction from you through your equally smart phone — tell it to close the garage door and turn the heat down from 1,000 miles away, and it does it.
Unfortunately, that magical convenience comes with big risks: Your home is probably not smart enough to tell if those directions are coming from you.
As was demonstrated at the recent Black Hat and DEF CON conferences, a reasonably adept hacker can take control of home automation systems and disarm security sensors, unlock the doors, change the heat and air conditioning settings and cause various other kinds of mischief. For a high-tech burglar, it can take the "breaking" part out of breaking and entering — just tell the door lock to open, and walk right in.
Daniel Crowley and David Bryan, researchers with Trustwave SpiderLabs who presented at Black Hat, demonstrated the ease of hacking a home system in a video interview with SC magazine using VeraLite, a $180 home automation gateway sold by Mi Casa Verde.
As Crowley explained, the VeraLite, "has a web interface, but also UPnP (Universal Plug and Play Protocol) interface, which doesn't take a user name and password. You can go on the network, ask if there are UPnP devices, it will respond and tell you all the things it can do. If I have access to your home network, then I have access to your home," he said, shortly before using a couple of keystrokes to open a door lock sitting on the table in front of him.
VeraLite is not alone. Crowley and Bryan said they had tested 10 different products, "and only found one or two that we couldn't manage to break. Most didn't have any security controls at all."
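For a homeowner who wants to see which devices on their own network answer UPnP discovery, the following added example (not code from the article, Trustwave or any vendor) builds the standard SSDP discovery request and inventories the replies by host. The function names, the `SAMPLE` replies and the addresses in them are constructed for illustration.

```python
import socket
from urllib.parse import urlparse

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
def build_msearch(st="ssdp:all", mx=2):
    """The discovery request any UPnP client sends; it has no credential field."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {st}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_response(data):
    """Headers of one SSDP reply as a dict with upper-case keys, or None."""
    status, _, rest = data.decode("utf-8", "replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def inventory(replies):
    """Map each responding host to the sorted service/device types it advertises."""
    found = {}
    for data in replies:
        headers = parse_response(data)
        if headers and "LOCATION" in headers:
            host = urlparse(headers["LOCATION"]).hostname
            found.setdefault(host, set()).add(headers.get("ST", "?"))
    return {host: sorted(types) for host, types in found.items()}

def discover(timeout=3.0):
    """Send one M-SEARCH on a network you administer and collect raw replies."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        replies = []
        try:
            while True:
                replies.append(sock.recvfrom(65507)[0])
        except socket.timeout:
            return replies

# Constructed sample replies (not captured from any real device); runs offline.
_REPLY = "HTTP/1.1 200 OK\r\nLOCATION: http://{}:8080/desc.xml\r\nST: {}\r\n\r\n"
SAMPLE = [_REPLY.format(host, st).encode() for host, st in [
    ("192.168.1.50", "upnp:rootdevice"),
    ("192.168.1.50", "urn:schemas-upnp-org:service:SwitchPower:1"),
    ("192.168.1.1", "urn:schemas-upnp-org:device:InternetGatewayDevice:1")]]
```

Running `inventory(discover())` on a home network lists every host that answers discovery; any device on that list that should not be reachable this way is a candidate for disabling UPnP or moving to a separate network segment.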
Mi Casa Verde's founder and CTO Aaron Bergen apparently does not see that as a problem. Bergen did not respond to a request for comment from CSO, but Paul Roberts, writing in the Veracode blog, said Bergen told him by email that what Trustwave called vulnerabilities were "by design." The VeraLite, "allows the owner to SSH into his Vera with root access, and thus he has complete access to the system...because Vera has a lot of power users that do all sorts of advanced things and want to have root access."
Bergen contended that Trustwave wanted Mi Casa Verde to, "block our users from accessing their own Veras. But this would cause a furor among our community."