Your (not-so) smart home

Your home may be smart enough to take direction from you through your equally smartphone — tell it to close the garage door and turn the heat down from 1,000 miles away, and it does it.

Unfortunately, that magical convenience comes with big risks: Your home is probably not smart enough to tell if those directions are coming from you.

As was demonstrated at the recent Black Hat and DEF CON conferences, a reasonably adept hacker can take control of home automation systems and disarm security sensors, unlock the doors, change the heat and air conditioning settings and cause various other kinds of mischief. For a high-tech burglar, it can take the “breaking” part out of breaking and entering mdash; just tell the door lock to open, and walk right in.

[Social engineering: 5 security holes at the office]

Daniel Crowley and David Bryan, researchers with Trustwave SpiderLabs who presented at Black Hat, demonstrated the ease of hacking a home system in a video interview with SC magazine using VeraLite, a $180 home automation gateway sold by Mi Casa Verde.

As Crowley explained, the VeraLite, “has a web interface, but also UPnP (Universal Plug and Play Protocol) interface, which doesn’t take a user name and password. You can go on the network, ask if there are UPnP devices, it will respond and tell you all the things it can do. If I have access to your home network, then I have access to your home,” he said, shortly before using a couple of keystrokes to open a door lock sitting on the table in front of him.

VeraLite is not alone. Crowley and Bryan said they had tested 10 different products, “and only found one or two that we couldn’t manage to break. Most didn’t have any security controls at all.”

Mi Casa Verde’s founder and CTO Aaron Bergen apparently does not see that as a problem. Bergen did not respond to a request for comment from CSO, but Paul Roberts, writing in the Veracode blog, said Bergen told him by email that what Trustwave called vulnerabilities were “by design.” The VeraLite, “allows the owner to SSH into his Vera with root access, and thus he has complete access to the system…because Vera has a lot of power users that do all sorts of advanced things and want to have root access.”

Bergen contended that Trustwave wanted Mi Casa Verde to, “block our users from accessing their own Veras. But this would cause a furor among our community.”

Crowley emphatically disputed that to CSO. “Having security controls on a product does not prevent people from using it. It prevents unauthorized people from using it,” he said. “The vulnerabilities we found allow unauthorized users to control the VeraLite, either by gaining access to their home network or by convincing any person on the home network to visit a malicious webpage.”

The bottom line is that home automation systems, most of which include security features, are not secure. Even Lockitron, which won praise at Black Hat for the security built into its Wi-Fi-enabled front-door lock, is not bullet proof. The New York Times, cited a company statement that while it built the lock with security in mind, “anyone claiming their system is ‘unhackable’ is wrong.”

[Researchers show ways to bypass home and office security systems]

So far, this does not seem to have prompted a rash of burglaries or other damage from hackers. In their video interview, Trustwave’s Crowley and Bryan said they were not aware of any home systems compromised by hackers.

Still, experts say that homeowners should be wary of such systems. Kevin Mitnick, formerly described as the country’s “most-wanted hacker” and now head of Mitnick Security Consulting, said the risks of such systems are “nothing new, but there is new interest in them,” now that those systems are more common and increasingly connected to the Internet.

He said the reality is that, “a lot of them aren’t built for security, and the consumer can’t really do anything but rely on the manufacturer.” He said he wouldn’t own anything that connects to the Internet, “unless I could unplug it.”

Roger Thornton, CTO of AlienVault, agrees that they are vulnerable, but said they can be useful if consumers take their own security precautions of their own. “If you can’t set up a virtual private network (VPN) and run a security operations center (SOC), best to think twice about a modern connected home of the future,” he said.

Wired homes, he said, “represent hundreds of thousands of end points that criminal organizations or governments can hack. And those endpoints don’t get regularly maintained and updated like PCs and laptops. Once a home system is compromised, it’s going to stay compromised for a long, long time.”

Thornton said a major problem with such systems — any “connected” system — is that the desire for “cool features” tend to trump the need for security. He cited the case of 300 BMWs stolen in England last year because hackers were able to breach a technology port in the car that gave them access to each car’s key fob digital ID.

“There was no authentication required to program the fob,” he said. “BMW left this system ‘open’ to make life easier for its dealer networks, but unfortunately it only made their cars easier to steal.”

His advice to consumers? “Don’t connect your house to the Internet unless you have a solid handle on the basic elements of securing and monitoring a network. It’s really not hard to set up a VPN, and most people with a really smart teenage kid can set one up and the monitoring solutions used by corporations are getting easier and cheaper to deploy every day.”