Security holes in the 3 most popular smart home hubs and Honeywell Tuxedo Touch

At the 2015 Intelligent Defense European Technical Research Conference in June, Tripwire security researcher Craig Young presented Smart Home Invasion and revealed zero-day flaws in the “brains” of Internet of Things platform hubs such as SmartThings hubs, Wink hubs, and MiOS Vera. The Wink and Vera products “contained critical remotely exploitable flaws.” Young warned that “if not addressed, smart home flaws can give rise to a new type of ‘smart criminal’ able to case victims without being seen. Once a target is chosen, it is possible to unlock doors and disable security monitoring.”

According to Tripwire’s Smart Home Invasion video, Young performed a security assessment on the three best-selling smart hubs on Amazon; he found all three to have critical security flaws that could “lead to unlocked doors and unsolicited access into a person’s home network.”

Young explained:

Access to home hubs can not only let the burglar enter your home without tripping alarms, but it also gives them access to a wealth of information about when people are at home and where they might be in the house. Connected devices like motion sensors and cameras give a clear picture of what’s going on inside the house but even information like when the garage door is opened each day or when lights are turned on and off expose aspects of a target’s schedule. In effect, this opens the door for prospective thieves to case targets from the comfort of their secret lair.

The threats are not limited to local burglars and thieves either. Compromised Internet nodes have intrinsic value for hackers looking to disguise the source of attacks or simply steal bandwidth. As with the many other embedded devices that comprise the Internet of Things, attackers will naturally be looking to attack these systems and install backdoor software for use in spam and DDoS campaigns. These types of attacks can lead to increased Internet costs via bandwidth overage charges while also exposing internal devices to further attack.

“Vulnerable versions of Vera and Wink could be attacked through HTTP requests,” Young added. “These requests may come from a malicious web page (as demonstrated at IID on the Vera), a phone app on the LAN, or a malicious user on the LAN directly connecting to the vulnerable device. In the case of Vera, the attacker can directly supply commands to run on the Vera’s embedded operating system. In the case of Wink, the attacker would inject SQL commands to trick SQLite into creating a PHP script on the device. A subsequent request can then trigger execution of the PHP code with root permissions.”

The SmartThings hub had the least serious vulnerability, as it was vulnerable to improper certificate validation. The holes in both SmartThings and Wink were patched, but that means the user must apply the patches. In the case of SmartThings, a mandatory update was pushed out in February. A spokesperson said, “Any inactive hub that was not updated cannot connect to the SmartThings service and is automatically redirected to an update server.”

Keeping firmware up-to-date, connecting your devices to their own separate network, and removing HTTPS access were suggested by Tripwire as best practices to reduce vulnerability. “HTTP interfaces expose a very large attack surface and should be isolated from untrusted nodes or disabled if possible.”

CERT warns users to update Honeywell Tuxedo Touch controller firmware

Honeywell’s tagline for Tuxedo Touch is “Smart house. Safe home.” But if a product has “horrible” security holes then “safe” doesn’t seem true. Cure53 security researcher Maxim Rupp is warning how “remarkably simple” it is for anyone to access another person’s “Honeywell Tuxedo Touch web interfaces, used to control all connected parts of the home, including cameras, thermostats, lights, locks and shades.”

Last month, Rupp told the world that hundreds of solar lighting systems and wind turbines were vulnerable to hacking. ISC-CERT then released an advisory for Sinapsi eSolar light plaintext password vulnerabilities, for a cross-site request forgery (CSRF) vulnerability in XZERES 442SR wind turbines and an insecure credential vulnerability in RLE Nova-Wind turbine. On Friday, July 24, CERT warned Honeywell users, “Compromised Tuxedo Touch Controllers may be leveraged to operate home automation devices, such as unlocking or locking doors.”

Regarding Honeywell, Rupp told Forbes that attackers could exploit a CSRF vulnerability by sending a link to a Honeywell user that would allow the attacker to launch actions on Tuxedo Touch so long as the user was logged in.

“Slack authentication” is a more serious vulnerability in Honeywell, as Rupp warned that:

an attacker could send a request to a specific page on the Tuxedo Touch interface, such as the one used to lock the doors, and when the device asked for a username and password, the attacker could simply ignore the demand (by intercepting and dropping requests containing the string “USERACCT=USERNAME:_,PASSWORD:_,”) and access that page. As it’s possible to scan the web for Tuxedo Touch devices to find the related web interface, anyone could easily find and attack a Honeywell-powered home where patches haven’t been applied.

CERT advised users to patch these holes by updating to the latest version of Honeywell’s home automation kit. Honeywell told users to download the new software onto an SD card and then use the SD card to update Tuxedo Touch firmware.