A security researcher found zero-day holes in the "brains" of the three most popular smart hubs sold on Amazon. CERT also warned users to update Honeywell Tuxedo Touch controller firmware.

At the 2015 Intelligent Defense European Technical Research Conference in June, Tripwire security researcher Craig Young presented Smart Home Invasion and revealed zero-day flaws in the “brains” of Internet of Things platform hubs such as SmartThings hubs, Wink hubs, and MiOS Vera. The Wink and Vera products “contained critical remotely exploitable flaws.” Young warned that “if not addressed, smart home flaws can give rise to a new type of ‘smart criminal’ able to case victims without being seen. Once a target is chosen, it is possible to unlock doors and disable security monitoring.”

According to Tripwire’s Smart Home Invasion video, Young performed a security assessment on the three best-selling smart hubs on Amazon; he found all three to have critical security flaws that could “lead to unlocked doors and unsolicited access into a person’s home network.”

Young explained:

Access to home hubs can not only let the burglar enter your home without tripping alarms, but it also gives them access to a wealth of information about when people are at home and where they might be in the house. Connected devices like motion sensors and cameras give a clear picture of what’s going on inside the house but even information like when the garage door is opened each day or when lights are turned on and off expose aspects of a target’s schedule. In effect, this opens the door for prospective thieves to case targets from the comfort of their secret lair.

The threats are not limited to local burglars and thieves either. Compromised Internet nodes have intrinsic value for hackers looking to disguise the source of attacks or simply steal bandwidth.
As with the many other embedded devices that comprise the Internet of Things, attackers will naturally be looking to attack these systems and install backdoor software for use in spam and DDoS campaigns. These types of attacks can lead to increased Internet costs via bandwidth overage charges while also exposing internal devices to further attack.

“Vulnerable versions of Vera and Wink could be attacked through HTTP requests,” Young added. “These requests may come from a malicious web page (as demonstrated at IID on the Vera), a phone app on the LAN, or a malicious user on the LAN directly connecting to the vulnerable device. In the case of Vera, the attacker can directly supply commands to run on the Vera’s embedded operating system. In the case of Wink, the attacker would inject SQL commands to trick SQLite into creating a PHP script on the device. A subsequent request can then trigger execution of the PHP code with root permissions.”

The SmartThings hub had the least serious vulnerability: improper certificate validation. The holes in both SmartThings and Wink were patched, but the user still has to apply the patches. In the case of SmartThings, a mandatory update was pushed out in February. A spokesperson said, “Any inactive hub that was not updated cannot connect to the SmartThings service and is automatically redirected to an update server.”

Keeping firmware up-to-date, connecting your devices to their own separate network, and removing HTTPS access were suggested by Tripwire as best practices to reduce vulnerability. “HTTP interfaces expose a very large attack surface and should be isolated from untrusted nodes or disabled if possible.”

CERT warns users to update Honeywell Tuxedo Touch controller firmware

Honeywell’s tagline for Tuxedo Touch is “Smart house. Safe home.” But if a product has “horrible” security holes, then “safe” doesn’t seem true.
Cure53 security researcher Maxim Rupp is warning how “remarkably simple” it is for anyone to access another person’s “Honeywell Tuxedo Touch web interfaces, used to control all connected parts of the home, including cameras, thermostats, lights, locks and shades.”

Last month, Rupp told the world that hundreds of solar lighting systems and wind turbines were vulnerable to hacking. ICS-CERT then released advisories for Sinapsi eSolar Light plaintext password vulnerabilities, for a cross-site request forgery (CSRF) vulnerability in XZERES 442SR wind turbines, and for an insecure credential vulnerability in RLE Nova-Wind turbines.

On Friday, July 24, CERT warned Honeywell users, “Compromised Tuxedo Touch Controllers may be leveraged to operate home automation devices, such as unlocking or locking doors.”

Regarding Honeywell, Rupp told Forbes that attackers could exploit a CSRF vulnerability by sending a link to a Honeywell user that would allow the attacker to launch actions on Tuxedo Touch so long as the user was logged in.

“Slack authentication” is a more serious vulnerability in Honeywell, as Rupp warned that:

an attacker could send a request to a specific page on the Tuxedo Touch interface, such as the one used to lock the doors, and when the device asked for a username and password, the attacker could simply ignore the demand (by intercepting and dropping requests containing the string “USERACCT=USERNAME:_,PASSWORD:_,”) and access that page. As it’s possible to scan the web for Tuxedo Touch devices to find the related web interface, anyone could easily find and attack a Honeywell-powered home where patches haven’t been applied.

CERT advised users to patch these holes by updating to the latest version of Honeywell’s home automation kit. Honeywell told users to download the new software onto an SD card and then use the SD card to update Tuxedo Touch firmware.
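Both Honeywell flaws described above come down to the device not enforcing its own checks on the server side: a login prompt the client can skip, and state-changing actions that accept any request from a logged-in browser. The following is an added illustration, not Honeywell's or Cure53's code, of the weak pattern beside a hardened handler that verifies the session and a per-session CSRF token before acting; the request format, session store, path and token names are all constructed for this example.

```python
"""Server-side authentication and CSRF enforcement for a door-lock action.
Added illustration (not Tuxedo Touch code); all names below are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Constructed session store: session id -> (user, per-session CSRF token)
SESSIONS = {"sess-constructed-id": ("homeowner", "csrf-constructed-token")}


def new_session(user: str) -> str:
    """Mint a random session id and CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, secrets.token_urlsafe(32))
    return sid


def vulnerable_lock_handler(req: Request) -> int:
    """Weak pattern: the action runs for any request to the page; the
    username/password prompt is a separate exchange that the client can
    drop, so nothing here ever verifies who is asking."""
    return 200  # lock command executed regardless of caller


def hardened_lock_handler(req: Request) -> int:
    """Verify session and CSRF token on the server before doing anything."""
    if req.method != "POST":
        return 405  # state changes never ride on a GET (link-clicks, images)
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401  # no valid session: refuse outright, do not prompt-and-serve
    _user, expected_token = session
    supplied = req.form.get("csrf_token", "")
    # Token must come from the form the device itself rendered for this
    # session; a request forged by another site cannot know it.
    if not hmac.compare_digest(supplied.encode(), expected_token.encode()):
        return 403
    return 200  # authenticated, same-origin request: perform the lock action
```
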