“I can see all of the devices in your home and I think I can control them,” I said to Thomas Hatley, a complete stranger in Oregon who I had rudely awoken with an early phone call on a Thursday morning.
He and his wife were still in bed. Expressing surprise, he asked me to try to turn the master bedroom lights on and off. Sitting in my living room in San Francisco, I flipped the light switch with a click, and resisted the Poltergeist-like temptation to turn the television on as well.
“They just came on and now they’re off,” he said. “I’ll be darned.”
The home automation market was worth $1.5 billion in 2012 according to Reuters; there’s been an explosion in products that promise to make our homes “smarter.” The best known is Nest, a thermostat that monitors inhabitants’ activity, learns their schedules and temperature preferences and heats or cools the house as it deems appropriate. Many of these products have smartphone apps and Web portals that let users operate devices, cameras, and locks from afar. Getting to live the Jetsons’ lifestyle has downsides though; as we bring the things in our homes onto the Internet, we run into the same kind of security concerns we have for any connected device: they could get hacked.
Googling a very simple phrase led me to a list of “smart homes” that had done something rather stupid. The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search engines – meaning they show up in search results — and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion.
Thomas Hatley’s home was one of eight that I was able to access. Sensitive information was revealed – not just what appliances and devices people had, but their time zone (along with the closest major city to their home), IP addresses and even the name of a child; apparently, the parents wanted the ability to pull the plug on his television from afar. In at least three cases, there was enough information to link the homes on the Internet to their locations in the real world. The names for most of the systems were generic, but in one of those cases, it included a street address that I was able to track down to a house in Connecticut.
When I called, a “Craig” picked up the phone. He revealed that he has a side job as a consultant who helps install Insteon devices in people’s homes, and had been using the system himself for 10 years. I told him I could see (and probably control) his network and he became defensive.
“There’s a password, though,” he said testily. “I want potential customers to be able to see the system to know how it works. You can’t control them, you can just see them.”
I asked him if I could try to turn one of his devices on and off. He told me to turn off the light in the room he was in. After I did it, there was a pregnant pause. “Anything?,” I asked. He responded that nothing happened and rushed off the phone. I suspected he might be lying. The next day, Craig’s system was locked down, accessible only by username and password.
The Insteon vulnerability was one of many found in smarthome devices by David Bryan and Daniel Crowley, security researchers at Trustwave. Bryan got one of Insteon’s HUB devices in December, installed the app on his phone, and began monitoring how it worked.
“What I saw concerned me,” he said. “There was no authentication between the handheld and any of the control commands.”
“You could put someone’s electric bill through the roof by turning on a hot tub heater,” says Bryan. He contacted Insteon support by email and asked how to enable a username and password, and Trustwave recently sent the company a full advisory as to its vulnerabilities. The company later fixed the problem with HUB, issuing a recall for the devices in early 2013, though it did not inform customers that the security vulnerability was one of the reasons for that recall.
Insteon chief information officer Mike Nunes says the systems that I’m seeing online are from a product discontinued in the last year. He blamed user error for the appearance in search results, saying the older product was not originally intended for remote access, and to set this up required some savvy on the users’ part. The devices had come with an instruction manual telling users how to put the devices online which strongly advised them to add a username and password to the system. (But, really, who reads instruction manuals closely?)
“This would require the user to have chosen to publish a link (IP address) to the Internet AND for them to have not set a username and password,” says Nunes. I told Nunes that requiring a username/password by default is good security-by-design to protect people from making a mistake like this. “It did not require it by default, but it supported it and encouraged it,” he replied.
In Thomas Hatley’s case, he created a website that acted as the gateway for a number of services for his home. There is a password on his website, but you can circumvent that by going straight to the Insteon port, which was not password protected. “I would say that some of the responsibility would be mine, because of how I have my internal router configured,” says Hatley who describes himself as a home automation enthusiast. “But it’s coming from that port, and I didn’t realize that port was accessible from the outside.”
The company’s current product automatically assigns a username and password, but it did not during the first few months of release — which is one of the products that Trustwave’s Bryan got. If you have one of those early products, you should really go through with that recall. Bryan rated the new authentication as “poor” saying that cracking it would “be a trivial task for most security professionals.”
The problem with Insteon products that don’t have password protection by default is similar to one found with Trendnet IP cameras a few years ago; a lack of authentication meant that anyone who figured out the IP address for a particular camera could watch the camera’s stream—some streams were rather intimate. Even without a public-facing website, a vulnerability like this means that anyone who figures out how to identify the addresses for vulnerable systems – as happened with the Trendnet cameras — could get access to and control of people’s homes.
“I’m excited these technologies exist but am heart-broken that these security flaws exist,” says Trustwave’s Crowley.
He and his colleague found security flaws that would allow a digital intruder to take control of a number of sensitive devices beyond the Insteon systems, from the Belkin WeMo Switch to the Satis Smart Toilet. Yes, they found that a toilet was hackable. You only have to have the Android app for the $5,000 toilet on your phone and be close enough to the toilet to communicate with it.
“It connects through Bluetooth, with no username or password using the pin ‘0000’,” said Crowley. “So anyone who has the application on their phone and was connected to the network could control anyone else’s toilet. You could turn the bidet on while someone’s in there.”
They will present their findings – Home Invasion 2.0 — at Black Hat and Defcon in the next two weeks, along with security engineer Jennifer Savage. Trustwave points out vulnerabilities like this in hopes of convincing companies of the importance of security testing before releasing products (security testing that Trustwave offers).
Another problem with some of the devices, such as the Mi Casa Verde MIOS VeraLite, is that once they’re connected to a Wi-Fi network, they assume that anyone using that network is an authorized user. So if you can manage to get on someone’s Wi-Fi network – which is easy if they have no password on it – you could take control of their home.
“These companies are considering the home network as a fortress,” says Crowley. “In most cases, it’s anything but.”
Insteon’s flaw was worse in that it allowed access to any one via the Internet. The researchers could see the exposed systems online but weren’t comfortable poking around further. I was — but I was definitely nervous about it and made sure I had Insteon users’ permission before flickering their lights. Weighing on my mind was the CFAA/”unauthorized access” to computer systems charges used to prosecute Aaron Swartz and to convict Andrew “weev” Auernheimer, a hacker who exposed a vulnerability in AT&T’s servers that leaked the email addresses of the company’s iPad 3G users.
“This type of issue is very much like the one presented in the ‘weev’ case,” said Marcia Hofmann, a lawyer who specializes in Internet law and security matters. She is part of a team of lawyers appealing Auernheimer’s criminal conviction and 41-month prison sentence, a sentence that has had a chilling effect on other researchers who seek to expose security flaws in company’s products. Hofmann says the Trustwave researchers’ reluctance (as well as my own wariness) to poke around in something publicly available on the Internet to alert the users affected “shows why that case is such a dangerous precedent.”
“The people who discovered this and reported it to the company so it can fix the problem shouldn’t have to worry that they somehow ran afoul of the law,” says Hofmann.
“Hopefully, our talk will highlight that these kinds of devices don’t have very good security, and that they need to improve,” says Trustwave’s Crowley. “Most of these flaws were obvious from just a couple of hours of looking at it.”