A year ago, cybersecurity researchers at Trend Micro who were tinkering with home-automation systems in their spare time decided to make a formal project out of it. One of the researchers invited the others to hack his smart home in Germany and see what they could find out about the underlying protocols used in it.
They quickly discovered that not only was the system susceptible to manipulation, but it was also ill-equipped to detect it. The owner of the home found himself moving from room to room, trying to figure out why his lights and window blinds weren’t working.
Stephen Hilt, a senior threat researcher at Trend Micro, had inadvertently carried out a denial-of-service attack on devices running on a popular building-automation protocol in the house. The researchers knew where the attack was coming from — Hilt was using a software-defined radio to jam the devices, flooding them with noise — but they didn’t realize how effective it would be.
“That was really all it took to take down a smart home — was accidentally getting stuck in a replay loop” of sending radio-frequency packets to the devices, Hilt said in an interview at the RSA Conference in San Francisco. After Hilt unplugged his radio, the disruption to the house stopped.
Hilt and his colleague Numaan Huq will present their research on Tuesday at RSA. A key finding: they were able to attack the programmable logic layer used in open-source automation servers to change the rules for interacting with the servers. In other words, an attacker could inject a “logic bug” into these automation rules to, for example, disable motion sensors used to secure the home. Given the amount of code in the system, detecting changes to it can be difficult.
“In 1,700 lines of code, are you really going to spot some changes?” Hilt said. “How often do people review their logic rules for alterations that were unauthorized?”
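One way to answer Hilt's question in practice is to snapshot the reviewed rule files and compare the live copies against that baseline, so an unauthorized edit is narrowed down to the exact line. The sketch below is an added example, not code from the Trend Micro research or from any automation server; the rule syntax, file names and the tampered condition are constructed for illustration.

```python
import difflib
import hashlib

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def make_baseline(rules):
    """Snapshot each reviewed rule file: its hash plus the text needed to diff later."""
    return {name: {"sha256": digest(body), "body": body} for name, body in rules.items()}

def audit(baseline, current):
    """Compare live rule files with the baseline; return one finding per changed file."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append({"file": name, "status": "removed", "changes": []})
        elif name not in baseline:
            findings.append({"file": name, "status": "added", "changes": []})
        elif digest(current[name]) != baseline[name]["sha256"]:
            old = baseline[name]["body"].splitlines()
            new = current[name].splitlines()
            ops = difflib.SequenceMatcher(a=old, b=new, autojunk=False).get_opcodes()
            changes = [{"line": i1 + 1, "was": old[i1:i2], "now": new[j1:j2]}
                       for tag, i1, i2, j1, j2 in ops if tag != "equal"]
            findings.append({"file": name, "status": "modified", "changes": changes})
    return findings

# Constructed sample: a 1,700-line rule file in a made-up syntax (no real server's format).
def sample_rules():
    lines = [f'rule "light_{i}" when switch_{i} == ON then light_{i} = ON' for i in range(1, 1700)]
    lines.insert(1200, 'rule "hall_alarm" when motion_hall == ON and armed then siren = ON')
    return "\n".join(lines) + "\n"

def tampered(rules_text):
    # Constructed change of the kind the article describes: the motion rule can no longer fire.
    return rules_text.replace("motion_hall == ON and armed", "motion_hall == ON and armed and false")

if __name__ == "__main__":
    good = {"home.rules": sample_rules()}
    base = make_baseline(good)  # taken right after a manual review of the rules
    live = {"home.rules": tampered(good["home.rules"])}
    live["extra.rules"] = 'rule "x" when true then door = OPEN\n'  # constructed unexpected file
    for f in audit(base, live):
        print(f["file"], f["status"])
        for c in f["changes"]:
            print(f"  line {c['line']}: {c['was']} -> {c['now']}")
```

The baseline is only useful if it is stored somewhere the automation server cannot write to; otherwise whoever alters the rules can alter the snapshot as well.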
The researchers also used Shodan, the search engine for internet-connected devices, to find home-automation servers exposed online with easily accessible login information.
“A lot of times we found configuration files with the passwords and keys … embedded,” Huq, a Trend Micro senior threat researcher, told CyberScoop. “And in some cases, even the latitude and the longitude of the house were embedded into the files.” Those coordinates can be used to locate a home on Google Maps.
The takeaway of the project is not that home automation is inexorably insecure. The researchers themselves are proponents of networked homes. Their point is that shoring up some of the sector’s protocols and security practices can go a long way in making smart homes, which are a part of modern life, less prone to snooping and tampering.
The Trend Micro analysts offer several security recommendations based on their findings. They advise users to update their devices’ firmware while acknowledging that tracking firmware updates for home-automation devices can be challenging. Enabling disk encryption on those devices also helps seal them off from attackers, the researchers said.
The research points to longstanding security challenges both in internet-of-things (IoT) devices and in the building-automation sector. A report issued last May by the departments of Commerce and Homeland Security warned that IoT vendors do not have the cost incentives to build more security into their products.
As Hilt put it, the vendors “care about security, but they care about usability more.”
One goal of the research is to get designers of home-automation platforms to reconsider that approach. “That’s where we’re really trying to … change people’s thinking about how they’re designing these systems,” Hilt said.