
Author Topic: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems  (Read 57765 times)

Offline Tony G

  • Jr. Member
  • **
  • Posts: 56
  • Karma: +0/-0
Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« on: June 26, 2013, 02:41:27 pm »


http://it.slashdot.org/story/13/06/26/1339253/black-hat-talks-to-outline-attacks-on-home-automation-systems

"If you use the Z-Wave wireless protocol for home automation then you might prepare to have your warm, fuzzy, happiness bubble burst; there will be several presentations about attacking the automated house at the upcoming Las Vegas hackers' conferences Black Hat USA 2013 and Def Con 21. For example, CEDIA IT Task force member Bjorn Jensen said, 'Today, I could scan for open ports on the Web used by a known control system, find them, get in and wreak havoc on somebody's home. I could turn off lights, mess with HVAC systems, blow speakers, unlock doors, disarm alarm systems and worse.' Among other things, the hacking Z-Wave synopsis adds, 'Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems...An open source implementation of the Z-wave protocol stack, openzwave, is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.'"
Vera Lite, Intermatic HA07 (x2), GE 45601, Wayne-Dalton HA18 (10x), Intermatic CA600 (4x), Aeon Labs Micro Illuminator (3x), Everspring SM103 (6x), Intermatic CA9000 (x2), Wayne Dalton WDTC-20 (x2), Kwikset Deadbolt, GE45603, Hawking HRAM1,

Offline Tony G

  • Jr. Member
  • **
  • Posts: 56
  • Karma: +0/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #1 on: June 26, 2013, 02:47:03 pm »
The nameless system they mention with open ports is homeseer, according to some folks in the comments.   Interesting stuff.   I believe this will force all vendors of HA equipment as well as Sigma to strengthen security!
Vera Lite, Intermatic HA07 (x2), GE 45601, Wayne-Dalton HA18 (10x), Intermatic CA600 (4x), Aeon Labs Micro Illuminator (3x), Everspring SM103 (6x), Intermatic CA9000 (x2), Wayne Dalton WDTC-20 (x2), Kwikset Deadbolt, GE45603, Hawking HRAM1,

Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #2 on: June 26, 2013, 02:51:09 pm »
This does not seem to be about Z-Wave hacking, but a web server security issue.

Offline Z-Waver

  • Master Member
  • *******
  • Posts: 4437
  • Karma: +249/-120
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #3 on: June 26, 2013, 08:21:04 pm »
Z-Wave and, more specifically, Vera have security issues. It is clear that security was an afterthought for both.

But, if you have opened ports in your firewall to allow direct access to your home automation system, or do not strongly guard LAN and WiFi access to your Vera, you are virtually leaving your front door unlocked.

Offline Piwtorak

  • Hero Member
  • *****
  • Posts: 988
  • Karma: +4/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #4 on: June 26, 2013, 08:57:53 pm »
If I always use Vera through micasaverde.com when away from home, and no port forwarding has been created for direct access, what is the level of exposure and security of our Veras?
Vera3 (1), Airport Extreme (2), Apple TV (3), Sqblaster (1), GE Switch (3), GE Dimmer (1), Leviton VRCSZ2 (2), GE 45601 (1), Intermatic HA03 (2), GE Zwave Outlet (1), Remote Control Curtain (1) and growing.

Offline RichardTSchaefer

  • Community Beta
  • Master Member
  • ******
  • Posts: 10091
  • Karma: +764/-143
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #5 on: June 26, 2013, 09:20:39 pm »
If the only entry through your router from the internet is through a VPN or SSH tunnel (i.e. NO port forwarding) ... and you use WPA2 for your Wifi ... you are pretty safe.

Note: IP Cameras often encourage port forwarding to access the camera outside your home. This is a bad idea ... as most IP cameras are running a Web server on a linux engine ... and can be exploited.

Accessing the IP cameras thru Vera is much safer.

Note: Vera opens a tunnel in the opposite direction ... from your LAN to the MCV servers.


Offline Piwtorak

  • Hero Member
  • *****
  • Posts: 988
  • Karma: +4/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #6 on: June 26, 2013, 09:37:02 pm »
Thanks, Richard. I am at ease because I am inside that pattern.
Vera3 (1), Airport Extreme (2), Apple TV (3), Sqblaster (1), GE Switch (3), GE Dimmer (1), Leviton VRCSZ2 (2), GE 45601 (1), Intermatic HA03 (2), GE Zwave Outlet (1), Remote Control Curtain (1) and growing.

Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #7 on: June 27, 2013, 03:40:02 am »
> Note: Vera opens a tunnel in the opposite direction ... from your LAN to the MCV servers.

... and that's the weak link.  It effectively means that access to your LAN is as weak as a user's cp.mios.com password, and any controls/service sharing used by the MiOS folks on their servers.

There are some previous threads on the use of RunLua & os.execute, over that link (once hacked), to gain full and total control of not just Vera.

Basically use those two to open a new outbound tunnel to wherever, and then use Vera as the jumping off point into a CT's broader LAN env.

Offline Piwtorak

  • Hero Member
  • *****
  • Posts: 988
  • Karma: +4/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #8 on: June 27, 2013, 09:41:26 am »
MCV could improve its security by showing images with numbers to confirm access, like banks do, or by creating a prior authorization for each new computer or system wanting to have access to a Vera unit.

Vera3 (1), Airport Extreme (2), Apple TV (3), Sqblaster (1), GE Switch (3), GE Dimmer (1), Leviton VRCSZ2 (2), GE 45601 (1), Intermatic HA03 (2), GE Zwave Outlet (1), Remote Control Curtain (1) and growing.

Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #9 on: June 27, 2013, 01:16:12 pm »
> MCV could improve its security by showing images with numbers to confirm access, like banks do, or by creating a prior authorization for each new computer or system wanting to have access to a Vera unit.

Yes, but that would break the existing Control Points, since they [currently] rely upon UN/PW. 

The easiest, short-term, "fix" for this situation would be to add account lockout, based upon bad entries, and password reset for when you get in the hole.

Longer term, there are way better technologies that can be looped in but they'll trigger the control points to rework their AuthN models to match.... so it would need to be "an option" so that people who were concerned could opt in (at the sacrifice of older Control Points that didn't support it)

Offline SocketFail

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #10 on: August 04, 2013, 01:59:02 pm »
> The nameless system they mention with open ports is homeseer, according to some folks in the comments.   Interesting stuff.   I believe this will force all vendors of HA equipment as well as Sigma to strengthen security!

Here's another article from a few days ago where the Vera Lite specifically is hacked: http://money.cnn.com/news/newsfeeds/gigaom/articles/2013_07_26_breaking_into_the_smart_home_of_the_future.html

Looks like everybody needs to tighten up!

Offline Z-Waver

  • Master Member
  • *******
  • Posts: 4437
  • Karma: +249/-120
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #11 on: August 04, 2013, 06:15:30 pm »
@SocketFail - Read the article again. The hack in the article relies on compromising the WiFi network. This gives the attacker local network access to the VeraLite, just the way you have access when you're at home. There are security issues to be addressed, but as stated earlier in this thread, a properly secured WPA2 WiFi network pretty effectively mitigates against this "hack".

Offline capjay

  • Hero Member
  • *****
  • Posts: 675
  • Karma: +9/-3
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #12 on: August 05, 2013, 08:34:15 am »
> If the only entry through your router from the internet is through a VPN or SSH tunnel (i.e. NO port forwarding) ... and you use WPA2 for your Wifi ... you are pretty safe.

*Assuming* the MCV servers/cloud are secure and locked down properly.

Offline MiPolloMole

  • Sr. Newbie
  • *
  • Posts: 47
  • Karma: +0/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #13 on: August 05, 2013, 04:08:07 pm »
To be clear, there are three sets of vulnerabilities being discussed here:

HOME INVASION V2.0 - ATTACKING NETWORK-CONTROLLED HARDWARE
https://www.blackhat.com/us-13/briefings.html#Crowley

Defeating wifi security gives an attacker access to everything on your local network, including Z-Wave devices. As RichardTSchaefer and Z-Waver mentioned, using WPA2 for your wifi network mitigates these vulnerabilities pretty well.

Also, allowing access to your MCV hardware by MCV's servers creates another avenue for attack, regardless of how secure your wifi network is.

HONEY, I'M HOME!! - HACKING Z-WAVE HOME AUTOMATION SYSTEMS
https://www.blackhat.com/us-13/briefings.html#Fouladi

These attacks are carried out directly against the Z-Wave wireless network. These are the ones that worry me the most. A co-worker who attended this talk tells me that they demonstrated remote unlocking of a Z-Wave deadbolt. That should be disconcerting for anyone who owns such hardware.

I'm very curious about the direct Z-Wave attacks. Web searches only gave me links to the page above, and articles about the presentation which do not contain anything more than what's on the page above. If anyone has more details, I'd love to hear them.
« Last Edit: August 05, 2013, 04:55:18 pm by MiPolloMole »

Offline Z-Waver

  • Master Member
  • *******
  • Posts: 4437
  • Karma: +249/-120
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #14 on: August 05, 2013, 04:18:35 pm »
> A co-worker who attended this talk tells me that they demonstrated remote unlocking of a Z-Wave deadbolt

If true, this is a very big deal. It would mean that they have figured out a way to break or inject their commands into the AES-128 encrypted channel, which seems highly unlikely, or they have discovered some other vulnerability that bypasses the encrypted control channel completely. The latter seems more likely than breaking AES-128, but I'm still dubious.

Can you press your co-worker for greater detail and a citation? At least what kind of deadbolt was used. I'm not ready to accept that the sky is falling based on 'he said; she said' assertions.