
Author Topic: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems  (Read 56156 times)

Offline MiPolloMole

  • Sr. Newbie
  • *
  • Posts: 47
  • Karma: +0/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #15 on: August 05, 2013, 05:00:38 pm »
If true, this is a very big deal.

I couldn't agree more. I just bought one on Saturday, then heard about all of this today, and I'm trying to get to the bottom of this before the return-for-a-refund window ends. :-) I don't have enough information right now, but I'll update this thread when that changes.

Offline redwood

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #16 on: August 05, 2013, 08:02:21 pm »
Hi All,

I'm one of the researchers who presented the Z-Wave security talk in Las Vegas last week and was informed about this forum thread via an email message. I'd like to give you some updates about our research. During our talk:

a) We demonstrated that un-encrypted devices (the ones that do not implement SECURITY_CLASS), such as motion sensors, could be disabled remotely by using our Z-Wave packet injector (Z-Force).

b) We also demonstrated an attack against the Z-Wave security protocol implementation in an AES door lock that could reset the network key to a known value remotely and enable the attacker to take full control of the device (unlock, set PIN, etc.).

Due to the BlackHat conference's content embargo, we would not be able to publish our research paper and slides until August 15th, after which those will be available at the following URLs:

https://code.google.com/p/z-force/
http://research.sensepost.com/

Thank you

Offline MiPolloMole

  • Sr. Newbie
  • *
  • Posts: 47
  • Karma: +0/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #17 on: August 05, 2013, 08:08:16 pm »
I'm one of the researchers who presented the Z-Wave security talk in Las Vegas last week and was informed about this forum thread via an email message. [...]

That was me, I suspect. But I am sure that a lot of us are looking forward to the expiration of that embargo now.  :)

Thanks for stopping by!

Offline Z-Waver

  • Master Member
  • *******
  • Posts: 4437
  • Karma: +249/-120
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #18 on: August 06, 2013, 08:33:04 am »
b) We also demonstrated an attack against Z-Wave security protocol implementation in an AES door lock that could reset the network key to a known value remotely and enable the attacker to take full control of device (unlock, set PIN, etc)

Thanks very much for coming in and clarifying the situation. My remaining uncertainty is whether the lock compromise was a vulnerability in the Z-Wave protocol or in a particular lock's implementation. If the latter, which one, and have you contacted the manufacturer about the vulnerability?

Offline redwood

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #19 on: August 06, 2013, 11:42:42 am »

We discovered this issue in a European Z-Wave door lock, but as there was strong evidence that the root cause of the vulnerability (a protocol implementation error) could be present in other door lock brands, we decided to report the vulnerability directly to the Z-Wave vendor (Sigma Designs), and they should have communicated it to the device manufacturers to make sure their products are not affected.

Offline Z-Waver

  • Master Member
  • *******
  • Posts: 4437
  • Karma: +249/-120
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #20 on: August 06, 2013, 07:05:38 pm »
Thanks for the information! Let's hope that Sigma Designs acts responsibly on this.

Eagerly anticipating your presentation's release on August 15th.

Offline MiPolloMole

  • Sr. Newbie
  • *
  • Posts: 47
  • Karma: +0/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #21 on: August 07, 2013, 06:43:11 pm »
The first post in this thread links to an article about three BlackHat talks. Redwood's is one of them, and we'll have to wait for the details, but another is already available online at BlackHat's own web site:

https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf

A section of that paper describes some vulnerabilities in MiCasaVerde's Vera system. Most of the vulnerabilities are of the form "if an attacker has access to your local wireless network, they can..." and/or "if an attacker has control of MiCasaVerde's servers, they can..."

The key concern, in my opinion, is that MCV's servers effectively have root access to the Vera devices. (The paper describes how an attacker with access to MCV's servers can use the UPnP interface to create root-privileged accounts on the Vera.) Thus if an attacker acquires control of MCV's servers, the attacker has full control of our Vera devices as well.
« Last Edit: August 09, 2013, 01:35:36 pm by MiPolloMole »

Offline Z-Waver

  • Master Member
  • *******
  • Posts: 4437
  • Karma: +249/-120
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #22 on: August 08, 2013, 08:35:23 am »
@MiPolloMole - Forgive my lack of vision, but I'm not perceiving any personal risk in such an attack. I'm not saying that there is not a vulnerability or that it should not be addressed, but it seems to me that the MCV takeover vector is less of a threat than a local exploit.

Assuming that an attacker manages to take over MCV's servers, they would indeed have root on my Vera and tens of thousands of others. Now what will they do? Will they make my lights flash? Will they run up my electric bill? Will they watch my cameras? I just don't see any likelihood of them identifying a single house and then leveraging their MCV access to open doors or do me "harm".

The other attack exploiting Z-Wave for locally opening a lock bothers me far more.

Edit: Thinking about it some more; I suppose with MCV access they could open ALL locks globally in order to open the door they happen to be standing in front of without having to identify a specific house/node on the MCV servers. OK, I see greater risk now, but the local exploit still bothers me more.
« Last Edit: August 08, 2013, 08:39:26 am by Z-Waver »

Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #23 on: August 08, 2013, 09:36:12 am »
Assuming that an attacker manages to take over MCV's servers, they would indeed have root on my Vera and tens of thousands of others. Now what will they do? Will they make my lights flash? Will they run up my electric bill? Will they watch my cameras?
They'll open a new Network Tunnel from your LAN (the part that's accessible to Vera), to a nice comfy location of their choice where they can take their time to break into more stuff on your LAN as they'll effectively "see" anything on that Network.

Vera just becomes the Gateway to a more interesting attack.

From an access standpoint, this is the equivalent of removing your LAN's Internet Firewall... at least for their use (unless they decide to make that access more widely available to others)

Do you have your SSN, or other PII, stored anywhere on a LAN-based file share?  Any unsecured Financial documents, Check account#, Credit card#'s (etc) floating around on your home machines?

Bottom line, it comes down to how comfortable you'd be running your LAN without an Internet Firewall.

Offline MiPolloMole

  • Sr. Newbie
  • *
  • Posts: 47
  • Karma: +0/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #24 on: August 08, 2013, 03:48:52 pm »
Assuming that an attacker manages to take over MCV's servers, they would indeed have root on my Vera and tens of thousands of others. Now what will they do? Will they make my lights flash? Will they run up my electric bill? Will they watch my cameras? I just don't see any likelihood of them identifying a single house and then leveraging their MCV access to open doors or do me "harm".

I'm not worried about a targeted attack.

But if the sort of person who breaks into other people's computers for fun breaks into MCV's servers, how long would it be until every MCV customer finds their deadbolts mysteriously unlocked?

I just configured my network so that my Vera can only be accessed from one specific IP address (a PC on my home network). That mitigates the risk for me.

Offline legend99

  • Full Member
  • ***
  • Posts: 178
  • Karma: +3/-1
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #25 on: August 10, 2013, 02:04:33 pm »

Problem is that viewing an IP cam through Vera is, to put it lightly, garbage. My Foscam (maybe the fault lies there) works for 30 seconds and then stops transmitting until I close the window and open it again.

If the only entry through your router from the internet is through a VPN or SSH tunnel (i.e. NO port forwarding) ... and you use WPA2 for your Wifi ... you are pretty safe.

Note: IP cameras often encourage port forwarding to access the camera from outside your home. This is a bad idea ... as most IP cameras are running a web server on a Linux engine ... and can be exploited.

Accessing the IP cameras through Vera is much safer.

Note: Vera opens a tunnel in the opposite direction ... from your LAN to the MCV servers.

Offline Cor

  • Hero Member
  • *****
  • Posts: 1249
  • Karma: +8/-4
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #26 on: August 11, 2013, 06:41:10 am »
Interesting reading.

For myself I am not too worried; if someone really wants, he/she may switch some lights on or off... or open my gate. Not nice, and I prefer it won't happen.

I do have a question concerning opening ports on my router.

In and around my house I have installed about 8 IP cameras, and I use the Blue Iris program to watch them (also remotely). For Blue Iris (webcast) I have opened port 20. I sometimes also want a direct feed from the cameras, and for that reason I also opened ports 50 to 58.

With these ports open, can someone now (easily) access my network?

I can understand if someone would be able to take over control of the cameras (so be it), but I am a bit worried about, for example, my NAS (which is connected to my LAN, but I have no port forwarded for it).

Thanks,
Cor

Offline RichardTSchaefer

  • Community Beta
  • Master Member
  • ******
  • Posts: 10091
  • Karma: +764/-143
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #27 on: August 11, 2013, 07:53:23 am »
I would not open up cameras with port forwards through the router ...
I use an SSH tunnel. This makes all of my cameras, and any other home network resource I wish to make available on my phone, look like a local IP port to the phone ... and all communications are secured through the SSH tunnel.

Offline Z-Waver

  • Master Member
  • *******
  • Posts: 4437
  • Karma: +249/-120
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #28 on: August 11, 2013, 09:22:58 am »
@Cor - IP cameras are usually Linux-based System on a Chip (SoC) devices that are notorious for having network security vulnerabilities in them. Here's the first search item that came up. They are also notorious for never having their firmware updated, so the vulnerabilities are never fixed. The issue is that the camera's vulnerabilities are exploited and then the camera (computer) is used as a jumping-off point to the rest of your network, as @guessed reminded me earlier in this thread. They gain access to the camera and then use it as a gateway to compromise other devices on the network, including your NAS. This is why you are seeing people strongly recommend against forwarding ports, especially to cameras.

On another note, you state that you have forwarded ports 20 and 50-58. These are called reserved ports because they are used and reserved for very specific services. For instance, port 20 is used for the data channel in FTP and port 53 is used for DNS. By forwarding these ports to specific devices, I would expect unusual and problematic behavior, especially with DNS resolution. Other forms of this type of non-standard, if not just plain wrong, network configuration could possibly be causing the unexplained issues of your other posts. When forwarding ports to non-standard services it is proper to forward ports higher than 1024 (the reserved ports).
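
The advice running through the last few posts (no inbound forwards to IP cameras, reach them through an SSH tunnel or VPN, and keep non-standard services off the well-known ports below 1024) can be turned into a quick audit of a router's port-forward table. The following is an added example and is not code from this thread, from MiCasaVerde or from Blue Iris; the device-role labels (`camera`, `nvr`, `ssh-gateway`, `vpn`) are an assumption the person running the audit has to supply, since a router does not know what a host is, and the rule lists are constructed to mirror the 10.0.0.20 / 10.0.0.50-62 layout described in the thread.

```python
"""Audit a home router's port-forward table against the advice in this thread.

Added example, not code from the thread or from MiCasaVerde: it encodes the
posters' rules (no inbound forwards to IP cameras, only a single SSH/VPN entry
point exposed, nothing on well-known ports below 1024) and runs them over a
constructed rule list. Device roles are an assumed label supplied by the
auditor; routers do not know what a host is.
"""
from dataclasses import dataclass

WELL_KNOWN_MAX = 1023    # 0-1023: well-known ports (20 = ftp-data, 53 = dns, ...)
REGISTERED_MAX = 49151   # 1024-49151: IANA registered; 49152-65535: dynamic/private

# A handful of well-known services a home user is likely to collide with.
WELL_KNOWN_SERVICES = {
    20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
    53: "dns", 80: "http", 443: "https",
}

# Roles for which an inbound forward is acceptable in the thread's model:
# one hardened entry point (SSH gateway or VPN endpoint), nothing else.
ALLOWED_INBOUND_ROLES = {"ssh-gateway", "vpn"}


@dataclass(frozen=True)
class Forward:
    external_port: int
    internal_ip: str
    internal_port: int
    device_role: str   # assumed label: "camera", "nvr", "vera", "ssh-gateway", "vpn", ...


def port_class(port):
    """Classify a TCP/UDP port number by IANA range."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a port number: {port}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic"


def audit(forwards):
    """Return (forward, severity, reason) triples for each rule that breaks the advice."""
    findings = []
    for fw in forwards:
        if fw.device_role == "camera":
            findings.append((fw, "high",
                "inbound forward to an IP camera; an exploited camera becomes a foothold "
                "on the LAN, so reach it through an SSH tunnel or VPN instead"))
        elif fw.device_role not in ALLOWED_INBOUND_ROLES:
            findings.append((fw, "medium",
                f"inbound forward to a '{fw.device_role}' host; only the tunnel/VPN "
                "entry point should be reachable from the Internet"))
        if port_class(fw.external_port) == "well-known":
            svc = WELL_KNOWN_SERVICES.get(fw.external_port, "a well-known service")
            findings.append((fw, "medium",
                f"external port {fw.external_port} is reserved for {svc}; "
                "use a port above 1023 for a non-standard service"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its single worst severity ("ok" when empty)."""
    rank = {"ok": 0, "medium": 1, "high": 2}
    worst = "ok"
    for _, sev, _ in findings:
        if rank[sev] > rank[worst]:
            worst = sev
    return worst


# Constructed rule lists: the original mistaken forwards (ports 20 and 50-58),
# the renumbered ones (2000 and 2050-2062), and a tunnel-only layout.
MISTAKEN_FORWARDS = (
    [Forward(20, "10.0.0.20", 80, "nvr")]
    + [Forward(50 + i, f"10.0.0.{50 + i}", 80, "camera") for i in range(9)]
)
RENUMBERED_FORWARDS = (
    [Forward(2000, "10.0.0.20", 80, "nvr")]
    + [Forward(2050 + i, f"10.0.0.{50 + i}", 80, "camera") for i in range(13)]
)
HARDENED_FORWARDS = [Forward(2222, "10.0.0.2", 22, "ssh-gateway")]  # assumed gateway host

if __name__ == "__main__":
    for label, rules in (("mistaken", MISTAKEN_FORWARDS),
                         ("renumbered", RENUMBERED_FORWARDS),
                         ("ssh-tunnel-only", HARDENED_FORWARDS)):
        found = audit(rules)
        print(f"{label}: {len(found)} finding(s), worst = {worst_severity(found)}")
        for fw, sev, why in found:
            print(f"  [{sev}] {fw.external_port} -> {fw.internal_ip}:{fw.internal_port}: {why}")
```

Moving the forwards from 20/50-58 to 2000/2050-2062 clears the well-known-port findings but leaves every camera forward flagged; only the tunnel-only layout, where the single exposed port belongs to the SSH gateway and the cameras are reached through it, audits clean.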

Offline Cor

  • Hero Member
  • *****
  • Posts: 1249
  • Karma: +8/-4
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #29 on: August 11, 2013, 09:53:57 am »
@RichardTSchaefer & Z-Waver,

Many thanks for your explanations.

I will close the ports to my cameras, although I use 1 camera with audio in and out as a sort of intercom.... maybe leave 1 port open :-s (that SSH tunneling is going way too far for me).

I had no clue that I couldn't use specific ports for any application. My idea was to have it all neatly ordered.

Blue Iris, for example, is on the computer with 10.0.0.20 and I opened port 2000 for the webcast (I wrongly thought I opened port 20).

For the cameras I opened ports 2050 to 2062. Local IP addresses for the cameras are 10.0.0.50 to 10.0.0.62.

Is this a list I can use for the ports, or rather not use?
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers. I see port 2000 is officially used as well; does it mean it is a bad idea to use it for my Blue Iris?

Many thanks,
Cor