Author Topic: Black Hat Talks To Outline Attacks On Home Automation Systems  (Read 30648 times)

Offline RichardTSchaefer

  • Master Member
  • *******
  • Posts: 10091
  • Karma: +764/-142
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #15 on: July 30, 2013, 11:05:15 pm »
@Screamhouse

Learn how to set up an SSH tunnel ... or do not be surprised if the boys on the West coast do not start manipulating devices in your home remotely as well.

Offline Pestus

  • Full Member
  • ***
  • Posts: 122
  • Karma: +2/-0
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #16 on: August 01, 2013, 10:10:00 pm »
Now that the cat's out of the bag, what do we all do about this?

In the PDF that outlines all the quite shocking vulnerabilities, the author states:

"As the vendor has refused to fix or even acknowledge these vulnerabilities, the authors consider it highly likely that this product has additional undiscovered vulnerabilities."

If this is the case, we need to get Micasaverde's attention!

I'm going to bet that in the next few days, someone makes a play at cp.mios.com... 

Online Brientim

  • Sr. Hero Member
  • ******
  • Posts: 2497
  • Karma: +78/-7
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #17 on: August 01, 2013, 10:14:42 pm »
There is a corresponding thread running in parallel; see:
http://forum.micasaverde.com/index.php/topic,15892.msg121185.html#msg121185

Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #18 on: August 02, 2013, 09:38:30 pm »
So this got me to try out VPN on a DD-WRT router tonight.  My current setup is everything through an AirPort Extreme, Vera doing its thing, a Windows PC running Blue Iris DVR with a static forwarded, my DSC alarm with an Eyez-On, Sonos, a Synology NAS, and many other devices.

My Comcast business smcd3 has 4 ports.  The airport is using one.  I also have a dlink upnp on port 2 used only for Xbox live.

I set up vpn in the ddwrt and connected with my iPhone on wifi.  It seemed to work.

If I add the DD-WRT router to port 3 of the SMCD3, and connect the Vera, Blue Iris PC, and DSC to it, they'll all be on a different subnet isolated from my normal home stuff.  I can VPN in to access these devices which need to get outside my LAN.  I will lose the convenience of viewing my cameras and Vera locally.  I will have to VPN or hit them through MiOS or the Internet.

Is this a good idea?  Am I missing anything?

Offline guessed

  • Master Member
  • *******
  • Posts: 5300
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #19 on: August 02, 2013, 10:31:17 pm »
It's a little hard to tell from the description, but it sounds more like you protected your Vera from your home network, than your home network from Vera.

...it depends on which router/gateway products are running in which modes.

e.g. What is NAT, what is Bridged

For a more acid test, plug a PC into your WRT box and see if you can connect to your home network.

Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #20 on: August 03, 2013, 09:23:07 pm »
> It's a little hard to tell from the description, but it sounds more like you protected your Vera from your home network, than your home network from Vera.
>
> ...it depends on which router/gateway products are running in which modes.
>
> e.g. What is NAT, what is Bridged
>
> For a more acid test, plug a PC into your WRT box and see if you can connect to your home network.

Two isolated subnets.  One for camera DVR server, Vera, DSC (Vera communication with the DSC is critical).  One for everyday use.  And actually a third for Xbox Live.   :)

I wish I were better at networking because I know I'll want to have my Vera control my sonos, but I like my sonos on my 'everyday' network.  But I now have the risky stuff isolated so I feel better until I can understand all this better.

Offline guessed

  • Master Member
  • *******
  • Posts: 5300
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #21 on: August 04, 2013, 12:05:23 am »
> Two isolated subnets.  One for camera DVR server, Vera, DSC (Vera communication with the DSC is critical).  One for everyday use.  And actually a third for Xbox Live.   :)
>
> I wish I were better at networking because I know I'll want to have my Vera control my sonos, but I like my sonos on my 'everyday' network.  But I now have the risky stuff isolated so I feel better until I can understand all this better.

Fair enough.  If both are NAT'd, then a slightly more "connected", but slightly less secure, model might be to daisy-chain the NAT'd routers.

You currently have [NAT'd] Networks "A" (Vera, DSC et al.) and "B" (Home/Everyday Network) as peers, so traffic cannot go between them.

If you sling "B" below "A", and retain the NAT on both, then "B" stuff can see the "A" machines without any magic, but not the other way around.  It would depend upon whether you have components sensitive to Double-NAT, and whether you needed some sort of [VPN] access into "B" (and the resulting double-forward to the VPN entity).

Not a panacea, by any means...

Offline SOlivas

  • Sr. Member
  • ****
  • Posts: 282
  • Karma: +1/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #22 on: August 04, 2013, 01:22:35 am »
> Disabled UPnP, but I have 2 cameras which I want to access remotely; is there another way than opening a port?

Building on what is already being said in this topic, if you really want to have remote access to your stuff without having your network open to the world, there are a few things you can do:

-Invest in a business grade firewall.  If you look around, you can find hardware from the big name players that are on sale or, if you scan through eBay, you can find older stuff that is still good, just EOL -- just make sure you have a copy of the latest released supported firmware/IOS and re-flash the devices you buy.  Block the Vera from making its call home.  Set it up to act as an end point for VPN access into your network.  Then you can remotely access your system after you have passed this gatekeeper.

-Get a firewall like above, but instead of having it handle VPN, learn how to set up an OpenVPN server (a dedicated box that is all it does), and then use that to access your network and items remotely.  There are clients for Android and, if you jailbreak your iPhone/iPad, there is one for that as well.

-If you really are serious about network security, and don't mind doing some work, then take a look at this:  http://www.sans.org/critical-security-controls/  It is meant for organizations to implement to help get a better handle on networks, and by implementing the top 5, you can realize an increase in security.  Anyway, read this and learn what is being done here, then learn how to adapt this to your home network.  (You could implement this on your home network, just be prepared to manage your home like a corporate network and have your "users" upset that they can't do anything.)

« Last Edit: August 04, 2013, 01:32:28 am by SOlivas »
Vera 3 (1.5.622) / 9x GE/Jasco 45609 / 2x GE/Jasco 45612 / 2x GE/Jasco 45614 / 1x MIMO Lite
1x Twine (http://forum.micasaverde.com/index.php/topic,15617.0.html), DSC Security System, Honeywell  YTH8320ZW1007 Thermostat, 1x Fortrezz WWA-01, 1x CA9000 Wireless PIR Sensor

Offline lolodomo

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3484
  • Karma: +74/-10
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #23 on: August 04, 2013, 04:53:43 am »
> You currently have [NAT'd] Networks "A" (Vera, DSC et al.) and "B" (Home/Everyday Network) as peers, so traffic cannot go between them.
>
> If you sling "B" below "A", and retain the NAT on both, then "B" stuff can see the "A" machines without any magic, but not the other way around.  It would depend upon whether you have components sensitive to Double-NAT, and whether you needed some sort of [VPN] access into "B" (and the resulting double-forward to the VPN entity).
>
> Not a panacea, by any means...

That is what I tried yesterday, meaning Sonos and Vera in different subnets. Vera can control the Sonos, but Sonos feedback is probably blocked by the intermediary router, meaning Vera cannot update data coming from the Sonos units.
I suppose it is possible to add a rule in the router to allow traffic coming from specific IPs (Sonos IPs)?

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3258
  • Karma: +191/-9
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #24 on: August 04, 2013, 05:09:02 am »
> I suppose it is possible to add a rule in the router to allow traffic coming from specific IPs (Sonos IPs)?

Of course. This is called punching holes in the firewall. Try to make the hole as specific as possible. Give the from-address, to-address, protocol and (if appropriate) port.

For the Belkin WeMo, which uses UPnP, the firewall holes are UDP port 1900 and TCP ports 49152-49167.  Sonos will be something similar. You can use a tool like Wireshark to get the protocols and ports that a given appliance uses.
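
To make futzle's "as specific as possible" advice concrete, here is an added example (not code from the thread or from any router vendor) that models a default-deny boundary between the Vera subnet and the everyday subnet, with each hole written as from-address, to-address, protocol and port. The addresses are constructed; port 1400 and the WeMo ports (UDP 1900, TCP 49152-49167) come from the thread, the Sonos event-callback port 3480 and the direction of the WeMo holes are assumptions for this example only. A `too_broad` check flags holes that leave one of the four fields open.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Hole:
    """One firewall exception, written with all four fields futzle lists."""
    src: str                            # CIDR: a single host (/32) or a subnet
    dst: str
    proto: str                          # "tcp", "udp" or "any"
    dports: Optional[Tuple[int, int]]   # inclusive port range; None = every port
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dports is not None and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        return True


def evaluate(holes: List[Hole], pkt: Packet) -> str:
    """Default deny between the subnets: the first matching hole accepts,
    anything else is dropped. Real routers are stateful and also let replies
    to an accepted flow back through; that is deliberately not modelled here."""
    for hole in holes:
        if hole.matches(pkt):
            return "accept"
    return "drop"


def too_broad(hole: Hole) -> List[str]:
    """List the ways a hole is wider than 'from, to, protocol, port'."""
    problems = []
    if ip_network(hole.src).prefixlen < 24:
        problems.append("source covers more than one /24")
    if ip_network(hole.dst).prefixlen < 24:
        problems.append("destination covers more than one /24")
    if hole.proto == "any":
        problems.append("protocol not restricted")
    if hole.dports is None:
        problems.append("port not restricted")
    return problems


# Constructed addresses: Vera on the isolated subnet "A", Sonos and a WeMo on
# the everyday subnet "B". Port 1400 is from the thread; 3480 as the Sonos
# event-callback port is a placeholder for this example only.
VERA = "192.168.10.20/32"
SONOS_NET = "192.168.20.0/24"
WEMO = "192.168.20.30/32"

HOLES = [
    Hole(VERA, SONOS_NET, "tcp", (1400, 1400), "Vera -> Sonos control calls"),
    Hole(SONOS_NET, VERA, "tcp", (3480, 3480), "Sonos -> Vera event feedback (placeholder port)"),
]

# The WeMo ports futzle quotes, written the same way; direction is assumed.
WEMO_HOLES = [
    Hole(VERA, WEMO, "udp", (1900, 1900), "UPnP/SSDP"),
    Hole(VERA, WEMO, "tcp", (49152, 49167), "UPnP event ports"),
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.10.20", "192.168.20.5", "tcp", 1400),
                Packet("192.168.20.5", "192.168.10.20", "tcp", 3480),
                Packet("192.168.20.5", "192.168.10.20", "tcp", 22)):
        print(pkt, "->", evaluate(HOLES, pkt))
    print(too_broad(Hole("0.0.0.0/0", VERA, "any", None)))
```

Running the block shows the two Sonos flows accepted and an unrelated SSH attempt from the everyday subnet dropped; the last line lists three reasons why a "let everything reach Vera" rule is not a hole but an open door.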

Offline lolodomo

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3484
  • Karma: +74/-10
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #25 on: August 04, 2013, 07:05:00 am »
> I suppose it is possible to add a rule in the router to allow traffic coming from specific IPs (Sonos IPs)?
>
> Of course. This is called punching holes in the firewall. Try to make the hole as specific as possible. Give the from-address, to-address, protocol and (if appropriate) port.
>
> For the Belkin WeMo, which uses UPnP, the firewall holes are UDP port 1900 and TCP ports 49152-49167.  Sonos will be something similar. You can use a tool like Wireshark to get the protocols and ports that a given appliance uses.

Finally, the Sonos plugin is working well (except album art, I have to investigate why) while in "normal" mode, meaning using calls on port 1400.
As soon as I switch to your UPnP event plugin (event notification), I have no more feedback; I assume events are no longer reaching your plugin?

Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #26 on: August 04, 2013, 08:41:05 am »
Thanks guessed, futzle, solivas, and everyone else. 

What firewall/switch would be a good home/business choice to give me some additional control and flexibility?  The ZyXEL ZyWALL USG50 is around $225 and looks interesting.

Does anyone have a setup they could share?  specific brands, models, topology?

Offline SOlivas

  • Sr. Member
  • ****
  • Posts: 282
  • Karma: +1/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #27 on: August 04, 2013, 01:02:06 pm »
> Thanks guessed, futzle, solivas, and everyone else.
>
> What firewall/switch would be a good home/business choice to give me some additional control and flexibility?  The ZyXEL ZyWALL USG50 is around $225 and looks interesting.
>
> Does anyone have a setup they could share?  specific brands, models, topology?

The firewall you use all depends on what you want out of such a device.  Just remember, no matter what you get, the two biggest factors to consider are time and learning curve for setting up and maintaining it. 

That unit comes with a standard license of 10 users. 

Also realize that an IDS will need to be tuned to be effective, and no matter what, you will still get false positives.  Plus, if you do go the route with an integrated IDS, you will need to make it a habit to watch the logs and know what they are telling you.  Not all IDS systems are created equal.

If you are looking for an IDS, there are open source solutions.  Two that come to mind are Snort and Suricata.

http://www.snort.org/

http://suricata-ids.org/

For spam filters, I use Postfix with its Postscreen feature to filter out the spammers/spambots and use a few freely available black/block lists.  As an additional measure, once the sender gets through the Postscreen layer, I have e-mail subjected to greylisting using Postgrey.  This eliminates about 98% of all spam that I get on my system.

I personally use a Cisco firewall on my network.

If you are going to buy a business grade firewall, don't let price alone be the determining factor.  Do quite a bit of research and see what others are saying about the device you are looking at.  Find the online support forums and mailing lists that are out there, and look through them to see what sorts of problems and quirks people encounter.

And if you do settle on a unit, make sure that you understand how to set it up. Unlike the consumer-grade firewalls that are normally found integrated into routers, etc., these are typically not plug-and-play devices that you can add into your system and forget about.

And realize that firewalls are not the magic bullet to all network security problems you will face.  Security in depth for your network, just like in the physical world, is the best way to protect yourself.  A firewall will only give you a means to help control access to and from your network, and give you insight into what is really going on.
« Last Edit: August 04, 2013, 01:50:39 pm by SOlivas »
Vera 3 (1.5.622) / 9x GE/Jasco 45609 / 2x GE/Jasco 45612 / 2x GE/Jasco 45614 / 1x MIMO Lite
1x Twine (http://forum.micasaverde.com/index.php/topic,15617.0.html), DSC Security System, Honeywell  YTH8320ZW1007 Thermostat, 1x Fortrezz WWA-01, 1x CA9000 Wireless PIR Sensor
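
SOlivas describes two mail-filtering layers, a Postscreen-style front door and greylisting with Postgrey. The following is an added example, written for this thread and not taken from Postfix or Postgrey, that simulates both layers on constructed delivery attempts so the mechanism is visible: a (client IP, sender, recipient) triple seen for the first time gets a temporary "come back later" answer, and only a client that retries after the delay is accepted. The 300-second delay and the 35-day expiry are assumptions chosen for the example; the block list is a constructed set standing in for the DNS-based lists a real Postscreen setup would query.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed block list standing in for the DNS-based block lists that a
# Postscreen-style front door consults; not a real list.
BLOCKLIST = {"198.51.100.9"}

Triple = Tuple[str, str, str]


@dataclass
class Greylist:
    """Greylisting in the style of Postgrey: a new (client, sender, recipient)
    triple is deferred with a temporary error and accepted only if the same
    client retries after `delay` seconds. Spambots that fire once and move on
    never complete the retry, so their mail never arrives."""
    delay: float = 300.0            # assumption: seconds a new triple must wait
    max_age: float = 35 * 86400     # assumption: forget triples idle this long
    first_seen: Dict[Triple, float] = field(default_factory=dict)

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> str:
        """Return 'DEFER' (answer with a 4xx temporary failure) or 'OK'."""
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.first_seen.get(key)
        if first is None or now - first > self.max_age:
            self.first_seen[key] = now      # new (or expired) triple: start the clock
            return "DEFER"
        if now - first < self.delay:
            return "DEFER"                  # retried too early: still deferred
        return "OK"


def screen(greylist: Greylist, client_ip: str, sender: str, recipient: str,
           now: float, spoke_before_banner: bool = False) -> str:
    """Two layers, as in the post: block list and 'pregreet' test first
    (a real MTA waits for the server's 220 banner before speaking), then
    greylisting for whoever gets past that."""
    if client_ip in BLOCKLIST:
        return "REJECT"
    if spoke_before_banner:
        return "REJECT"
    return greylist.check(client_ip, sender, recipient, now)


def run_scenario() -> Dict[str, List[str]]:
    """Constructed delivery attempts: a real MTA that retries, a bot that
    does not, and two clients that never reach the greylist at all."""
    gl = Greylist()
    t0 = 1_000_000.0
    results: Dict[str, List[str]] = {"mta": [], "bot": [], "front_door": []}
    # Legitimate MTA: first try deferred, retry after 15 min accepted,
    # a later message for the same triple accepted immediately.
    for dt in (0, 900, 7200):
        results["mta"].append(screen(gl, "203.0.113.5", "alice@example.net",
                                     "me@example.org", t0 + dt))
    # Spambot: one shot per forged sender, never retries the same triple.
    results["bot"].append(screen(gl, "203.0.113.77", "x1@spam.example", "me@example.org", t0))
    results["bot"].append(screen(gl, "203.0.113.77", "x2@spam.example", "me@example.org", t0 + 5))
    # Listed client, and a client that talks before the banner.
    results["front_door"].append(screen(gl, "198.51.100.9", "bob@example.net", "me@example.org", t0))
    results["front_door"].append(screen(gl, "203.0.113.88", "bob@example.net", "me@example.org", t0,
                                        spoke_before_banner=True))
    return results


if __name__ == "__main__":
    for who, outcome in run_scenario().items():
        print(f"{who:10s} {outcome}")
```

The cost of the scheme is visible in the "mta" row: the first legitimate message is delayed by one retry interval, which is why greylisting sits behind the cheaper front-door checks rather than in front of them.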

Offline micasaverde

  • Hero Member
  • *****
  • Posts: 1666
  • Karma: +15/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #28 on: August 04, 2013, 01:07:18 pm »
In the interview with Crowley, he says that allowing local access over the LAN to control the Vera is a security risk because then if someone gets a virus or other malicious software on your computer, then they can remotely control your home.  True, BUT, (a) the hacker will also be able to log your keystrokes and get all your passwords and logins for everything, including online banking, and can do bill pay or payment transfers to take the money out of your bank account, and he'll have access to all your files, NAS devices, etc.  (b) there's nothing we can do about this anyway because if someone has a virus installed on your computer giving them remote control, even if there were no local access, the hacker would still log your password when you logged on remotely.  The only way around this is to have hardware authentication--one of those token/fobs that generates a number each time you press the button using a special algorithm, and which number is required every time you want to log in.  This is how banks handle the problem for things like commercial wire transfers.  But this means every family member would need to carry a fob with them at all times and go through a complex login process every time he wanted to just turn on the lights.  I discussed with Crowley months ago that we HAVE gone through security audits, and we implemented it the way we did for a reason because we had to balance usability with security.  And, we do allow the power users who understand all these tech issues to lock down the system, such as installing self-signed certs and modifying the browser settings to accept them.  He never disputed any of this.  I also pointed out that we've thought many times about whether we should allow local access over the home network, since, it's impossible to secure connections over the local network since most browsers by default will reject self-signed certs for local devices.  
But in the end, we've always concluded that if someone is physically inside your home already, and plugged into your home network, there's no reason why he'd want to hack into the Vera to unlock the door since he could just reach over and turn the door knob by hand anyway.  And allowing direct access to Vera over the home network has a lot of benefits; it's faster with less latency, it works even when the internet is down or in remote locations without internet, it allows the security-conscious homeowner to be disconnected from our servers, and it means we don't need to charge a monthly fee since we don't need to provide server infrastructure to facilitate everyone's day-to-day usage of the system.  So, none of the points TrustWave brought up were new; they were all things we've debated for years anyway.  And none of the "flaws" were accidental oversights, like he implied.  But, his goal is to get his name in the papers, and his story has a lot less intrigue once all the facts are revealed.  So, he took features, like upnp access, that are fully documented in our wiki anyway, and spun them as "discoveries" he made while doing his extensive research on the product.  And he took design decisions we made, and explained to him, and presented them as though these were hidden flaws we weren't aware of, which TrustWave managed to uncover, presumably because he wants the exposure and thinks he'll get companies to hire him to do security audits.  When he reached out to us several months ago, offering his services, and we declined, my assumption is he probably made similar offers to the other HA providers as well, since the issues are ubiquitous to every HA system, and that the others simply agreed to retain his firm and thus buy his silence, and the products he chose to bash are the ones that refused to pay up.
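
The "token/fob that generates a number each time you press the button" described above is the HOTP scheme standardised in RFC 4226. As an added example (not code from the thread, from MiOS or from any fob vendor), the block below implements the generator and the server-side check, using the published RFC 4226 test key so the values can be verified against the spec. The look-ahead window of 5 is an assumption for the example; the point a practitioner wants to see is that each accepted counter value is consumed, so a code that was keylogged during one login is useless for the next.

```python
import hashlib
import hmac
import struct
from typing import List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, server_counter: int, candidate: str,
                look_ahead: int = 5) -> Optional[int]:
    """Server-side check. The fob may have been pressed a few times without a
    login, so any counter in [server_counter, server_counter + look_ahead) is
    accepted. Returns the new server counter on success; the accepted value and
    everything before it are consumed, so a captured code cannot be replayed.
    Returns None on failure."""
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


# Test-vector key from RFC 4226, Appendix D (the ASCII string "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def demo() -> List[str]:
    """Walk through one login and one replay attempt; returns the event log."""
    log = []
    server_counter = 0
    code = hotp(RFC4226_SECRET, 1)              # fob pressed twice, second code used
    new_counter = verify_hotp(RFC4226_SECRET, server_counter, code)
    log.append(f"login with {code}: {'accepted' if new_counter else 'rejected'}")
    server_counter = new_counter or server_counter
    replay = verify_hotp(RFC4226_SECRET, server_counter, code)
    log.append(f"replay of {code}: {'accepted' if replay else 'rejected'}")
    return log


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    print("\n".join(demo()))
```

Run on its own the block prints the first three RFC 4226 vectors (755224, 287082, 359152) followed by one accepted login and one rejected replay. Checking a TOTP token (the time-based variant) is the same code with the counter derived from the clock.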

Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #29 on: August 04, 2013, 07:20:36 pm »
> I personally use a Cisco firewall on my network.

Thanks.

Does your firewall allow you to protect against (block) the SSH tunnel mios-phone-home issue that everyone is concerned about?  And Vera can't be the only device that does this port 80 SSH-thingy, is it?  What makes this device so concerning regarding mios hacks?  The fact that it's a router and can be used to tunnel to other things on the LAN?