Author Topic: Black Hat Talks To Outline Attacks On Home Automation Systems  (Read 31367 times)

Offline SOlivas

  • Sr. Member
  • ****
  • Posts: 282
  • Karma: +1/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #30 on: August 04, 2013, 09:16:22 pm »
Yes it does.  However, I am not currently blocking my Vera 3 from phoning home; sometime in the future I may, but for now I'm willing to accept the risk that the MiOS servers may be compromised and my HA controller becomes a springboard for something else.  I'm fairly confident that I would catch such an event happening, though.


However, there looks to be an easier way than using a firewall to isolate the Vera.  Reading through the /usr/bin/cmh-ra-daemon.sh file (the file that initiates the "phone home" SSH tunnel connection to the MiOS servers), there are two settings in the /etc/cmh-ra/cmh-ra.conf file that are checked:

Code:
#user disabled MiOS remote service
if [[ "$RA_DISABLED" == "1" ]]; then log "MiOS Remote Control Service is disabled. We won't start RC tunnels..."; exit 1; fi
if [[ "$RA_DISALLOWED" == "1" ]]; then log "We don't have access to MiOS Remote Control Service..."; exit 1; fi

If either RA_DISABLED or RA_DISALLOWED is true, then the script stops and the remote tunnel should not be set up.


If you look at your file (at least on my Vera 3 with the latest firmware), you should see something similar to:

Code:
#!/bin/bash
RA_DISABLED=0
RA_DISALLOWED=0
PORT=31665

Change the 0's on either line to 1 and you should effectively kill the phone home feature.

You could also change the port to 0 as well if you really wanted to make sure that the system wouldn't connect to anything, since the script also checks for a port less than 1024, and if it finds such a value, terminates.


Hmm, I wonder how hard it would be to create a plugin that lets you toggle this behavior on and off, making it simple for the user who is afraid to poke under the hood?

 
« Last Edit: August 04, 2013, 09:21:54 pm by SOlivas »
Vera 3 (1.5.622) / 9x GE/Jasco 45609 / 2x GE/Jasco 45612 / 2x GE/Jasco 45614 / 1x MIMO Lite
1x Twine (http://forum.micasaverde.com/index.php/topic,15617.0.html), DSC Security System, Honeywell  YTH8320ZW1007 Thermostat, 1x Fortrezz WWA-01, 1x CA9000 Wireless PIR Sensor
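An added check (my own code, not from the Vera firmware or the post above) that reads a cmh-ra.conf the way the post describes cmh-ra-daemon.sh gating its tunnel (RA_DISABLED, RA_DISALLOWED, and the port-below-1024 check) and reports whether the phone-home tunnel would start, so the file can be verified before a reboot. The sample config files are constructed here, and the function names are my own; the firmware's exact log messages are not reproduced.

```bash
#!/bin/bash
# Added example: reproduce the start-up gate described for
# /usr/bin/cmh-ra-daemon.sh without executing the conf file
# (the real daemon sources it; here we only parse KEY=VALUE lines).

# tunnel_would_start CONF_FILE
# Prints why the tunnel would NOT start and returns 1, or prints
# "tunnel would start on port N" and returns 0.
tunnel_would_start() {
    local conf="$1"
    local RA_DISABLED=0 RA_DISALLOWED=0 PORT=0
    # Pick out the three settings the daemon checks; ignore everything else.
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            RA_DISABLED)   RA_DISABLED="$value" ;;
            RA_DISALLOWED) RA_DISALLOWED="$value" ;;
            PORT)          PORT="$value" ;;
        esac
    done < "$conf"

    if [ "$RA_DISABLED" = "1" ]; then
        echo "RA_DISABLED=1: remote service disabled by user"; return 1
    fi
    if [ "$RA_DISALLOWED" = "1" ]; then
        echo "RA_DISALLOWED=1: no access to remote service"; return 1
    fi
    case "$PORT" in
        ''|*[!0-9]*) echo "PORT is not numeric: '$PORT'"; return 1 ;;
    esac
    # The post says the daemon terminates on a port below 1024.
    if [ "$PORT" -lt 1024 ]; then
        echo "PORT=$PORT is below 1024: daemon would terminate"; return 1
    fi
    echo "tunnel would start on port $PORT"
    return 0
}

# make_conf FILE DISABLED DISALLOWED PORT
# Writes a constructed conf in the same shape as the file quoted in the post.
make_conf() {
    printf '#!/bin/bash\nRA_DISABLED=%s\nRA_DISALLOWED=%s\nPORT=%s\n' \
        "$2" "$3" "$4" > "$1"
}

# Walk through the default file and the two ways of disabling it.
demo() {
    local d; d=$(mktemp -d)
    make_conf "$d/default.conf"  0 0 31665
    make_conf "$d/disabled.conf" 1 0 31665
    make_conf "$d/port0.conf"    0 0 0
    for f in default disabled port0; do
        printf '%-9s -> ' "$f"; tunnel_would_start "$d/$f.conf" || true
    done
    rm -rf "$d"
}

demo
```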

Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #31 on: August 04, 2013, 09:56:08 pm »
@SOlivas,
Here's @futzle's original discussion thread showing how it's disabled:
    http://forum.micasaverde.com/index.php?topic=4782.10

We should probably keep the discussions centralized there, and any adaptations needed per-release, since it'll be easier to "pin" a single security thread for others to find.

Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #32 on: August 04, 2013, 11:04:17 pm »
And Vera can't be the only device that does this port 80 SSH-thingy, is it?  What makes this device so concerning regarding mios hacks?  The fact that it's a router and can be used to tunnel to other things on the LAN?
Each programmable "thing" on your Network has the potential to be abused, and ultimately turned into something you didn't plan for.

For PCs (etc.) we're all used to the normal "causes" for this stuff, and the typical starter access comes from inside your own network (often, but not always).

Most devices connect your home to cloud services via some form of controlled protocol and, barring bugs, there's a limit to what can be done over that protocol.  In the case of devices that use operating systems at the core, and then layer open access protocols (e.g. SSH), there's increased scope for something "bad" to be initiated at the "other end", and for the potential exploit to result in much greater damage.

It's been discussed before (aka using "RunLua" to launch a new Tunnel), but the potential damage isn't about loss of house access, or making your lights blink and/or garage open.  The potential in these cases is for any information you keep on your LAN to be exposed (Financial Records, PII, etc)

Of course, that would require breaking into a user's account via cp.mios.com and the fwd*.mios.com servers.

If someone wanted to do that, they'd likely write a password scanner, using the usual suspects, and then scrape usernames from the Forums.  The combination, whilst slow, would (in theory) eventually net some accounts/passwords, and then it's only a step away before they'd use the resulting SSH Tunnel to gain full access to that user's LAN.

Last time I checked, passwords on cp.mios.com were forced to be simpler than normal, and there was nothing that would lock out a user, or force secondary authentication, when they failed account access repeatedly...  If that's still the case, then it's simpler to write a bot.... that and you know there's a great concentration of people with "interesting stuff" all centralized behind those addresses, which makes it a great target if not well locked.

(broken into paragraphs for easier reading  8) )

Offline SOlivas

  • Sr. Member
  • ****
  • Posts: 282
  • Karma: +1/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #33 on: August 04, 2013, 11:51:26 pm »
@SOlivas,
Here's @futzle's original discussion thread showing how it's disabled:
    http://forum.micasaverde.com/index.php?topic=4782.10

We should probably keep the discussions centralized there, and any adaptations needed per-release, since it'll be easier to "pin" a single security thread for others to find.

Doh!

Sorry, I forgot to do a search before posting this.  Sorry. :)

Offline SOlivas

  • Sr. Member
  • ****
  • Posts: 282
  • Karma: +1/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #34 on: August 04, 2013, 11:58:01 pm »
And Vera can't be the only device that does this port 80 SSH-thingy, is it?  What makes this device so concerning regarding mios hacks?  The fact that it's a router and can be used to tunnel to other things on the LAN?
... someone wanted to do that, they'd likely write a password scanner, using the usual suspects, and then scrape usernames from the Forums.  The combination, whilst slow, would (in theory) eventually net some accounts/passwords, and then it's only a step away before they'd use the resulting SSH Tunnel to gain full access to that user's LAN.

Last time I checked, passwords on cp.mios.com were forced to be simpler than normal, and there was nothing that would lock out a user, or force secondary authentication, when they failed account access repeatedly...  If that's still the case, then it's simpler to write a bot.... that and you know there's a great concentration of people with "interesting stuff" all centralized behind those addresses, which makes it a great target if not well locked...


This brings two things to mind that every user should (or should not) do:

1.  Do not have your forum username be the same as your Vera login.  Also, don't try using a variation of your username either -- use something different that is unique and only you know.
2.  Don't use the same password (or groups of passwords) on the sites you use (groups meaning you have, like, 3 or 4 passwords that you use between all the sites you access; safer than 1 password for all, but still not as good as 1 password = 1 site).  The "keys to the kingdom" threat is very real, if someone breaks one, knows some of the sites you visit, and then tries it on other sites.......




Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #35 on: August 05, 2013, 06:29:24 am »
Each programmable "thing" on your Network has the potential to be abused, and ultimately turned into something you didn't plan for.

For PCs (etc.) we're all used to the normal "causes" for this stuff, and the typical starter access comes from inside your own network (often, but not always).

Most devices connect your home to cloud services via some form of controlled protocol and, barring bugs, there's a limit to what can be done over that protocol.  In the case of devices that use operating systems at the core, and then layer open access protocols (e.g. SSH), there's increased scope for something "bad" to be initiated at the "other end", and for the potential exploit to result in much greater damage.

It's been discussed before (aka using "RunLua" to launch a new Tunnel), but the potential damage isn't about loss of house access, or making your lights blink and/or garage open.  The potential in these cases is for any information you keep on your LAN to be exposed (Financial Records, PII, etc)


Excellent explanation.  Thanks. 


Offline capjay

  • Hero Member
  • *****
  • Posts: 675
  • Karma: +9/-3
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #36 on: August 05, 2013, 08:39:30 am »
@micasaverde

thanks for the clarification. I hope Mios servers have tightened security to prevent intrusions via that route..

Offline FireBird

  • Jr. Member
  • **
  • Posts: 94
  • Karma: +2/-0
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #37 on: August 05, 2013, 11:31:58 am »
I'm hoping the https://cp.mios.com page has a policy that doesn't allow more than 3-5 failed logins in a 30-60 minute time frame; this would help with any brute force attacks on the web portal.

Offline oTi@

  • Community Beta
  • Master Member
  • ******
  • Posts: 4041
  • Karma: +32/-6
  • UI what ?!
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #38 on: August 05, 2013, 11:55:42 am »
Thanks @micasaverde.

Now quoted with friendly white space added:
In the interview with Crowley, he says that allowing local access over the LAN to control the Vera is a security risk because then if someone gets a virus or other malicious software on your computer, then they can remotely control your home.

True, BUT, (a) the hacker will also be able to log your keystrokes and get all your passwords and logins for everything, including online banking, and can do bill pay or payment transfers to take the money out of your bank account, and he'll have access to all your files, NAS devices, etc.  (b) there's nothing we can do about this anyway because if someone has a virus installed on your computer giving them remote control, even if there were no local access, the hacker would still log your password when you logged on remotely.

The only way around this is to have hardware authentication--one of those token/fobs that generates a number each time you press the button using a special algorithm, and which number is required every time you want to log in.  This is how banks handle the problem for things like commercial wire transfers.  But this means every family member would need to carry a fob with them at all times and go through a complex login process every time he wanted to just turn on the lights.

I discussed with Crowley months ago that we HAVE gone through security audits, and we implemented it the way we did for a reason because we had to balance usability with security.  And, we do allow the power users who understand all these tech issues to lock down the system, such as installing self-signed certs and modifying the browser settings to accept them.  He never disputed any of this.

I also pointed out that we've thought many times about whether we should allow local access over the home network, since, it's impossible to secure connections over the local network since most browsers by default will reject self-signed certs for local devices.

But in the end, we've always concluded that if someone is physically inside your home already, and plugged into your home network, there's no reason why he'd want to hack into the Vera to unlock the door since he could just reach over and turn the door knob by hand anyway.

And allowing direct access to Vera over the home network has a lot of benefits; it's faster with less latency, it works even when the internet is down or in remote locations without internet, it allows the security-conscious homeowner to be disconnected from our servers, and it means we don't need to charge a monthly fee since we don't need to provide server infrastructure to facilitate everyone's day-to-day usage of the system.

So, none of the points TrustWave brought up were new; they were all things we've debated for years anyway.  And none of the "flaws" were accidental oversights, like he implied.

But, his goal is to get his name in the papers, and his story has a lot less intrigue once all the facts are revealed.  So, he took features, like upnp access, that are fully documented in our wiki anyway, and spun them as "discoveries" he made while doing his extensive research on the product.

And he took design decisions we made, and explained to him, and presented them as though these were hidden flaws we weren't aware of, which TrustWave managed to uncover, presumably because he wants the exposure and thinks he'll get companies to hire him to do security audits.

When he reached out to us several months ago, offering his services, and we declined, my assumption is he probably made similar offers to the other HA providers as well, since the issues are ubiquitous to every HA system, and that the others simply agreed to retain his firm and thus buy his silence, and the products he chose to bash are the ones that refused to pay up.
Dezwaved at the moment...

Offline garrettwp

  • Master Member
  • *******
  • Posts: 6371
  • Karma: +227/-128
  • Vera 3, Lite, ISY994
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #39 on: August 05, 2013, 01:19:29 pm »
I wanted to add that along with VLANs to separate your network, I make sure I apply firewall rules on my computers and servers in my house, especially my main server.  For all of the services the box hosts (NFS, Samba, Squeezebox server, etc.), I apply firewall rules to only allow certain computers that need access on my network to those services.  Same goes for all of my virtual machines.  I also run network scans to see what devices have what open and secure what I can from there.  It might sound like overkill, but better safe than sorry.

So if someone were to gain access to MCV's fwd servers and try to open a rogue port into my network, they would have a hard time gaining access to my internal boxes because of the firewall restrictions.  I also disable UPnP at the firewall to prevent unauthorized devices punching a hole into my firewall.

If you want to go even further, my Linux boxes all have a service to block any IP after so many failed attempts.  There are also firewalls that allow for this as well.

- Garrett

Offline micasaverde

  • Hero Member
  • *****
  • Posts: 1666
  • Karma: +15/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #40 on: August 05, 2013, 01:23:29 pm »
Quote
I hope Mios servers have tightened security to prevent intrusions via that route..

Actually this is what we've been working on the past 9 months.  We've re-written the whole back-end server infrastructure ourselves, from scratch in C++, and will no longer be using .php.  We now have an OpenID (like facebook's) authentication mechanism, with various permission tokens.  And we have 3 different data centers now in the US, Europe and Asia, with DNS regional routing/load balancing so users will get faster access.  This new version has been in our internal beta testing for a couple months, but there are so many changes it's taking us longer than we wanted to get it out (it required re-writing all the scripts on the Vera, plus a lot of changes to the engine).  With the new servers we've changed the way everything works and data is stored to provide more security, redundancy and speed.

However, even with the current servers, to my knowledge they have never been compromised.  We have gone through 3rd party security audits already.

Offline garrettwp

  • Master Member
  • *******
  • Posts: 6371
  • Karma: +227/-128
  • Vera 3, Lite, ISY994
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #41 on: August 05, 2013, 01:37:29 pm »
Thanks Aaron for the info.

- Garrett

Offline SOlivas

  • Sr. Member
  • ****
  • Posts: 282
  • Karma: +1/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #42 on: August 05, 2013, 11:43:50 pm »
If you want to go even further, my Linux boxes all have a service to block any IP after so many failed attempts.  There are also firewalls that allow for this as well.

I personally like sshguard for blocking anyone from trying to hit my SSH server too hard, with a really long block period and a really touchy trigger.  Downside is, if I am remote and screw up, I'm toast for a while (unless I come in from somewhere else).


Offline garrettwp

  • Master Member
  • *******
  • Posts: 6371
  • Karma: +227/-128
  • Vera 3, Lite, ISY994
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #43 on: August 06, 2013, 12:55:41 am »
If you want to go even further, my Linux boxes all have a service to block any IP after so many failed attempts.  There are also firewalls that allow for this as well.

I personally like sshguard for blocking anyone from trying to hit my SSH server too hard, with a really long block period and a really touchy trigger.  Downside is, if I am remote and screw up, I'm toast for a while (unless I come in from somewhere else).

I use fail2ban and configure it for most of my services that require a port open on the server itself. I ban failed attempts for at least 24 hours.

- Garrett

Offline dcrowley

  • Newbie
  • *
  • Posts: 18
  • Karma: +0/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #44 on: August 06, 2013, 02:35:43 pm »
Hi, this is Mr. Crowley, the researcher who discovered and presented on vulnerabilities in the VeraLite. I wanted to respond to the post from MiCasaVerde to present my side and to clarify the vulnerabilities discovered a bit, so here it is with comments in-line marked with >>>

"""
In the interview with Crowley, he says that allowing local access over the LAN to control the Vera is a security risk because then if someone gets a virus or other malicious software on your computer, then they can remotely control your home.

True, BUT, (a) the hacker will also be able to log your keystrokes and get all your passwords and logins for everything, including online banking, and can do bill pay or payment transfers to take the money out of your bank account, and he'll have access to all your files, NAS devices, etc.  (b) there's nothing we can do about this anyway because if someone has a virus installed on your computer giving them remote control, even if there were no local access, the hacker would still log your password when you logged on remotely.

>>> While having malware on your computer is bad, having malware on your computer which can open your door or disable your alarm system is REALLY bad. There's no need for MiCasaVerde to ignore the additional risk. Additionally, if you have an open wireless router, weak passphrase, or weak wireless security (WEP) an attacker could access and exploit the VeraLite. More than that, since UPnP allows cross-protocol exploitation, a malicious web site could instruct your browser to set up a backdoor on the VeraLite to allow remote control without exploiting any flaw in your browser or requiring any user interaction.

The only way around this is to have hardware authentication--one of those token/fobs that generates a number each time you press the button using a special algorithm, and which number is required every time you want to log in.  This is how banks handle the problem for things like commercial wire transfers.  But this means every family member would need to carry a fob with them at all times and go through a complex login process every time he wanted to just turn on the lights.

>>> The way around this is to require a username and password to control the VeraLite, even from the LAN, even on the UPnP interface.

I discussed with Crowley months ago that we HAVE gone through security audits, and we implemented it the way we did for a reason because we had to balance usability with security.  And, we do allow the power users who understand all these tech issues to lock down the system, such as installing self-signed certs and modifying the browser settings to accept them.  He never disputed any of this.

>>> MiCasaVerde did not have a conversation with me directly, but with the advisories team at Trustwave. I do not dispute that it's possible to close all the holes in the VeraLite if you have the skills and time and tools to perform a comprehensive security audit and patch all the security flaws. I disagree with the decision to ship it in a condition that allows only highly technical users to have a system which isn't easy to attack.

I also pointed out that we've thought many times about whether we should allow local access over the home network, since, it's impossible to secure connections over the local network since most browsers by default will reject self-signed certs for local devices.

>>> If you use a CA signed cert, this should be no issue.

But in the end, we've always concluded that if someone is physically inside your home already, and plugged into your home network, there's no reason why he'd want to hack into the Vera to unlock the door since he could just reach over and turn the door knob by hand anyway.

>>> WiFi networking, malware, and cross-protocol exploitation make it unnecessary to be physically inside a target home.

And allowing direct access to Vera over the home network has a lot of benefits; it's faster with less latency, it works even when the internet is down or in remote locations without internet, it allows the security-conscious homeowner to be disconnected from our servers, and it means we don't need to charge a monthly fee since we don't need to provide server infrastructure to facilitate everyone's day-to-day usage of the system.

So, none of the points TrustWave brought up were new; they were all things we've debated for years anyway.  And none of the "flaws" were accidental oversights, like he implied.

>>> The flaws allow an attacker to bypass authentication and separation of privileges implemented by MiCasaVerde. It's a very odd feature that I can get root code execution with one UPnP request, as it directly conflicts with the security features available on the VeraLite.

But, his goal is to get his name in the papers, and his story has a lot less intrigue once all the facts are revealed.  So, he took features, like upnp access, that are fully documented in our wiki anyway, and spun them as "discoveries" he made while doing his extensive research on the product.

>>> I do not deny that media attention benefits both myself and my company. While media attention was part of the motivation behind this research, improving the security of devices which control our homes was a large part of it as well.

And he took design decisions we made, and explained to him, and presented them as though these were hidden flaws we weren't aware of, which TrustWave managed to uncover, presumably because he wants the exposure and thinks he'll get companies to hire him to do security audits.

>>> My only communication with MiCasaVerde about the VeraLite was after the research. MiCasaVerde responded by saying that the vulnerabilities discovered (several of which allow for root level compromise of the VeraLite unit, some without any prior information or credentials) were all features and the explanation of these features went no further than saying that these were considered features.

When he reached out to us several months ago, offering his services, and we declined, my assumption is he probably made similar offers to the other HA providers as well, since the issues are ubiquitous to every HA system, and that the others simply agreed to retain his firm and thus buy his silence, and the products he chose to bash are the ones that refused to pay up.

>>> Neither myself nor Trustwave offered services to you, we offered to discuss the vulnerabilities and help you design and deploy fixes at no cost, as it is irresponsible for us to disclose vulnerabilities without attempting to coordinate a patch with the vendor selling the vulnerable product. In our communication with you, you asked which of your competitors paid us to do this, and if we were asking for hush money. Trustwave told you that we are researching this on our own dime, that we would publish the report regardless of any action by MiCasaVerde, and that we were not interested in money. My research suggests that you're right about home automation gear being vulnerable in general. This doesn't make it any better to have a vulnerable product. If people continue to buy and deploy home automation gear and connect their door locks, security cameras and alarm systems to this gear, it should undergo security review.
"""

I'd also like to state that after all the media attention, MiCasaVerde has reached out to me asking to discuss the vulnerabilities. Despite this post stating that Trustwave is in the business of extortion and email communications from MiCasaVerde stating that they would be looking closely for any slander or libel, I will be working with MiCasaVerde to try to get these issues patched up and improve the security of MiCasaVerde's products at no cost.

For those who want technical details of the vulnerabilities so they can decide for themselves what the severity of the issues are, look here: https://www.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt

EDIT: Clarified details on how VeraLite can be compromised from afar
« Last Edit: August 06, 2013, 02:38:05 pm by dcrowley »