Author Topic: Black Hat Talks To Outline Attacks On Home Automation Systems  (Read 31672 times)

Offline garrettwp

  • Master Member
  • *******
  • Posts: 6371
  • Karma: +227/-128
  • Vera 3, Lite, ISY994
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #45 on: August 06, 2013, 02:46:58 pm »
Mr. Crowley,

Thank you for posting a response and providing the details.

- Garrett

Offline oTi@

  • Community Beta
  • Master Member
  • ******
  • Posts: 4041
  • Karma: +32/-6
  • UI what ?!
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #46 on: August 06, 2013, 03:52:10 pm »
Thanks @dcrowley.

Quote from: @micasaverde
In the interview with Crowley, he says that allowing local access over the LAN to control the Vera is a security risk because then if someone gets a virus or other malicious software on your computer, then they can remotely control your home.

True, BUT, (a) the hacker will also be able to log your keystrokes and get all your passwords and logins for everything, including online banking, and can do bill pay or payment transfers to take the money out of your bank account, and he'll have access to all your files, NAS devices, etc.  (b) there's nothing we can do about this anyway because if someone has a virus installed on your computer giving them remote control, even if there were no local access, the hacker would still log your password when you logged on remotely.
>>> While having malware on your computer is bad, having malware on your computer which can open your door or disable your alarm system is REALLY bad. There's no need for MiCasaVerde to ignore the additional risk. Additionally, if you have an open wireless router, weak passphrase, or weak wireless security (WEP) an attacker could access and exploit the VeraLite. More than that, since UPnP allows cross-protocol exploitation, a malicious web site could instruct your browser to set up a backdoor on the VeraLite to allow remote control without exploiting any flaw in your browser or requiring any user interaction.

Quote from: @micasaverde
The only way around this is to have hardware authentication--one of those token/fobs that generates a number each time you press the button using a special algorithm, and which number is required every time you want to log in.  This is how banks handle the problem for things like commercial wire transfers.  But this means every family member would need to carry a fob with them at all times and go through a complex login process every time he wanted to just turn on the lights.
>>> The way around this is to require a username and password to control the VeraLite, even from the LAN, even on the UPnP interface.

Quote from: @micasaverde
I discussed with Crowley months ago that we HAVE gone through security audits, and we implemented it the way we did for a reason because we had to balance usability with security.  And, we do allow the power users who understand all these tech issues to lock down the system, such as installing self-signed certs and modifying the browser settings to accept them.  He never disputed any of this.
>>> MiCasaVerde did not have a conversation with me directly, but with the advisories team at Trustwave. I do not dispute that it's possible to close all the holes in the VeraLite if you have the skills and time and tools to perform a comprehensive security audit and patch all the security flaws. I disagree with the decision to ship it in a condition that allows only highly technical users to have a system which isn't easy to attack.

Quote from: @micasaverde
I also pointed out that we've thought many times about whether we should allow local access over the home network, since, it's impossible to secure connections over the local network since most browsers by default will reject self-signed certs for local devices.
>>> If you use a CA signed cert, this should be no issue.

Quote from: @micasaverde
But in the end, we've always concluded that if someone is physically inside your home already, and plugged into your home network, there's no reason why he'd want to hack into the Vera to unlock the door since he could just reach over and turn the door knob by hand anyway.
>>> WiFi networking, malware, and cross-protocol exploitation make it unnecessary to be physically inside a target home.

Quote from: @micasaverde
And allowing direct access to Vera over the home network has a lot of benefits; it's faster with less latency, it works even when the internet is down or in remote locations without internet, it allows the security-conscious homeowner to be disconnected from our servers, and it means we don't need to charge a monthly fee since we don't need to provide server infrastructure to facilitate everyone's day-to-day usage of the system.

So, none of the points TrustWave brought up were new; they were all things we've debated for years anyway.  And none of the "flaws" were accidental oversights, like he implied.
>>> The flaws allow an attacker to bypass authentication and separation of privileges implemented by MiCasaVerde. It's a very odd feature that I can get root code execution with one UPnP request, as it directly conflicts with the security features available on the VeraLite.

Quote from: @micasaverde
But, his goal is to get his name in the papers, and his story has a lot less intrigue once all the facts are revealed.  So, he took features, like upnp access, that are fully documented in our wiki anyway, and spun them as "discoveries" he made while doing his extensive research on the product.
>>> I do not deny that media attention benefits both myself and my company. While media attention was part of the motivation behind this research, improving the security of devices which control our homes was a large part of it as well.

Quote from: @micasaverde
And he took design decisions we made, and explained to him, and presented them as though these were hidden flaws we weren't aware of, which TrustWave managed to uncover, presumably because he wants the exposure and thinks he'll get companies to hire him to do security audits.
>>> My only communication with MiCasaVerde about the VeraLite was after the research. MiCasaVerde responded by saying that the vulnerabilities discovered (several of which allow for root level compromise of the VeraLite unit, some without any prior information or credentials) were all features and the explanation of these features went no further than saying that these were considered features.

Quote from: @micasaverde
When he reached out to us several months ago, offering his services, and we declined, my assumption is he probably made similar offers to the other HA providers as well, since the issues are ubiquitous to every HA system, and that the others simply agreed to retain his firm and thus buy his silence, and the products he chose to bash are the ones that refused to pay up.
>>> Neither myself nor Trustwave offered services to you, we offered to discuss the vulnerabilities and help you design and deploy fixes at no cost, as it is irresponsible for us to disclose vulnerabilities without attempting to coordinate a patch with the vendor selling the vulnerable product. In our communication with you, you asked which of your competitors paid us to do this, and if we were asking for hush money. Trustwave told you that we are researching this on our own dime, that we would publish the report regardless of any action by MiCasaVerde, and that we were not interested in money. My research suggests that you're right about home automation gear being vulnerable in general. This doesn't make it any better to have a vulnerable product. If people continue to buy and deploy home automation gear and connect their door locks, security cameras and alarm systems to this gear, it should undergo security review.
« Last Edit: August 06, 2013, 03:53:54 pm by oTi@ »
Dezwaved at the moment...

Offline micasaverde

  • Hero Member
  • *****
  • Posts: 1666
  • Karma: +15/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #47 on: August 19, 2013, 02:18:15 pm »
Crowley,

First, there are some technical inaccuracies in your claim, but most significantly is the gross way you misrepresent the product.  For example, in this interview: http://edition.cnn.com/video/?/video/us/2013/08/14/pkg-laurie-segall-hack-your-house.cnn&iref=obnetwork

They say that you, as a hacker, are able to lock and unlock the door.  What they don't say is that you are doing it using the software and tools that we provide in the user's manual, and that ANYBODY, even with no technical skills, could do what you're doing because the whole point of the system is to allow someone to remotely control the system.  It's like saying "A hacker identified a serious security flaw in Ford automobiles.  If the hacker is inside the car, he can actually unlock the doors and open the trunk by using these hidden buttons (door unlock and trunk open).  Worse yet, if the hacker has the keys to the car, he can actually unlock the car from the OUTSIDE!  This is a major security flaw."

>>> The way around this is to require a username and password to control the VeraLite, even from the LAN, even on the UPnP interface.

I'm not sure whether you're technically unfamiliar with network protocols or deliberately being naive.  However you understand that HTTP authentication is NOT encrypted.  When a device on the local network prompts for a username/password, like a wifi router, that password is broadcast UNENCRYPTED over the network, so any hacker that has access to the network will have access to the password.  So, we deliberately, therefore, do not ask the user to enter his password over the local network because then we would be exposing his password to anybody on his network, and there's a likelihood that could be the same password he uses for email, banking, etc.  The passwords on local network devices if anything give a false sense of confidence because people think that means it's secure, when in fact it's not, and the password is broadcast for anyone to see.

The fact that you would suggest that we introduce such a glaring security flaw as a "fix" is shocking.

Regarding a password over UPNP, well, then it would no longer be standard UPNP now would it.  You make it sound like having UPNP control is a "flaw" that we somehow overlooked, when it's the opposite, it's a feature we advertise which we spent countless hours implementing.  The whole point is to have an open platform so that more advanced users can control the system using a plethora of commonly available UPNP clients.  We have users controlling the system with picture frame viewers, TV apps, etc.  If we put a password on UPNP, none of those clients would work.

>>>  I do not dispute that it's possible to close all the holes in the VeraLite if you have the skills and time and tools to perform a comprehensive security audit and patch all the security flaws.

We HAVE gone through comprehensive, third party security audits.  Understand that our software engine is licensed by utility companies, telephone companies, cable TV operators, and our clients have collectively hundreds of millions of clients.  And these licensors, many of which are huge companies with tens of thousands of employees and security teams, have hired third party security companies to do a full audit of the system.  They obviously have not, and would not, hire you, because anybody who suggests you fix the vulnerability by broadcasting the users password unencrypted would never be trusted by those kinds of clients.

>>> If you use a CA signed cert, this should be no issue.

Again, I'm not sure if you're clueless about the technology or what.  But you should look up how SSL works.  When a CA signs an SSL certificate, that certificate is bound to a static IP and a domain name.  So, like I said already, to use https on the local network the user would have to have a static IP, a resolvable domain with DNS, and pay money to a third party SSL signer to issue a cert.  Or configure his browser to accept self-signed certs.  Either way, it's beyond the skill set of anyone but an IT developer and, although Vera is the "techy" version of our product, we're trying to simplify setup and telling users to get a commercial T1 and buy an SSL cert to use the system is a big step in the other direction.

I'll give you the benefit of the doubt and assume that your proposed "fixes", which, in fact would only introduce security flaws, are due to ignorance of the technology rather than deliberate misinformation.  However, what is inexcusable is that I explained all these issues to TrustWave months ago, and you just chose to ignore them (unless they're just too technical and went over your head), and run silly pieces like that one on CNN where you take a Vera, follow the instructions in the user's manual, and demonstrate that the product works as advertised (namely that you can control the door over the network), and preface it by saying "a hacker demonstrates how you can unlock a door".

Lastly, we have for years offered an alternative solution, which is what the service providers use, which turns off all local access (UPNP and otherwise), and only allows the user to access his system through our servers over https.  This is a secure system that has never been compromised.  But, naturally, it requires an ongoing service commitment since we provide server infrastructure that is used every time a user wants to turn off a light.  So, there's always a monthly fee.  And, it doesn't allow third party upnp clients to control the system.  The VeraLite is marketed as an alternative with no monthly-fee, that does NOT require the use of our servers, and does NOT even require internet access so it can be used in remote locations, and which is open for power users to do what they want with.  And we put right in the docs that because of this it's imperative the user secures his wi-fi network because everyone on the local network is assumed to be a trusted user.  You take what is a marketable feature and claim it's some security flaw even after we explained it to you.
« Last Edit: August 19, 2013, 07:09:21 pm by micasaverde »

Offline micasaverde

  • Hero Member
  • *****
  • Posts: 1666
  • Karma: +15/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #48 on: August 19, 2013, 02:27:29 pm »
Crowley,

Regarding your statement: "Trustwave told you that we are researching this on our own dime, that we would publish the report regardless of any action by MiCasaVerde, and that we were not interested in money"

That's a flat-out lie.  Please, post here publicly on the forum a copy/paste of whatever communication you claim TrustWave sent us that says anything remotely to this effect.  I never saw it.  The only communication I got from Trustwave was from Robert Foggia, who appears to be in your sales side, and was offering services to us.  Here is a direct quote of his email:

"Our organization performs network and application penetration services for clients who hire us to identify weaknesses in their own business environments. The main goal in these engagements is to assess the security of the network by allowing the "good guys" to attempt to break-in to a business network before the "bad guys" have the opportunity to do so."

Unless you can provide any communication that you were "not interested in money", I stand by my assessment that you engaged in some kind of shakedown, threatening to spread laughable claims about our product, unless we paid you money.

Offline micasaverde

  • Hero Member
  • *****
  • Posts: 1666
  • Karma: +15/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #49 on: August 22, 2013, 11:50:29 am »
Crowley,

All our communication with trust wave was over email, so if you really did tell us 'you were not interested in money' you would have accepted my challenge to copy/paste this.  The fact is, as I said before, it's a total lie.  Trust wave has the exact same business model as a patent troll.  You contribute absolutely nothing, you produce nothing, and are parasites that make a living trying to figure out how to get people to give you money.

The fact is that, as I copied/pasted, your sales person contacted us explaining that you were going to do a security review of VeraLite.  At the same time he offered us your services to be the "good guys" and play on our team.   Since we've already gone through several 3rd party security reviews, I declined.  Then he says they've uncovered some 'defects' and wants to work with us to get them resolved.  So I asked for the defects, and he sends me 6 items--all of which were features documented in our user's manual, like the fact that we allow control over UPnP, and that users are exposed if they don't secure their wi-fi.  I refused to pay trust wave for an 'audit' that consists of just reading to us what is already in our user's manual, including the warnings that we ourselves already published.  And I asked if trust wave had any proposed solutions, in other words, if trust wave could actually contribute anything of value at all or if it was purely a shakedown.  But you were unable to propose any solutions.  So, then trust wave tells us that you're going to publicly report this "research".  And then you go on cnn and anybody else who will listen to you, and you say "I'm a hacker, look how I can unlock this door lock.", not telling everybody that you are unlocking YOUR OWN door lock with YOUR OWN Vera using the tools we provide and the APIs we document in the user's manual.  In other words, all you do is demonstrate that the product works as advertised, and it's immaterial whether you're a hacker or a nurse.  But because these claims are prefaced with the "I'm a hacker" claim, you know that viewers will wrongly assume that you were able to control someone else's door lock.

You operate exactly the same way as patent trolls, like Pangea Intellectual Properties, who claimed they patented the very concept of e-commerce, and then went threatening small companies with law suits if they didn't pay up, and their rationale was always that it would cost less to pay them off than to fight a law suit.  Similarly, trust wave, like PanIP, offered absolutely nothing of value, and made it clear that it would cost us less to pay you guys off than to deal with the fallout from your lies and slander.  But, since, according to Boston University, you trolls cost the economy an estimated $29 billion, we figured it would be unethical to pay you parasites because you would just use the money to go after other innocent companies and keep perpetuating the problem that puts a drag on the economy.

Offline dcrowley

  • Newbie
  • *
  • Posts: 18
  • Karma: +0/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #50 on: August 28, 2013, 01:49:09 am »
@micasaverde: I don't have time to argue this endlessly and as such this will be my last post on the matter.

If you want to claim that my company and I are engaged in extortion, please post the entire email thread so that people can make their own determinations about what happened. On a related note, Robert Foggia is on our advisories team. When an employee of Trustwave discovers a vulnerability, it is the job of the advisories team to try to work with the vendor to communicate the details and help figure out a strategy for producing and distributing a fix, then inform the public once the vendor confirms (either through communication or refusal to communicate) that no fix is forthcoming or that a fix has been distributed. This is known as "responsible disclosure". http://en.wikipedia.org/wiki/Responsible_disclosure

The vulnerabilities in the VeraLite allow, among other things, for any person who can directly contact it on the network (or trick someone on the same network to visit an attacker-controlled webpage) to instruct the VeraLite to run arbitrary code under the highest privilege level account on the system. This may have been by design, but if this were a part of any operating system or piece of software, it would be considered a glaring security hole. It is, in fact, a glaring security hole in the VeraLite, despite its potential usefulness to your customers. If I build a product that allows anyone full control without verifying that they should have it, that is a vulnerable product. Period.

The technical report on the flaws is available at https://www.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt and those interested can draw their own conclusions on whether your product as-is poses a risk to its users.

Offline RexBeckett

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3891
  • Karma: +483/-12
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #51 on: August 28, 2013, 07:19:59 am »
@micasaverde,

I'm a VeraLite owner with a vested interest in potential security vulnerabilities. Regardless of the rights and wrongs of the process, details of these have now been published. Are you able to tell me what steps MCV are taking to reduce the potential for unauthorized access to my system?
 

Offline micasaverde

  • Hero Member
  • *****
  • Posts: 1666
  • Karma: +15/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #52 on: August 28, 2013, 11:03:00 am »
@dcrowley, nobody is asking you to "argue endlessly".  There is one simple, glaring, obvious, black & white issue which you keep avoiding.  I will even word it as a simple 'yes' or 'no' question, so all you need to do is post a simple reply with 'yes' or 'no'.

Now you have had time to verify my claims that (a) we cannot use https (secure) with a device on the local network because browsers by default will only accept certs that are verifiable by a 3rd party CA and bound to a specific domain/IP, and (b) if we put a password on a local network device using standard HTTP authentication, as you recommended, that password is transmitted across the network unencrypted, so that a hacker who has access to the network will be able to see the password and thus will STILL have access just as he does now, but will ALSO now know the user's password, which might be shared with other sites, like email and online banking.

So the simple question is: Do you acknowledge that the claims made above are correct?

YES OR NO.  All you need to do is say YES or NO.

The reason why you keep running from this simple issue is that if you answer 'No' and deny those claims, then anybody with rudimentary networking knowledge will realize that you have no clue what you are talking about, since the claims are basic knowledge that, if you were a legitimate security consultant and not some troll, you would have known.  If you answer 'Yes', then you have admitted that the "fix" which you have proposed would not only fix nothing, it would actually introduce a much, much bigger glaring security problem.

I dare you to answer that question.  But I can safely predict that you will run from that challenge, just like you ran from my challenge to copy/paste the email you claimed to have sent saying that TrustWave wasn't trying to get money from us.  Since I'm not looking for a debate, just a simple 'yes' or 'no', do you seriously think anybody can't see through the fact that you're just a pathetic troll trying to extort money without actually contributing anything of value?


Offline micasaverde

  • Hero Member
  • *****
  • Posts: 1666
  • Karma: +15/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #53 on: August 28, 2013, 11:14:06 am »
@RexBeckett, we are still discussing how to address the issues TrustWave has brought up.

We are debating about putting a 'security' tab in the UI that gives the user the following options:

1.  Leave local network access open.  The advantage is you can use the system even if your internet is down.  But the drawback is that you must ensure your wi-fi is secure because anyone on the local network will have access to the device.

2.  Accept the recommendations that TrustWave has proposed of using HTTP authentication with a local password.  TrustWave has gone on many major media outlets recommending this.  However we do not recommend this since any hacker on your local network will be able to see the password anyway and thus will not only have access to the system, but will also know your password.  We have hired a credible, neutral third-party security agency to review TrustWave's recommendations, and their conclusion about TrustWave is __HERE__.

3.  Install a self-signed certificate.  This requires configuration changes to your browser, but it is secure.  Instructions are __HERE__.

4.  Turn off local network access completely, and require you to only access the system through our servers.  This is secure, however it means you cannot use the system if you do not have internet access, other devices on the network will not be able to control the system, and there is a monthly fee associated.  To sign up, click __HERE__

@RexBeckett, if the UI presents you with those 4 options, would that satisfy you?  Or can you think of another 5th option that you would prefer?  Given the choices, which option would you choose?

Offline RichardTSchaefer

  • Community Beta
  • Master Member
  • ******
  • Posts: 10091
  • Karma: +764/-143
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #54 on: August 28, 2013, 11:53:38 am »
While you are at it you should consider also requiring a password on:
   /sta1.mios.com/locator_json.php
When it is NOT on the LAN.
This will affect 3rd party Apps that try to locate the proper connection server when on the internet.

When not on a LAN with Vera try:
http://sta1.mios.com/locator_json.php?username=Richard
http://sta1.mios.com/locator_json.php?username=John

I find it a problem that you can guess some names and find they have a Vera ... Then presumably try a password cracker to gain access through your servers.

They should only get valid information with a Proper Username and Password.
Otherwise they should get the same result as NO Vera found on LAN.



Offline micasaverde

  • Hero Member
  • *****
  • Posts: 1666
  • Karma: +15/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #55 on: August 28, 2013, 12:19:07 pm »
@RichardTSchaefer, we have a new back-end server system, MMS, which uses OpenID authentication and a standard, secure RESTful API, and it has gone through an external security audit.  We have already modified our mobile apps to use the new backend and are working with 3rd parties as well to get the apps updated.  We're hoping to push this new firmware to our Beta Testers next month.

That will address the issue that information like the firmware version and serial number is exposed, although those are not particularly useful to a hacker anyway.  However the concern you bring up in your post seems to be that this URL allows a hacker to determine if a username is valid or not.  I can see why a hacker would want to know if a username was in use before spending the time trying to crack the password.  But I don't see any way around this.  Even though MMS doesn't have the locator service, any hacker could simply choose 'register an account' and try to create an account with the username he wants to target.  If the username exists and is valid, the system will tell the user to pick another username, since it has to be unique.  I've not seen any system that is able to keep whether or not a username is valid a secret.  Even with google, facebook, yahoo, amazon, banking sites, etc. they are all exposed the same way--it's very easy to determine if a username is already in use.

Have you ever seen a system where they are able to keep it a secret whether a username already exists or not?  If so, how did they accomplish it?  Since a username is universally considered to be unique, how do they keep from notifying you if a username is already in use if you try to register it?
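On the question asked above, the usual answer in practice is not to keep the username secret from the database but to keep the *response* identical on the network: a lookup or login endpoint returns the same body and does the same amount of work whether the username is unknown or the password is wrong, and a registration endpoint always acknowledges the same way while the "already taken" answer is delivered out of band to the mailbox on file. The following Python sketch illustrates that pattern. It is an added example, not MiCasaVerde's locator or MMS code; the user store, the relay host name `relay.example.invalid`, and the outbox are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample user store: username -> (salt, PBKDF2 hash). Not real account data.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_pw("correct horse battery staple", _SALT))}
EMAIL_ON_FILE = {"alice": "alice@example.invalid"}

# A dummy credential is verified when the username is unknown, so the server
# spends the same time either way and the timing does not reveal which case it is.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_pw(secrets.token_hex(16), _DUMMY_SALT)

OUTBOX: list = []  # stands in for the mailer; never part of the HTTP response


def locate(username: str, password: str) -> dict:
    """Locator lookup that only answers once credentials are proven.

    Unknown user and wrong password produce one identical generic response,
    the same as 'no unit found' on the LAN.
    """
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    proof_ok = hmac.compare_digest(_hash_pw(password, salt), stored)
    if proof_ok and username in USERS:
        return {"status": "ok", "server": "relay.example.invalid"}  # placeholder relay host
    return {"status": "no_unit_found"}


def register(username: str, email: str) -> dict:
    """Registration that never tells the HTTP client whether the name is taken.

    The distinguishing information goes to the mailbox already on file (for an
    existing name) or to the address supplied (for a new one).
    """
    if username in USERS:
        OUTBOX.append((EMAIL_ON_FILE[username],
                       "Someone tried to register your name; use password reset if that was you."))
    else:
        OUTBOX.append((email, "Confirm your new account by following the link."))
    return {"status": "check_your_email"}  # same body in both branches
```

The cost is a small usability hit (the registrant learns the outcome from e-mail rather than instantly), which is why sites that accept that trade-off, typically ones where knowing a valid login is itself sensitive, use it and most consumer sites do not.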

Offline RexBeckett

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3891
  • Karma: +483/-12
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #56 on: August 28, 2013, 12:25:44 pm »
@micasaverde,

Many thanks for your detailed response to my question. I like the idea of giving users the option as to how they would like local access to be secured. I have not been able to follow your references, though. None of the __HERE__ links contain any url.

I would want to maintain local access both with and without internet availability. I am attracted by the use of a self-signed certificate - subject to my better understanding of the process.
 

Offline OtisPresley

  • Full Member
  • ***
  • Posts: 146
  • Karma: +2/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #57 on: August 28, 2013, 12:32:24 pm »
You can also use hashed passwords over HTTP for local access, but it will require JavaScript to hash it on the client side before the form is submitted and this could potentially cause some problems for app developers.

A self-signed cert over HTTPS is certainly the better way to go for local access, and you could even create a script that downloads onto the Vera that creates and installs the cert for you when you click __HERE__, maybe using information from an account on the MCV servers, that requires the user to log in after clicking __HERE__, for the cert.

Offline garrettwp

  • Master Member
  • *******
  • Posts: 6371
  • Karma: +227/-128
  • Vera 3, Lite, ISY994
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #58 on: August 28, 2013, 12:58:36 pm »
Quote from: @micasaverde
@RichardTSchaefer, we have a new back-end server system, MMS, which uses OpenID authentication and a standard, secure RESTful API, and it has gone through an external security audit.  We have already modified our mobile apps to use the new backend and are working with 3rd parties as well to get the apps updated.  We're hoping to push this new firmware to our Beta Testers next month.

That will address the issue that information like the firmware version and serial number is exposed, although those are not particularly useful to a hacker anyway.  However the concern you bring up in your post seems to be that this URL allows a hacker to determine if a username is valid or not.  I can see why a hacker would want to know if a username was in use before spending the time trying to crack the password.  But I don't see any way around this.  Even though MMS doesn't have the locator service, any hacker could simply choose 'register an account' and try to create an account with the username he wants to target.  If the username exists and is valid, the system will tell the user to pick another username, since it has to be unique.  I've not seen any system that is able to keep whether or not a username is valid a secret.  Even with google, facebook, yahoo, amazon, banking sites, etc. they are all exposed the same way--it's very easy to determine if a username is already in use.

Have you ever seen a system where they are able to keep it a secret whether a username already exists or not?  If so, how did they accomplish it?  Since a username is universally considered to be unique, how do they keep from notifying you if a username is already in use if you try to register it?

I have not been contacted by anyone at MCV regarding these new changes that are needed for my app. I am sure that others like RichardTSchaefer, Automator.app, intveltr and others would like to be contacted as they also have apps that are used by a large user base for vera. So please have someone from MCV contact each of us and discuss the needed changes to support the new system.

- Garrett

Offline micasaverde

  • Hero Member
  • *****
  • Posts: 1666
  • Karma: +15/-1
Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #59 on: August 28, 2013, 01:38:34 pm »
@OtisPreslsy, the problem is that a hashed password doesn't help with the security issue.  Even if the password is transmitted as, say, an SHA1 hash, it's still transmitted unencrypted so a hacker can still see it and re-use it to have access to the system.  The only way around this that I know of is to use salt (a random number added to the password before encryption), but this (a) becomes non-standard http, and (b) requires a 2 stage process to access the site (get the salt, then submit the password), and (c) unless the salt is good for ONE and only ONE request, it still allows the hacker to use the same hash for access, until the time when the salt becomes invalidated.

We've discussed this at length over the past year with real security auditors, and the conclusion has always been that there's no way to secure access on the local network using accepted protocols, so we're left with either turning local access off, or using something that is not widely accepted, like self-signed certs.  If there was, then other network devices would use it.  But the fact is that every device with a local web ui (your router, nas device, etc.) has the same vulnerability and nobody has solved this, other than to turn off local access.

Further, an underlying philosophy is that if a hacker gains access to a homeowner's network, the hacker can do all kinds of damage that is more severe than just sending Z-Wave commands through his Vera.  All devices I've seen which have a web UI that is accessible directly on the local network (like NAS, routers, etc.) either have no password, or use http authentication where the password is transmitted unencrypted.  So if a hacker is on your network, he will be able to access your router and set up whatever port forwards he wants, he can view your ip cameras (none of the commonly available commercial ones use encryption), he can control most any device on your network, like your Nest thermostat, or your Philips Hue lighting system, and he might be able to use vulnerabilities in Microsoft Windows to take over your PC and do keystroke logging, so that he can get even your secure passwords for online banking, etc.

In most of the interviews I've seen with Crowley, all he did was demonstrate that a user could control his own Vera to unlock his own door from his own network, and he never mentioned that there was no way for a remote hacker to do this so that his demo was simply that the product worked as advertised.  The only time I saw him address how this would benefit a remote hacker was when he said that _IF_ a hacker was able to install malicious code on your computer to give him remote access to your network, THEN he would be able to remotely control the Vera system.  And that is true.  But if he has malicious code on your computer, he'll also be logging all your keystrokes and passwords, and he'll be able to do things like banking bill pays and transfers, he'll have access to all the files on your computer and your email, and all your personal data, and he can take your money and do identity theft remotely.  So, why would a hacker who had that access want to expose himself by coming to your home in person and unlocking your door to physically rob you, when he can anonymously, from a remote country, take your money and identity anyway?  Besides, what Crowley didn't mention anyway, is that once the hacker has control over your computer, even IF we turned off local access and only allowed access through a secure web portal, the hacker will still capture that password anyway.  In other words, when a hacker takes over your computer you have a lot more to worry about than your home automation system, and there's nothing we can really do to stop him from accessing your home automation system unless we use external authentication, like the keyfobs that banks give commercial customers to initiate wire transfers.  But, this means that when you want to turn on a light using your iPhone, the app will prompt you to hit the button on your fob and enter the unique 6 digit code that appears.  And then the system would be so cumbersome that nobody would use it.

So, we're going to try to offer customers solutions besides "secure your home network" because of the FUD that TrustWave has caused because we refused to pay them off.  But, no matter what we do, if you don't secure your network and a hacker is able to run malicious code on your computer, or get on your local network, you're in serious trouble and getting access to Vera is minor compared to the other problems that creates.
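The post above argues that a password hash sent in the clear is simply replayed, and that a server-issued "salt" only helps if it is good for one request. The following added example (not Vera firmware or MMS code; the wire format, names and shared secret are constructed) puts both schemes side by side: the static hash is accepted on every replay, while a one-time nonce that the server consumes on first use rejects the replay, and binding the request into the MAC also rejects a response lifted from a different command under the same nonce.

```python
"""Static hash replay versus a consumed one-time nonce.
Added illustration, not Vera/MMS code; everything below is constructed."""
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery"                       # constructed secret
KEY = hashlib.sha256(PASSWORD.encode()).digest()         # derived MAC key


# --- Scheme A: a fixed hash of the password travels on the wire -----------
def static_token(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def server_accepts_static(token: str) -> bool:
    # Stateless check: a token captured once is valid forever.
    return hmac.compare_digest(token, static_token(PASSWORD))


# --- Scheme B: server nonce, HMAC over nonce + request, nonce used once ---
def _mac(nonce: str, request: str) -> str:
    return hmac.new(KEY, f"{nonce}|{request}".encode(), hashlib.sha256).hexdigest()


class NonceServer:
    def __init__(self) -> None:
        self._issued: set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def verify(self, nonce: str, request: str, response: str) -> bool:
        # Unknown or already-consumed nonce fails closed.
        if nonce not in self._issued:
            return False
        self._issued.discard(nonce)                      # one use only
        return hmac.compare_digest(_mac(nonce, request), response)


def client_response(nonce: str, request: str) -> str:
    return _mac(nonce, request)


def demo() -> dict:
    """Which attempts each scheme accepts: first use, replay, swapped request."""
    token = static_token(PASSWORD)
    results = {
        "static_first": server_accepts_static(token),
        "static_replay": server_accepts_static(token),   # same bytes, still accepted
    }
    server = NonceServer()
    nonce = server.challenge()
    response = client_response(nonce, "unlock_door")
    results["nonce_first"] = server.verify(nonce, "unlock_door", response)
    results["nonce_replay"] = server.verify(nonce, "unlock_door", response)
    # A response computed for one request cannot be reused for another.
    nonce2 = server.challenge()
    results["nonce_tampered"] = server.verify(
        nonce2, "unlock_door", client_response(nonce2, "lights_on"))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Two caveats a practitioner would add: HTTP Digest authentication (RFC 7616) is the standardized form of this nonce-and-hash exchange, and neither scheme encrypts the request itself or stops an active attacker who relays the live exchange, which is why the auditors' options come down to TLS (self-signed or otherwise) or no local access.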