
Author Topic: Black Hat Talks To Outline Attacks On Home Automation Systems  (Read 32861 times)

Offline RichardTSchaefer

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #60 on: August 28, 2013, 01:39:10 pm »
Since you need the Serial# - UserName  - and Password to access the Server.
The Serial# and UserName should be the key for access.
An attacker would have to launch a separate attack for each Vera.

I.e.  User Marc with Serial #123  should be different than User Marc with Serial #234
You can still group devices, so that users of #123 are in the same scope as #124

I look forward to more details about changes with OpenID.
I have two APPS that access Vera Remotely - Vera Alerts and HAL.  I would like to know what is required to support this. I do not see how this addresses any of the security access from the LAN.

You should allow an option for Vera to "Import" and require certificates for access.  You should have an option to require certificates for LAN access. I personally would like to secure all Remote access for Vera to certificates.  Including Access from MCV Support, and Users via MCV.

If I enable MCV remote access ... then it should only accept connections on my behalf that were locally imported by my Vera.

I know this can cause problems if people lose their certificate ... but you can still allow SSH with PASSWORD from LAN without a certificate. And of course you can have the option (probably defaulted to enabled) to import the MCV Support Certificate to allow MCV support to remote login.

Offline dcrowley

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #61 on: August 28, 2013, 01:47:27 pm »
@dcrowley, nobody is asking you to "argue endlessly".  There is one simple, glaring, obvious, black & white issue which you keep avoiding.  I will even word it as a simple 'yes' or 'no' question, so all you need to do is post a simple reply with 'yes' or 'no'.

Now you have had time to verify my claims that (a) we cannot use https (secure) with a device on the local network because browsers by default will only accept certs that are verifiable by a 3rd party CA and bound to a specific domain/IP, and (b) if we put a password on a local network device using standard HTTP authentication, as you recommended, that password is transmitted across the network unencrypted, so that a hacker who has access to the network will be able to see the password and thus will STILL have access just as he does now, but will ALSO now know the user's password, which might be shared with other sites, like email and online banking.

So the simple question is: Do you acknowledge that the claims made above are correct?

YES OR NO.  All you need to do is say YES or NO.

No. The claims made above are incorrect because you have misrepresented my suggestions.

I agree that an SSL certificate would cause a browser warning due to the mismatch between any domain name you might use and the IP address of the local VeraLite unit. This is a limitation of SSL, and unfortunately there is no "good" solution here. Much has been written about the limitations of SSL and the need for a different solution. I recommend reading Moxie Marlinspike's work on the topic. However, there are different warnings for domain mismatch and self-signed certificates. This is enough to enable users to determine when a man in the middle attack is occurring, and is enough to thwart passive eavesdropping attacks.

I did not recommend using Basic HTTP Authentication. I recommended using SSL. You're already using Digest authentication if someone enables authentication on the web interface of the VeraLite unit.

Quote
The reason why you keep running from this simple issue is that if you answer 'No' and deny those claims, then anybody with rudimentary networking knowledge will realize that you have no clue what you are talking about, since the claims are basic knowledge that, if you were a legitimate security consultant and not some troll, you would have known.  If you answer 'Yes', then you have admitted that the "fix" which you have proposed would not only fix nothing, it would actually introduce a much, much bigger glaring security problem.

If you were to implement the change you claim I suggested, it would not fix anything. However, the ability to run arbitrary code as root on the Veralite by getting someone to click a link in an email is a much bigger security problem than one that requires an attacker to have local network access and the ability to eavesdrop on traffic. But as I said, I did not suggest that "fix".

Quote
I dare you to answer that question.  But I can safely predict that you will run from that challenge, just like you ran from my challenge to copy/paste the email you claimed to have sent saying that TrustWave wasn't trying to get money from us.  Since I'm not looking for a debate, just a simple 'yes' or 'no', do you seriously think anybody can't see through the fact that you're just a pathetic troll trying to extort money without actually contributing anything of value?

As I said in the past, you did not communicate with me. By your own admission, you communicated with one of the people on our advisories team. Why would I have access to his email? You are the one who claims I am a troll and an extortionist, so why should I be the one to prove myself innocent? If you want to prove that I am a troll and an extortionist, you have access to the email thread. You can post the emails and let people see for themselves what happened.
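The difference between HTTP Basic and Digest authentication that the exchange above turns on, as an added example (not code from this thread, from MiCasaVerde or from Trustwave). The credentials and nonce are the published sample from RFC 2617, not values from any Vera unit.

```python
import base64
import hashlib
import hmac

# Sample request from RFC 2617 section 3.5 (not taken from a Vera device).
RFC2617_SAMPLE = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "password": "Circle Of Life",
    "method": "GET",
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
}


def md5_hex(text):
    """Hex MD5 of a string, the hash RFC 2617 Digest uses by default."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(username, password):
    """Authorization header value a client sends for HTTP Basic."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_from_basic(header):
    """What anyone who can read the request learns from a Basic header.

    Base64 is an encoding, not encryption, so the password comes straight out.
    """
    _scheme, token = header.split(" ", 1)
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """The 'response' field a client sends for HTTP Digest (qop=auth).

    Only this hash crosses the network. It is bound to the server's nonce,
    the method and the URI, so it is not the password and cannot be reused
    for a different request.
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, qop,
                         response):
    """Server-side check: recompute from the stored HA1 and compare.

    The server never needs the cleartext password, only MD5(user:realm:pass).
    """
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


def demo():
    """Run both schemes over the RFC sample and return what is observable."""
    s = RFC2617_SAMPLE
    header = basic_header(s["username"], s["password"])
    response = digest_response(**s)
    stored_ha1 = md5_hex(f"{s['username']}:{s['realm']}:{s['password']}")
    return {
        "basic_header": header,
        "basic_recovered": recover_from_basic(header),
        "digest_response": response,
        "digest_accepted": server_verify_digest(
            stored_ha1, s["method"], s["uri"], s["nonce"],
            s["nc"], s["cnonce"], s["qop"], response),
        # Same response replayed against another URI is rejected.
        "digest_replayed_elsewhere": server_verify_digest(
            stored_ha1, s["method"], "/other", s["nonce"],
            s["nc"], s["cnonce"], s["qop"], response),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Digest keeps the password itself off the wire, but the request and response bodies still travel unencrypted, which is the part only TLS addresses.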

Offline SOlivas

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #62 on: August 28, 2013, 11:49:15 pm »
@RichardTSchaefer, we have a new back-end server system, MMS, which uses OpenID authentication and a standard, secure RESTful API, and it has gone through an external security audit.  We have already modified our mobile apps to use the new backend and are working with 3rd parties as well to get the apps updated.  We're hoping to push this new firmware to our Beta Testers next month.

So, now the question is.  For those of us who have invested some time and effort into the Vera platform and have an interest, how do we become a Beta Tester?  Not to see the newest features, but also to give some feedback.  (I'm fairly confident I can back up my system before applying a firmware that may cause unwanted/undocumented features to manifest themselves.)

Have you ever seen a system where they are able to keep it a secret whether a username already exists or not?  If so, how did they accomplish it?  Since a username is universally considered to be unique, how do they keep from notifying you if a username is already in use if you try to register it?

While you can't keep the username secret, you can use generic messages that state username or password don't match when a user is authenticating.  Don't be too specific, since errors that specifically tell you something is wrong make it easier for a brute force attack.

I do have one suggestion.  Why not add in API hooks so that third party authentication modules can be made for the Vera?  Then, if someone implements, say Google's two factor authentication, you refer them to the one who created the plugin for support. 
Vera 3 (1.5.622) / 9x GE/Jasco 45609 / 2x GE/Jasco 45612 / 2x GE/Jasco 45614 / 1x MIMO Lite
1x Twine (http://forum.micasaverde.com/index.php/topic,15617.0.html), DSC Security System, Honeywell  YTH8320ZW1007 Thermostat, 1x Fortrezz WWA-01, 1x CA9000 Wireless PIR Sensor

Offline garrettwp

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #63 on: August 29, 2013, 12:44:43 am »
@RichardTSchaefer, we have a new back-end server system, MMS, which uses OpenID authentication and a standard, secure RESTful API, and it has gone through an external security audit.  We have already modified our mobile apps to use the new backend and are working with 3rd parties as well to get the apps updated.  We're hoping to push this new firmware to our Beta Testers next month.

So, now the question is.  For those of us who have invested some time and effort into the Vera platform and have an interest, how do we become a Beta Tester?  Not to see the newest features, but also to give some feedback.  (I'm fairly confident I can back up my system before applying a firmware that may cause unwanted/undocumented features to manifest themselves.)

To get added to the beta testing group, the beta testers would have to vote. There are a few factors that we take into consideration.

1. How long you have been active on the forum.
2. Your contributions to the forum.
3. Technical knowledge.
4. ...

Have you ever seen a system where they are able to keep it a secret whether a username already exists or not?  If so, how did they accomplish it?  Since a username is universally considered to be unique, how do they keep from notifying you if a username is already in use if you try to register it?

While you can't keep the username secret, you can use generic messages that state username or password don't match when a user is authenticating.  Don't be too specific, since errors that specifically tell you something is wrong make it easier for a brute force attack.

I do have one suggestion.  Why not add in API hooks so that third party authentication modules can be made for the Vera?  Then, if someone implements, say Google's two factor authentication, you refer them to the one who created the plugin for support.

Not a bad idea, but then it would get very complicated for third party developers to support all of the authentication methods in their apps. I would rather see one good secure method to support, than to support multiple methods.

- Garrett

Offline SOlivas

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #64 on: August 29, 2013, 01:18:29 am »
Have you ever seen a system where they are able to keep it a secret whether a username already exists or not?  If so, how did they accomplish it?  Since a username is universally considered to be unique, how do they keep from notifying you if a username is already in use if you try to register it?

While you can't keep the username secret, you can use generic messages that state username or password don't match when a user is authenticating.  Don't be too specific, since errors that specifically tell you something is wrong make it easier for a brute force attack.

I do have one suggestion.  Why not add in API hooks so that third party authentication modules can be made for the Vera?  Then, if someone implements, say Google's two factor authentication, you refer them to the one who created the plugin for support.

Not a bad idea, but then it would get very complicated for third party developers to support all of the authentication methods in their apps. I would rather see one good secure method to support, than to support multiple methods.

- Garrett

True, it could be a pain to support multiple authentication methods.  A happy middle ground would need to be reached.  You could do that in one of two ways:

1.  MCV controls the access to the API and granting who can write an authentication layer. 
2.  Some sort of community controlled system is put into place that would decide.

If an API did exist, there would have to be more than just the hooks to make the modules available to make it feasible.  A standard would have to be implemented (homegrown or adapted from elsewhere) that would make it easier to manage this for application developers (think similar/along the lines of PAM, but without the limitations it has).

Personally, I would like to see a two factor authentication scheme implemented for the Vera -- something that would be optional and one of the choices MCV gives in that list we saw earlier.  While not a cure all, it would go a long way to making the Vera a lot harder to break into.

Vera 3 (1.5.622) / 9x GE/Jasco 45609 / 2x GE/Jasco 45612 / 2x GE/Jasco 45614 / 1x MIMO Lite
1x Twine (http://forum.micasaverde.com/index.php/topic,15617.0.html), DSC Security System, Honeywell  YTH8320ZW1007 Thermostat, 1x Fortrezz WWA-01, 1x CA9000 Wireless PIR Sensor

Offline micasaverde

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #65 on: August 29, 2013, 09:03:50 pm »
@dcrowley,

You previously wrote:

"Trustwave told you that we are researching this on our own dime, that we would publish the report regardless of any action by MiCasaVerde, and that we were not interested in money."

When I said that's a lie and challenged you to paste whatever correspondence you sent to this effect, you reply:

"As I said in the past, you did not communicate with me. By your own admission, you communicated with one of the people on our advisories team. Why would I have access to his email?"

So, in other words, you're now saying that you were lying when you made the first claim, since you really had no evidence that TrustWave was not interested in money and were just making it up.  You then say: "You are the one who claims I am a troll and an extortionist, so why should I be the one to prove myself innocent?... You can post the emails and let people see for themselves what happened."  FACT: I did already post the email proving that Trustwave WAS hitting us up for money to be "good guys".

Lastly, your latest post is backpedaling.  When I first challenged you to post your recommended fix you said: "The way around this is to require a username and password to control the VeraLite".  I pointed out that an http password is not encrypted, and therefore makes a bigger security hole, and only SSL certs work, but there's no practical way to deploy them on Vera since browsers by default won't accept them.  Now, you claim to have taken my position all along and say "I did not recommend using Basic HTTP Authentication. I recommended using SSL."  Again, I challenge you to copy/paste anything that you said on the forum or to the media or in your vulnerability reports that recommended using SSL certs, before I pointed out to you that an SSL cert was required to protect the password.  From my vantage point, you only started "recommending using SSL" certs AFTER I already told you that was necessary.  And then you never acknowledged that SSL certs aren't practical and that "This is a limitation of SSL, and unfortunately there is no "good" solution here. Much has been written about the limitations of SSL and the need for a different solution."  So, finally, you've come around 180 degrees and are actually taking the position I have taken all along, which is that the "vulnerabilities" you pointed out are NOT specific to Vera, but they are general problems with current networking technology and that there is no good solution until the network technology allows for some secure http communication over a local network.

Like I said all along, the "vulnerabilities" you've pointed out are nothing we haven't been aware of for years, they're not specific to Vera, and we've tried using both self-signed and CA-signed certs on Vera but many browsers won't accept them, so there is no user-friendly solution other than to turn off local access altogether, which is actually a main selling point of Vera.  So, like I said in the beginning, there is no good solution.

Now you finally admit the exact same thing...  "there is no good solution" to this issue.  So then why were you going on CNN and every news outlet reporting that you found some glaring hole in our product and that they were "easy to fix" but we were negligent, when the fact is the vulnerability has nothing to do with our product, it's common to all networking devices, and "there is no good solution".  This just proves that you were deliberately misleading people, trying to peddle fear, uncertainty and doubt amongst customers.

I also want to point out that you don't dispute that when you got on CNN and said "I am a hacker, I am controlling this door lock", that the fact is you were controlling YOUR door lock with YOUR Vera using the API and tools we provided and documented in our user's manual.  In other words, all you did was demonstrate the product worked as advertised, you did NOT hack into anybody else's system, but you deliberately misled viewers into thinking you did.

Offline micasaverde

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #66 on: August 29, 2013, 11:44:04 pm »
@dcrowley

If you were a legit security company performing a public service, you would have been warning people that ALL devices on their home network (NAS, router, VeraLite, etc.) have the exact same vulnerability.  All routers and access points from all major networking vendors do, like Vera, treat all devices on the local network as 'trusted', allowing you to set up port forwards using both unencrypted HTTP POSTs, as well as UPnP calls.  Just like Vera.  So the cross-site exploit you reference could just as easily be used by a hacker to set up port forwards on a router, and thus give him access to all the devices on your network.

We've never disputed that this is a vulnerability of Vera AND every other network device.  LEGITIMATE security advisers, like Moxie Marlinspike, DO perform a public service and warn people that the https/SSL technology developed over 20 years ago to validate servers only should be updated to allow secure communication over the local area network too since there are so many devices on the home LAN these days.

But, note that Moxie doesn't do what you do.  He doesn't pick one company out, like say, Cisco, to sensationalize and go on CNN with a self-promoting rant saying "This is a horrible security flaw in Cisco routers that would be easy to fix but Cisco is negligent and refuses to do a security audit."  If he did, it would be dishonest, and an unjustified attack on Cisco.  And probably a good indication he either had a bone to grind with Cisco or was trying to extort money out of them.  Rather, Moxie performs a legitimate public service providing an HONEST discussion of a fundamental, ubiquitous weakness in home networking technology.  There is no comparison between his serious work, and the activity of a troll like TrustWave.  If you were actually doing a public service, why did you deliberately mislead viewers on CNN, attacking us with some smoke and mirrors demonstration after we refused to pay you off?

Offline dcrowley

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #67 on: August 30, 2013, 01:01:30 am »
@micasaverde I will let the users of your products decide whether the flaws disclosed by Trustwave are legitimate. What you think of me does not matter to your customers. What matters to your customers is whether or not an action as simple as clicking a link in an email could put them at risk. I have shown that it can. You could change this and you refuse to, saying that you have decided your products should be this way.

Your customers can view our report at https://www.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt and decide for themselves whether or not your product poses a risk to them.

Offline micasaverde

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #68 on: August 30, 2013, 11:23:17 am »
Now you've flip-flopped again.  In your original claims you said we could fix this by simply putting a password on it, but that we negligently failed to do so.  Then, after I pointed out that your "fix" solved nothing and created a much bigger security problem, you back-pedaled and said that by 'password' what you really meant to say was an SSL cert.  Then, after I pointed out that this won't work on devices on the local area network, you finally conceded it was a fundamental networking issue and that "there is no good solution".  Finally we were in agreement.  But then you apparently realized that this confession simply proves that everything you've done has been a deceitful con because these vulnerabilities are ubiquitous to ALL devices in the home that allow web/upnp access over the home network, and your advisory report tricks users into thinking this is some flaw with Vera.

So, now you flip-flop again and say "You could change this and you refuse to...".  But you've refused to ever state what this "change" is to fix the issue.  Why can't you specifically state if you are recommending:

1. HTTP authentication, which is what you initially recommended until I explained the technical issues that this solved nothing and just opened a much more serious security hole.

2. CA-signed certs.  After I pointed out your flaw with #1, you wrote: "If you use a CA signed cert, this should be no issue."  However, I then pointed out this requires a commercial internet connection, a domain, reverse DNS, and the user has to go through a costly identity verification process with a 3rd party CA signer.  After I pointed out this, yet again, you simply failed to understand the technology, then, as far as I can tell, you edited your previous post and removed this comment, since it obviously showed how little you know about security.

3. Self-signed certs.  I explained this to you in the very beginning, but explained it's not a user-friendly solution since many browsers by default will reject the cert.

4. Turning off all local access.  This is secure, but means the user has to do everything through our server, which requires a monthly fee, and he can't use his system without internet access.

So be specific.  Which of those 4 "fixes" are you actually proposing?  You keep waffling and flip-flopping.

Lastly, if there was a good solution to this issue, then why is it that nobody else uses it?  You haven't disputed that this vulnerability exists with every access point and router from all the major companies, like Cisco, Netgear, D-Link, all the network storage devices, and every other device on the home network with a local UI.  Yet, your advisory singles out our product and claims that we're to blame for this vulnerability that affects every network device.  How can you possibly claim your advisory is anything other than a vindictive hatchet job as revenge for us not giving in to your extortion scheme?  If you genuinely were providing some public service, why do you single out our product instead of reporting that this is a fundamental issue with the way networking works?  And why get on CNN and do a deliberately deceitful piece where you simply unlock your door with your Vera, using the user interface we provide and document, which shows nothing but that the product works, but preface it with the misleading claim that you're a hacker to trick viewers?

Offline dcrowley

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #69 on: August 30, 2013, 12:17:38 pm »
@micasaverde: If you're interested in improving the security of your product, I can discuss recommendations with your Director of Product Development, Colin, who has already reached out to me to get more information. I am STILL willing to work with you AT NO COST to improve the security of your product.

My paper is available at https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf. If you read it, you will see that your product was not the sole focus of my research; it simply was the most interesting to the media as compromising the VeraLite potentially means physical access to a building or covert surveillance. In fact, the flaws I found in a "smart" toilet were more interesting to the media than unlocking doors. Go figure. My research set out to prove what you yourself alluded to: "smart home" technologies as they exist today are full of security flaws.

I have also discussed the UPnP protocol by itself in a separate presentation you can view at http://www.slideshare.net/BaronZor/why-upnp-is-awesome-and-terrifying . In your words as quoted below, this means I am genuinely providing a public service:

Quote
You haven't disputed that this vulnerability exists with every access point and router from all the major companies, like Cisco, Netgear, D-Link, all the network storage devices, and every other device on the home network with a local UI.  Yet, your advisory singles out our product and claims that we're to blame for this vulnerability that affects every network device.  How can you possibly claim your advisory is anything other than a vindictive hatchet job as revenge for us not giving in to your extortion scheme?  If you genuinely were providing some public service, why do you single out our product instead of reporting that this is a fundamental issue with the way networking works?

Offline micasaverde

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #70 on: August 30, 2013, 12:54:17 pm »
>> I can discuss recommendations with ... Colin

Fine.  Since our company culture is focused on being transparent and honest with our users and not withholding anything, I, of course, prefer that any discussions about recommended solutions be done publicly, in the forum, for everyone to read and comment.  I still feel the reason why you're refusing to discuss your "solution" publicly is simply that "there is no good solution", which is something you conceded at one point, and now have backed away from and edited your prior posts discussing a solution.

Regarding the public service, I will leave it up to the viewer.  The interview is below.  The viewer can decide if you were honestly discussing a vulnerability in the networking protocol which we discuss openly in our docs and that affects every device in the home, and if your demonstration was honest and let viewers know that you were simply unlocking your own door lock from within your own network using the user interface that we provide and document.  My opinion is still that you deceived users by suggesting this was a vulnerability specific to our product and that you tricked users into thinking you were demonstrating hacking someone else's door lock.  If the viewer concurs with my analysis that it was all a scam, then the obvious question is to ask what your motivation was for going on tv and deliberately deceiving users about our product.  There had to be a reason, be it 1) trying to get your 15 minutes of fame at someone else's expense, 2) trying to capitalize on our success to promote TrustWave, and 3) as payback for us not giving into your shakedown for money.  I've explained in detail why I believe the answer is all 3.  Once the viewer decides if the interview was honest, then they can decide if they buy your explanation that your motive was an altruistic desire to perform a public service.

http://edition.cnn.com/video/?/video/us/2013/08/14/pkg-laurie-segall-hack-your-house.cnn&iref=obnetwork

Offline dcrowley

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #71 on: August 30, 2013, 07:47:00 pm »
@micasaverde: Actually, that's a good idea. I'll start a new thread to discuss the flaws and potential fixes.

Offline micasaverde

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #72 on: August 30, 2013, 08:21:02 pm »
@dcrowley, I certainly would welcome a new thread that discussed fixes and solutions.  Everybody who understands networking technology understands the flaws in the technology and the vulnerabilities.  The challenge is finding a solution that is actually secure, but is also feasible for novice users who won't be able to do things like change browser settings to support self-signed certs, or buy CA-signed certs.  And, since the main selling point of Vera vs. our other managed solutions (which are secure) is that the Vera does not require the user to use our servers, have internet access, or pay a monthly fee, it must still allow local access.  Further, to please the techie users, it needs to include a standard, ubiquitous control protocol that is supported by standard devices like TVs, DVRs, music players, etc.

As I explained to TrustWave months ago, we do not know of a solution that fits all the criteria--and we HAVE hired professional security consultants to work with us.  Therefore, like I already said, in our next rev UI, we are planning on putting a security tab which gives the user 4 options:

We are debating about putting a 'security' tab in the UI that gives the user the following options:

1.  Leave local network access open like it is now.  The advantage is you can use the system even if your internet is down.  But the drawback is that you must ensure your wi-fi is secure because anyone on the local network will have access to the device.

2.  Add HTTP authentication with a local password.  It's universally accepted by all browsers, but it's not secure and the password will be exposed.  So it wouldn't thwart hackers.

3.  Install a self-signed certificate.  This requires configuration changes to your browser, but it is secure. 

4.  Turn off local network access completely, and require you to only access the system through our servers.  This is secure, however it means you cannot use the system if you do not have internet access, other devices on the network will not be able to control the system, and there is a monthly fee associated.

Additionally, we would add a check-box to enable UPnP or turn it off.  Adding the option of secure UPnP is at this point useless since no clients support it, so you might as well just turn it off.

If you have some other idea beyond those 4 choices that is commercially viable, I would love to hear of it.  And, since you don't dispute that the vulnerabilities you attribute to Vera affect EVERY network device in the home with a local web UI, there are no doubt hundreds of other companies that would love to hear what fix you have for the problem.


Offline dcrowley

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #73 on: August 30, 2013, 10:09:31 pm »
MCV, let's put this discussion in the other thread.

Offline dcrowley

Re: Black Hat Talks To Outline Attacks On Home Automation Systems
« Reply #74 on: August 31, 2013, 11:13:02 am »
@MCV: In response to your comment about the misrepresentation from the media in the technical thread:

I said that lack of authentication and encryption are basic security problems that should be addressed in any product, especially when people can control door locks and alarm systems from that system. I never said MCV was incompetent. The VeraLite is a wonderful product and I like it a lot. I said in multiple interviews: "I love the VeraLite, it's an awesome product, but I'm heartbroken that it has these vulnerabilities." Unfortunately, many media outlets misquoted me to make it more generic. Misrepresentation is something media outlets are prone to do.

You see, the media is interested in producing a compelling story so that their ratings go up and they can charge more for advertising. This is exactly why we've seen so much coverage of Miley Cyrus and not Syria. If you want to blame someone for misleading stories, blame the media. I interviewed with CNN for over an hour, and the piece you linked to is less than five minutes long. The part of it devoted to discussion from myself and my co-researchers was less than one minute long in total. Additionally, most of CNN's viewers are non-technical. Even if the media weren't financially motivated to care more about showmanship than accuracy, CNN must still try to condense over an hour of very technical material into a few minutes of non-technical, compelling material. That's a difficult task and even major media outlets do it wrong.

If people are looking for technical accuracy, though, they can read my paper or watch my talk (it will be available to the public once DEF CON uploads it) and get the real story. I still maintain that an attacker can use the SSRF flaw and the RunLua UPnP action in conjunction with each other to trick a user into giving control of their VeraLite to the attacker. In my DEF CON talk, I show the audience the UPnP request used to open the lock and note the lack of any authenticating information. I also showed this to the media outlets with which I interviewed, but they neglected to include the footage because it was too technical.

As far as demonstrating control over someone else's home, it is illegal under the Computer Fraud and Abuse Act for me to do that without getting permission from another user. I don't know any VeraLite users nearby, but if you'd like I would be willing to demonstrate for a willing party within driving distance of me.