Defcon blackhats look at Home Automation targets

[hightop32]

http://www.wired.com/threatlevel/2011/08/hacking-home-automation

i noticed the small mention about z-wave... does anyone know more about this.. could it be the schlage lock they are talking about? 

[Henk]

@hightop32

Since mainly X10 is mentioned

The tools, which they’re releasing to the public, include the X10 Sniffer to determine what’s connected to the power network and monitor what the devices are doing, and the X10 Blackout, which can jam signals to interfere with the operation of lights, alarms, security cameras and other devices.

And the mentioning of ethernet over existing power lines in buildings, this seems to be a hack on earlier X10 based home automation.

Since Z-wave radiowave technology has been introduced things are a bit different. Especially with the communication from and to locks that is encrypted.

Hope that answers your question a bit.

Henk

--edit--

Kennedy, aka Rel1k, and Rob Simon, aka Kc57, spent two months researching and designing their open-source tools to conduct the hacks. The tools focus on home-automation systems that are based on the X10 protocol, which doesn’t support encryption. They also looked at the ZWave protocol, which does support AES encryption, but the one device they found that was using it, implemented the encryption incorrectly – the key exchange was done in the clear so an attacker could intercept the keys and decrypt all of the communication.

Does mention zwave technology but not the device in question.
Maybe someone else can elaborate on that!

http://www.wired.com/threatlevel/2011/08/hacking-home-automation

i noticed the small mention about z-wave... does anyone know more about this.. could it be the schlage lock they are talking about?  

[hightop32]

understood.  that is why i asked.  i can only assume its the schlage since it uses AES encryption.  they mention the communication being encrypted, but the initial pairing shares the key that could be used to decipher the messages sent between the vera and the locks.  god forbid these guys ever get a hold of a vera, the thing would be blown wide open!  we know how fragile and insecure it is on the local lan.  much easier to attack the controller than the module communications!

[shady]

I saw the link posted here:

http://hackaday.com/2011/08/08/home-automation-systems-easily-hacked-via-the-power-grid/

I find it funny as some of the commenters do that they are worked on proving X10 was insecure, well it was developed before security was an issue and it doesn't have any AFAIK.  Stupid waste of time as we all know it is possible for you to turn on your neighbors X10 lights if the conditions are right, and this is easily fixed with a filter in the panel (exterior electrical outlets may be an issue, though).

The Z-Wave information is the interesting part and they don't tell you anything, or at least Wired doesn't.  Is this device passing the key in the clear during inclusion (who cares then) or during every communication?  I am still not worried about this kind of thing because I am a firm believer that any thief will take the path of least resistance (break or jimmy window or sliding door... easy) and not the most technologically advanced path (let me wait for my laptop to boot, darn USB cable always in the way, damn I lost my signal... difficult).

[DA INFERNO]

http://www.cepro.com/article/home_automation_systems_easily_hacked_via_power_lines/

This does not look good!

[hightop32]

http://www.cepro.com/article/home_automation_systems_easily_hacked_via_power_lines/

This does not look good!

No it really doesnt.  it looks like the 'author' of this 'article' Jason Knott, just basically copy and pasted everything from the wired article (less actually), including the image.  DAYS after the fact even.

edit: merged thread

[guessed]

@hightop32,
I merged the conversations together, since they were basically posting about the same 'event'...

[hightop32]

The Z-Wave information is the interesting part and they don't tell you anything, or at least Wired doesn't.  Is this device passing the key in the clear during inclusion (who cares then) or during every communication?  I am still not worried about this kind of thing because I am a firm believer that any thief will take the path of least resistance (break or jimmy window or sliding door... easy) and not the most technologically advanced path (let me wait for my laptop to boot, darn USB cable always in the way, damn I lost my signal... difficult).

I hope its only during pairing!  Thats the only thing that makes any sense.  The real issue here isnt whether they could throw a rock into your window, but imagine owning/having access to a 'botnet' of homes at your control remotely.  a scripted/automated attack scanning for the already known limitations and bugs/workarounds in vera (again particularly its weak security on the local lan) could lead to some serious problems.  I mean we've already learned there are people/machines targeting the vera central servers.  some [profanity redacted] out there just want to cause disruption, not necessarily physically steal your stuff.

[hightop32]

@hightop32,
I merged the conversations together, since they were basically posting about the same 'event'...

word.  that jason knott guy still sucks though.   

[hightop32]

soooo how vulnerable are these zwave devices to having commands sent to them from a 'spoofed' vera?  i understand the inclusion process, but could someone with the proper equipment fool a device into thinking the command came from its primary controller?  what stops this?

[JOD]

soooo how vulnerable are these zwave devices to having commands sent to them from a 'spoofed' vera?

Depends on what you mean by vulnerable.
By happenstance?
As an example, what are the chances that someone has the same front door key as you? Probability ~1 in 1,000,000
Chances of someone having the same Z-Wave home ID as you? 1 in 2,821,109,907,456

could someone with the proper equipment fool a device into thinking the command came from its primary controller?

Yes.

JOD.