Advanced => Security => Topic started by: Tony G on June 26, 2013, 02:41:27 pm

Title: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Tony G on June 26, 2013, 02:41:27 pm


http://it.slashdot.org/story/13/06/26/1339253/black-hat-talks-to-outline-attacks-on-home-automation-systems

"If you use the Z-Wave wireless protocol for home automation then you might prepare to have your warm, fuzzy, happiness bubble burst; there will be several presentations about attacking the automated house at the upcoming Las Vegas hackers' conferences Black Hat USA 2013 and Def Con 21. For example, CEDIA IT Task force member Bjorn Jensen said, 'Today, I could scan for open ports on the Web used by a known control system, find them, get in and wreak havoc on somebody's home. I could turn off lights, mess with HVAC systems, blow speakers, unlock doors, disarm alarm systems and worse.' Among other things, the hacking Z-Wave synopsis adds, 'Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems...An open source implementation of the Z-wave protocol stack, openzwave, is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.'"
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Tony G on June 26, 2013, 02:47:03 pm
The nameless system they mention with open ports is HomeSeer, according to some folks in the comments. Interesting stuff. I believe this will force all vendors of HA equipment as well as Sigma to strengthen security!
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Intrepid on June 26, 2013, 02:51:09 pm
This does not seem to be about Z-Wave hacking, but a web server security issue.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Z-Waver on June 26, 2013, 08:21:04 pm
Z-Wave and, more specifically, Vera have security issues. It is clear that security was an afterthought for both.

But, if you have opened ports in your firewall to allow direct access to your home automation system, or do not strongly guard LAN and WiFi access to your Vera, you are virtually leaving your front door unlocked.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Piwtorak on June 26, 2013, 08:57:53 pm
If I always use Vera through micasaverde.com when away from home, with no port forwarding created for direct access, what is the level of exposure and security of our Veras?
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: RichardTSchaefer on June 26, 2013, 09:20:39 pm
If the only entry through your router from the internet is through a VPN or SSH tunnel (i.e. NO port forwarding) ... and you use WPA2 for your Wifi ... you are pretty safe.

Note: IP Cameras often encourage port forwarding to access the camera outside your home. This is a bad idea ... as most IP cameras are running a Web server on a linux engine ... and can be exploited.

Accessing the IP cameras thru Vera is much safer.

Note: Vera opens a tunnel in the opposite direction ... from your LAN to the MCV servers.

Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Piwtorak on June 26, 2013, 09:37:02 pm
Thanks Richard, I am at ease because I fit that pattern.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: guessed on June 27, 2013, 03:40:02 am
Quote
Note: Vera opens a tunnel in the opposite direction ... from your LAN to the MCV servers.

... and that's the weak link. It effectively means that access to your LAN is as weak as a user's cp.mios.com password, and any controls/service sharing used by the MiOS folks on their servers.

There are some previous threads on the use of RunLua & os.execute, over that link (once hacked), to gain full and total control of not just Vera.

Basically use those two to open a new outbound tunnel to wherever, and then use Vera as the jumping off point into a CT's broader LAN env.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Piwtorak on June 27, 2013, 09:41:26 am
MCV could improve security by showing images with numbers to confirm access, like banks do, or by requiring prior authorization for each new computer or system wanting access to a Vera unit.

Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: guessed on June 27, 2013, 01:16:12 pm
Quote
MCV could improve security by showing images with numbers to confirm access, like banks do, or by requiring prior authorization for each new computer or system wanting access to a Vera unit.

Yes, but that would break the existing Control Points, since they [currently] rely upon UN/PW.

The easiest, short-term, "fix" for this situation would be to add account lockout, based upon bad entries, and password reset for when you get in the hole.

Longer term, there are way better technologies that can be looped in but they'll trigger the control points to rework their AuthN models to match.... so it would need to be "an option" so that people who were concerned could opt in (at the sacrifice of older Control Points that didn't support it)
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: SocketFail on August 04, 2013, 01:59:02 pm
Quote
The nameless system they mention with open ports is HomeSeer, according to some folks in the comments. Interesting stuff. I believe this will force all vendors of HA equipment as well as Sigma to strengthen security!

Here's another article from a few days ago where the Vera Lite specifically is hacked: http://money.cnn.com/news/newsfeeds/gigaom/articles/2013_07_26_breaking_into_the_smart_home_of_the_future.html

Looks like everybody needs to tighten up!
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Z-Waver on August 04, 2013, 06:15:30 pm
@SocketFail - Read the article again. The hack in the article relies on compromising the WiFi network. This gives the attacker local network access to the VeraLite, just the way you have access when you're at home. There are security issues to be addressed, but as stated earlier in this thread, a properly secured WPA2 WiFi network pretty effectively mitigates against this "hack".
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: capjay on August 05, 2013, 08:34:15 am
Quote
If the only entry through your router from the internet is through a VPN or SSH tunnel (i.e. NO port forwarding) ... and you use WPA2 for your Wifi ... you are pretty safe.

*Assuming* the MCV servers/cloud are secure and locked down properly.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: MiPolloMole on August 05, 2013, 04:08:07 pm
To be clear, there are three sets of vulnerabilities being discussed here:

HOME INVASION V2.0 - ATTACKING NETWORK-CONTROLLED HARDWARE
https://www.blackhat.com/us-13/briefings.html#Crowley

Defeating wifi security gives an attacker access to everything on your local network, including Z-Wave devices. As RichardTSchaefer and Z-Waver mentioned, using WPA2 for your wifi network mitigates these vulnerabilities pretty well.

Also, allowing access to your MCV hardware by MCV's servers creates another avenue for attack, regardless of how secure your wifi network is.

HONEY, I'M HOME!! - HACKING Z-WAVE HOME AUTOMATION SYSTEMS
https://www.blackhat.com/us-13/briefings.html#Fouladi

These attacks are carried out directly against the Z-Wave wireless network. These are the ones that worry me the most. A co-worker who attended this talk tells me that they demonstrated remote unlocking of a Z-Wave deadbolt. That should be disconcerting for anyone who owns such hardware.

I'm very curious about the direct Z-Wave attacks. Web searches only gave me links to the page above, and articles about the presentation which do not contain anything more than what's on the page above. If anyone has more details, I'd love to hear them.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Z-Waver on August 05, 2013, 04:18:35 pm
Quote
A co-worker who attended this talk tells me that they demonstrated remote unlocking of a Z-Wave deadbolt

If true, this is a very big deal. It would mean that they have figured out a way to break or inject their commands into the AES-128 encrypted channel, which seems highly unlikely, or they have discovered some other vulnerability that bypasses the encrypted control channel completely. The latter seems more likely than breaking AES-128, but I'm still dubious.

Can you press your co-worker for greater detail and a citation? At least what kind of deadbolt was used. I'm not ready to accept that the sky is falling based on 'he said; she said' assertions.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: MiPolloMole on August 05, 2013, 05:00:38 pm
Quote
If true, this is a very big deal.

I couldn't agree more. I just bought one on Saturday, then heard about all of this today, and I'm trying to get to the bottom of this before the return-for-a-refund window ends. :-) I don't have enough information right now, but I'll update this thread when that changes.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: redwood on August 05, 2013, 08:02:21 pm
Hi All,

I'm one of the researchers who presented the Z-Wave security talk in Las Vegas last week and was informed about this forum thread via an email message. I'd like to give you some update about our research. During our talk:

a) We demonstrated that unencrypted devices (the ones that do not implement SECURITY_CLASS), such as motion sensors, could be disabled remotely by using our Z-Wave packet injector (Z-Force)

b) We also demonstrated an attack against Z-Wave security protocol implementation in an AES door lock that could reset the network key to a known value remotely and enable the attacker to take full control of device (unlock, set PIN, etc)

Due to BlackHat conference's content embargo, we would not be able to publish our research paper and slides until August 15th, after which those will be available on the following URLs:

https://code.google.com/p/z-force/
http://research.sensepost.com/

Thank you
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: MiPolloMole on August 05, 2013, 08:08:16 pm
Quote
I'm one of the researchers who presented the Z-Wave security talk in Las Vegas last week and was informed about this forum thread via an email message. [...]

That was me, I suspect. But I am sure that a lot of us are looking forward to the expiration of that embargo now.  :)

Thanks for stopping by!
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Z-Waver on August 06, 2013, 08:33:04 am
Quote
b) We also demonstrated an attack against Z-Wave security protocol implementation in an AES door lock that could reset the network key to a known value remotely and enable the attacker to take full control of device (unlock, set PIN, etc)

Thanks, very much for coming in and clarifying the situation. My remaining uncertainty is whether the lock compromise was a vulnerability in the Z-Wave protocol or in a particular lock's implementation. If the latter, which one and have you contacted the manufacturer about the vulnerability?
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: redwood on August 06, 2013, 11:42:42 am

We discovered this issue in a European Z-Wave door lock, but as there was strong evidence that the root cause of the vulnerability (a protocol implementation error) could be present in other door lock brands, we decided to report the vulnerability directly to the Z-Wave vendor (Sigma Designs) and they should have communicated it to the device manufacturers to make sure their products are not affected.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Z-Waver on August 06, 2013, 07:05:38 pm
Thanks for the information! Let's hope that Sigma Designs acts responsibly on this.

Eagerly anticipating your presentation's release on August 15th.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: MiPolloMole on August 07, 2013, 06:43:11 pm
The first post in this thread links to an article about three BlackHat talks. Redwood's is one of them, and we'll have to wait for the details, but another is already available online at BlackHat's own web site:

https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf

A section of that paper describes some vulnerabilities in MiCasaVerde's Vera system. Most of the vulnerabilities are of the form "if an attacker has access to your local wireless network, they can..." and/or "if an attacker has control of MiCasaVerde's servers, they can..."

The key concern, in my opinion, is that MCV's servers effectively have root access to the Vera devices. (The paper describes how an attacker with access to MCV's servers can use the UPnP interface to create root-privileged accounts on the Vera.) Thus if an attacker acquires control of MCV's servers, the attacker has full control of our Vera devices as well.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Z-Waver on August 08, 2013, 08:35:23 am
@MiPolloMole - Forgive my lack of vision, but I'm not perceiving any personal risk in such an attack. I'm not saying that there is not a vulnerability or that it should not be addressed, but it seems to me that the MCV take over vector is less of a threat than a local exploit.

Assuming that an attacker manages to take over MCV's servers, they would indeed have root on my Vera and tens of thousands of others. Now what will they do? Will they make my lights flash? Will they run up my electric bill? Will they watch my cameras? I just don't see any likelihood of them identifying a single house and then leveraging their MCV access to open doors or do me "harm".

The other attack exploiting Z-Wave for locally opening a lock bothers me far more.

Edit: Thinking about it some more; I suppose with MCV access they could open ALL locks globally in order to open the door they happen to be standing in front of without having to identify a specific house/node on the MCV servers. OK, I see greater risk now, but the local exploit still bothers me more.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: guessed on August 08, 2013, 09:36:12 am
Quote
Assuming that an attacker manages to take over MCV's servers, they would indeed have root on my Vera and tens of thousands of others. Now what will they do? Will they make my lights flash? Will they run up my electric bill? Will they watch my cameras?

They'll open a new Network Tunnel from your LAN (the part that's accessible to Vera), to a nice comfy location of their choice where they can take their time to break into more stuff on your LAN as they'll effectively "see" anything on that Network.

Vera just becomes the Gateway to a more interesting attack.

From an access standpoint, this is the equivalent of removing your LAN's Internet Firewall... at least for their use (unless they decide to make that access more widely available to others)

Do you have your SSN, or other PII, stored anywhere on a LAN-based file share?  Any unsecured Financial documents, Check account#, Credit card#'s (etc) floating around on your home machines?

Bottom line, it comes down to how comfortable you'd be running your LAN without an Internet Firewall.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: MiPolloMole on August 08, 2013, 03:48:52 pm
Quote
Assuming that an attacker manages to take over MCV's servers, they would indeed have root on my Vera and tens of thousands of others. Now what will they do? Will they make my lights flash? Will they run up my electric bill? Will they watch my cameras? I just don't see any likelihood of them identifying a single house and then leveraging their MCV access to open doors or do me "harm".

I'm not worried about a targeted attack.

But if the sort of person who breaks into other people's computers for fun breaks into MCV's servers, how long would it be until every MCV customer finds their deadbolts mysteriously unlocked?

I just configured my network so that my Vera can only be accessed from one specific IP address (a PC on my home network). That mitigates the risk for me.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: legend99 on August 10, 2013, 02:04:33 pm

Problem is that viewing an IP cam through Vera is, to put it lightly, garbage. My Foscam (maybe the fault lies there) works for 30 seconds and then stops transmitting until I close the window and open it again.

Quote
If the only entry through your router from the internet is through a VPN or SSH tunnel (i.e. NO port forwarding) ... and you use WPA2 for your Wifi ... you are pretty safe.

Note: IP Cameras often encourage port forwarding to access the camera outside your home. This is a bad idea ... as most IP cameras are running a Web server on a linux engine ... and can be exploited.

Accessing the IP cameras thru Vera is much safer.

Note: Vera opens a tunnel in the opposite direction ... from your LAN to the MCV servers.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Cor on August 11, 2013, 06:41:10 am
Interesting reading.

For myself I am not too worried; if someone really wants, he/she may switch some lights on or off..... or open my gate. Not nice and I prefer it won't happen.

I do have a question concerning opening ports on my router.

In and around my house I have installed about 8 IP cameras, and I use the Blue Iris program to watch them (also remotely). For Blue Iris (webcast) I have opened port 20. I sometimes also want a direct feed from the cameras and for that reason I also opened ports 50 till 58.

With these ports open, can someone now (easily) access my network?

I can understand if someone would be able to take over control of the cameras (so be it), but I am a bit worried about, for example, my NAS (which is connected to my LAN, but I have no port forward for it).

Thanks,
Cor 
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: RichardTSchaefer on August 11, 2013, 07:53:23 am
I would not open up cameras with port forwards through the router ...
I use an SSH tunnel. This makes all of my cameras, and any other home network resource I wish to make available on my phone, look like a local IP port to the phone ... and all communication is secured through the SSH tunnel.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Z-Waver on August 11, 2013, 09:22:58 am
@Cor - IP cameras are usually Linux based System on a Chip (SoC) devices that are notorious for having network security vulnerabilities in them. Here's the first search item that came up (http://www.informationweek.com/security/vulnerabilities/wireless-camera-flaws-allow-remote-explo/240153001). They are also notorious for never having their firmware updated, so the vulnerabilities are never fixed. The issue is that the camera's vulnerabilities are exploited and then the camera (computer) is used as a jumping off point to the rest of your network, as @guessed reminded me earlier in this thread. They gain access to the camera and then use it as a gateway to compromise other devices on the network, including your NAS. This is why you are seeing people strongly recommend against forwarding ports, especially to cameras.

On another note, you state that you have forwarded ports 20 and 50-58. These are called reserved ports because they are used and reserved for very specific services. For instance port 20 is used for the data channel in FTP and port 53 is used for DNS. By forwarding these ports to specific devices, I would expect unusual and problematic behavior, especially with DNS resolution. Other forms of this type of non-standard, if not just plain wrong, network configuration could possibly be causing the unexplained issues of your other posts (http://forum.micasaverde.com/index.php/topic,16021.0.html). When forwarding ports to non-standard services it is proper to forward ports higher than 1024 (the reserved ports).
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Cor on August 11, 2013, 09:53:57 am
@ RichardTschaefer & Zwaver,

Many thanks for your explanations.

I will close the ports to my cameras, although I use 1 camera with audio in and out as a sort of intercom.... maybe leave 1 port open :-s (that SSH tunneling is going way too far for me).

I had no clue that I couldn't use specific ports for any application. My idea was to have it all neatly ordered.

Blue Iris for example is on the computer with 10.0.0.20 and I opened port 2000 for the webcast (wrongly thought I opened port 20).

For the cameras I opened ports 2050 till 2062. Local IP addresses for the cameras are 10.0.0.50 until 10.0.0.62.

Is this a list I can use for the ports? Or rather not use:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
I see port 2000 is officially used as well; does it mean it is a bad idea to use it for my Blue Iris?

Many thanks,
Cor

Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Intrepid on August 11, 2013, 10:29:12 am

In blue iris you can set any port for the web server. 

What I do for blue iris:
- run BI PC as a standard user (not admin).
- use a high, non-standard port for the web server.
- port forward to BI.
- keep BI PC off any workgroups, no sharing.

- use LAN2 for my 'risky' stuff, including blue iris, cams, vera, DSC.  Things that need to access the WAN and/or work closely together.
- use LAN1 for everything else, including my NAS and wifi.  LAN1 is stealth to the outside, LAN2 has one visible port to the outside.
- LAN1 can access LAN2, but LAN2 cannot see LAN1.  From my laptop on LAN1 I can use local addresses to hit vera, BI on LAN2.
- check router logs & alerts regularly


Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Intrepid on August 11, 2013, 10:46:27 am
Also, long, strong passwords.

I personally use LastPass to generate long, unique passwords and store them for me. I have to have my phone's authenticator to log in to my LastPass account from a new device, so it's protected.

And per GRC: https://www.grc.com/%5Chaystack.htm

D0g.....................
PrXyc.N(n4k77#L!eVdAfp9

...the first password above is 95 times more secure (more difficult to brute force) than the second because it is one character longer. I sometimes use this padding technique by adding 10 or 20 of the same character to the end of a password.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Cor on August 11, 2013, 05:54:22 pm
@ Intrepid: Thanks for your advice.

 What is a good port for blue iris?, I guess the 2000 I am using is pretty crap :-s

Cor
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Z-Waver on August 11, 2013, 06:10:57 pm
@Cor - Port 2000 is OK, so long as you don't put a Cisco IP phone or PBX on your home network. Cisco's IP phone protocol Skinny Call Control Protocol(SCCP), often referred to as "skinny", uses 2000 as a default port.

It is generally acceptable to use any ports greater than 1024, but as you see in the Wikipedia link you provided, the number of reserved ports is increasing quite a bit. For this reason you run less chance of a port conflict if you use higher port numbers.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Cor on August 11, 2013, 06:29:45 pm
@Zwaver. Ok understood , many thanks,

Cor
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Intrepid on August 11, 2013, 07:36:38 pm
Quote
What is a good port for blue iris?, I guess the 2000 I am using is pretty crap :-s

No idea, but they can go to 65535, I think?  Might as well make it something uncommon and obscure.  It will be found, and that's where the password strength is critical, along with reliance on BI's web server security.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: RichardTSchaefer on August 11, 2013, 08:27:31 pm
When hackers look for vulnerabilities ... they walk (scan) the whole set of ports ... it does not matter what port you actually use ... It only takes a few minutes to assess the port availability of a particular IP address. And it's amazing how often this happens ... I have some logging watching for it. Once they find a responding port, they then attack it looking for known vulnerabilities.

If they find a web server ... they start looking for server side vulnerabilities ... Your Vera and your IP cameras all have a web server ... many Audio/Video components in the house also have web servers in them.

I have actually BLACK listed a large part of Asia because of the number of probes from that part of the world ... Sorry that has caused my Web Server with documents on my plugins to be unavailable to those folks.

Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: MDoc on August 12, 2013, 08:23:40 am
Richard, 

Is there any particular port scan detection software you recommend?
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: RichardTSchaefer on August 12, 2013, 09:11:01 am
How/If you can do this is dependent on the hardware you have. Not generally possible with the typical residential router ... That's why I highly recommend to NEVER allow port forwarding except for a SSH/VPN tunnel. You may never know if you have been hacked.  A hacker may not even care about your resources directly. It may only use your resources to participate in a denial of service to someone else ... or an attempt to hide their identity by masquerading as you and do other mischievous actions.
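
An added example (not RichardTSchaefer's setup or any poster's code) of the kind of log watching discussed above: it reads firewall drop-log lines and flags any source address that probes many distinct ports within a short window. The log lines are constructed, in an abbreviated netfilter LOG style with a hypothetical `FW-DROP` prefix and documentation-range addresses; the function names, the assumed year and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real traffic: one fast scanner, one host retrying a
# single closed port, one slow prober, and an ICMP line that carries no port.
SAMPLE_LOG = """\
Aug 12 09:00:01 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=21
Aug 12 09:00:02 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=22
Aug 12 09:00:03 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=23
Aug 12 09:00:04 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=80
Aug 12 09:00:05 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40005 DPT=443
Aug 12 09:00:06 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40006 DPT=2000
Aug 12 09:00:07 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40007 DPT=8080
Aug 12 09:00:08 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40008 DPT=8443
Aug 12 09:00:20 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Aug 12 09:00:30 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.80 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=2000
Aug 12 09:00:31 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.80 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=2000
Aug 12 09:00:33 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.80 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=2000
Aug 12 09:10:00 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.2 PROTO=TCP SPT=33000 DPT=22
Aug 12 09:25:00 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.2 PROTO=TCP SPT=33001 DPT=23
Aug 12 09:40:00 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.2 PROTO=TCP SPT=33002 DPT=80
Aug 12 09:55:00 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.2 PROTO=TCP SPT=33003 DPT=443
Aug 12 10:10:00 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.2 PROTO=TCP SPT=33004 DPT=3389
Aug 12 10:25:00 gw kernel: FW-DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.2 PROTO=TCP SPT=33005 DPT=8080
"""

# Syslog timestamp, then the SRC=, PROTO= and DPT= fields in that order.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s.*?"
    r"\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\w+).*?\bDPT=(?P<dpt>\d+)"
)


def parse_drops(log_text, year=2013):
    """Return (time, source, protocol, dest_port) for every line with a port.

    Syslog stamps carry no year, so one is assumed (a log spanning New Year
    would need handling that this sketch leaves out).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # e.g. ICMP lines have no DPT= field
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((when, m["src"], m["proto"], int(m["dpt"])))
    return events


def max_ports_in_window(events, window=timedelta(seconds=60)):
    """Per source: the most distinct (protocol, port) pairs seen in any window."""
    by_src = defaultdict(list)
    for when, src, proto, dpt in events:
        by_src[src].append((when, (proto, dpt)))
    peak = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window = defaultdict(int)  # (proto, port) -> hits inside the window
        best = left = 0
        for when, port in hits:
            in_window[port] += 1
            # Slide the left edge forward until the window fits again.
            while when - hits[left][0] > window:
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        peak[src] = best
    return peak


def find_scanners(log_text, min_ports=6, window_seconds=60):
    """Sources that touched at least min_ports distinct ports inside one window."""
    peak = max_ports_in_window(parse_drops(log_text),
                               timedelta(seconds=window_seconds))
    return sorted(src for src, count in peak.items() if count >= min_ports)


if __name__ == "__main__":
    print("60 s window:", find_scanners(SAMPLE_LOG))
    print("2 h window: ", find_scanners(SAMPLE_LOG, window_seconds=7200))
```

With the 60-second window only the fast scanner is reported; the slow prober touches the same number of ports but shows up only when the window is widened, and the host retrying one port is never flagged.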
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: LightsOn on August 12, 2013, 09:41:59 am
@RichardTSchaefer

Quote
I have some logging watching for it.

Out of interest, could you expand on this a little? What logging and watching do you have set up? I would like to monitor similar security vulnerabilities.

Quote
I have actually BLACK listed a large part of Asia because of the number of probes from that part of the world
&
Quote
How/If you can do this is dependent on the hardware you have

I am assuming you are running DD-WRT or similar? Could you share some of your protection setups? Logging and monitoring stuff?

I have experience in this area and what you mention all sounds familiar but I have not directly looked to implement anything to offer monitoring or alerting to potential attacks or "scans (walks)"

Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Brientim on August 13, 2013, 04:59:51 pm
And if you use Chrome....

http://bgr.com/2013/08/07/google-chrome-password-security/
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: zedrally on August 14, 2013, 01:12:47 am
^^^
That's scary as hell.

Now I have to find a better browser.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: garrettwp on August 14, 2013, 01:31:40 am
Or just not save your passwords! I never use this option.

- Garrett
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Brientim on August 14, 2013, 05:08:04 am

Quote
Or just not save your passwords! I never use this option.

- Garrett

The most appropriate line here is from Hitchhikers Guide to the Galaxy... "Don't Panic".

And if you are worried, just take the advice above and remove the passwords already stored.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: SOlivas on August 14, 2013, 03:54:40 pm
This brings to mind all sorts of things that are typically wrong with consumers using anything internet related as a "plug and play" device.  They plug it in, it works, they sometimes change a password and forget about it.

To solely depend on your internet provider's supplied router/gateway for security is just asking for trouble.  Then again, I personally think it is also partly the fault of the providers for lulling customers into a false sense of security with their internet connected devices, stating that their hardware will make their system secure.

Nothing is immune from being hacked or broken into (this old quote comes to mind: "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."). Be it your computer, your house, car, etc.

One of the reasons why you need to have security in depth -- the layering of defenses, each one another roadblock to hopefully make it a bit harder to gain entry/access.

(Quote from: http://spaf.cerias.purdue.edu/quotes.html

This quote is about security of computer systems. It appeared in "Computer Recreations: Of Worms, Viruses and Core War" by A. K. Dewdney in Scientific American, March 1989, pp 110. It was later misquoted in the book @Large: The Strange Case of the World's Biggest Internet Invasion by David H. Freedman and Charles C. Mann. (The misquoted version refers to titanium and nerve gas -- I never said anything like that.) The original quote is: The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.)

I also like this quote as well:

Quote
Secure web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police.

There are some good analogies from the same person here:
http://homes.cerias.purdue.edu/~tripunit/spaf-analogies.html

I like #20, 21, 37-39 -- when taken in the context of my security rant above. :)
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: garrettwp on August 14, 2013, 10:56:09 pm
Yup, the quotes are great. I always go by, if it's powered on and connected, it's vulnerable.

- Garrett

Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: redwood on August 15, 2013, 05:43:37 am
The research paper and Z-Force tool that we presented in BlackHat 2013 USA conference are now online :

http://research.sensepost.com/conferences/2013/bh_zwave
http://research.sensepost.com/tools/embedded/zforce
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: oTi@ on August 15, 2013, 08:02:31 am
Very cool. 8)

Looks like the U.K. researchers supplied firmware for the Z-Force tool on the EU frequency (for now).
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: Z-Waver on August 15, 2013, 08:36:33 am
@Redwood - Excellent work! I was mildly disappointed to not see disclosure of which lock/manufacturer you attacked. I sincerely hope that this is due to you continuing to work with and pressure Sigma and the manufacturer involved. I hope that it is device specific, but I suspect that manufacturers aren't doing their own development and are relying on Sigma, so the problem may be pervasive.

In any case, the release of the Z-Force tool now makes it trivial to play with/against unencrypted devices, such as my previously described garage door, activated using standard relay switches. It behooves the user to consider the risks to every device that they connect and to be very careful to avoid "risky" installations. Unintended activation of a light may not be a risk, but I know that some people are connection loads that really should only be operated manually, when under user observation. With the availability of Z-Force, these installations just became potentially very dangerous.

I hope that this encryption vulnerability is limited and is addressed quickly, but it is my further hope that Z-Wave device manufacturers will shift to using encryption for all devices. If not, Z-Wave is doomed.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: redwood on August 15, 2013, 10:03:39 am
Thanks @Z-Waver. As you may have noticed, the public version of the Z-Force tool does not include the door lock module in order to prevent possible misuse. Due to time and resource constraints, we were not able to test all available Z-Wave door locks. However, Sigma Designs has told us that they have tested all the certified Z-Wave door locks for the key reset vulnerability and only a limited number of door locks from a single manufacturer were vulnerable to this attack.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: SOlivas on August 15, 2013, 08:24:42 pm
Thanks @Z-Waver. As you may have noticed, the public version of the Z-Force tool does not include the door lock module in order to prevent possible misuse. Due to time and resource constraints, we were not able to test all available Z-Wave door locks. However, Sigma Designs has told us that they have tested all the certified Z-Wave door locks for the key reset vulnerability and only a limited number of door locks from a single manufacturer were vulnerable to this attack.

Hmm, I hope we can find out so we can upgrade the firmware on the locks (if possible).  I wonder what vendor took a shortcut on their implementation?

Then again, if we do find out and people don't fix their locks, well......



Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: redwood on August 18, 2013, 04:50:10 am
Very cool. 8)

Looks like the U.K. researchers supplied firmware for the Z-Force tool on the EU frequency (for now).

The current Z-Force firmware only supports the EU freq. We would add US freq support in the mid-September release.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: SOlivas on August 31, 2013, 02:06:04 am
Awesome!  I'm looking forward to this update.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: robertloll1 on November 02, 2013, 05:36:58 am
I have seen video of Behrang Fouladi hacking a Taiwan-made Z-Wave door lock sold in the EU market. Very impressive and a little frightening. I won't name the manufacturer, but to my knowledge, the door lock is not sold in the US. It was not a Yale door lock as I have seen speculated.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: benr on November 13, 2013, 11:55:49 pm
Wow, and I was about to buy the 2gig garage door opener too. Not now. Just going to stick to sensors and switches.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: HouseBot on November 14, 2013, 08:14:09 am
Is this bug in all Z-Wave devices or only in this specific door lock? I thought you always have to press the include button (as a maniac) before you can include any device, but it appears in the video that he does not need to press the include button on this specific door lock.
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: oTi@ on November 14, 2013, 08:33:55 am
My understanding is this is specific to the firmware in this door lock, not a generic issue. But you'd have to test all door locks, to find if other manufacturers made similar mistakes.

I think the key is that the door lock is still included, but the controller can renegotiate a new key. The door lock shouldn't allow this, if a key was previously established, i.e. the door lock has not been previously excluded.
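
Added example, not part of the original post and not code from any lock's firmware: a simplified C model of the rule described in the post above, where a lock that already holds a key refuses a new one until it has been excluded and re-included. The `lock_node` struct, the function names and the sample keys are hypothetical, and no real Z-Wave frame format is modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16
/* Hypothetical, simplified lock model; not real Z-Wave frame handling. */
typedef struct {
    bool included;            /* node currently belongs to a network */
    bool key_established;     /* a network key was already accepted */
    uint8_t net_key[KEY_LEN];
} lock_node;

static const uint8_t KEY_A[KEY_LEN] = {0x11}, KEY_B[KEY_LEN] = {0x22}; /* constructed */

/* Inclusion and exclusion both start from a clean state with no key. */
void lock_include(lock_node *n) { memset(n, 0, sizeof *n); n->included = true; }
void lock_exclude(lock_node *n) { memset(n, 0, sizeof *n); }

/* check_state=false models the flaw; true refuses a second key while included. */
bool key_set(lock_node *n, const uint8_t *key, bool check_state) {
    if (!n->included || (check_state && n->key_established))
        return false;
    memcpy(n->net_key, key, KEY_LEN);
    n->key_established = true;
    return true;
}

/* True if the first key is still in place after a second key-set arrives. */
bool key_survives_rekey(bool check_state) {
    lock_node n;
    lock_include(&n);
    key_set(&n, KEY_A, check_state);
    key_set(&n, KEY_B, check_state);
    return memcmp(n.net_key, KEY_A, KEY_LEN) == 0;
}

/* True if exclusion then re-inclusion lets the checked lock take a new key. */
bool rekey_after_exclusion(void) {
    lock_node n;
    lock_include(&n);
    key_set(&n, KEY_A, true);
    lock_exclude(&n);
    lock_include(&n);
    return key_set(&n, KEY_B, true) && memcmp(n.net_key, KEY_B, KEY_LEN) == 0;
}

int main(void) {
    return (!key_survives_rekey(false) && key_survives_rekey(true)
            && rekey_after_exclusion()) ? 0 : 1;
}
```
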
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: robertloll1 on November 16, 2013, 12:43:24 am
The Fouladi hack seemed wholly unique to the particular door lock.  I believe that he exploited a particularly poor implementation of the Z-Wave protocol by the EU lock manufacturer.  I would not worry about US lock manufacturers.  I have two Schlage Z-Wave locks.  However, for interesting reading take a look at the research paper presented at the BlackHat 2013 USA conference:

http://research.sensepost.com/conferences/2013/bh_zwave
http://research.sensepost.com/tools/embedded/zforce
Title: Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
Post by: cjshim on September 09, 2015, 01:44:47 pm
A very simple solution would be to rent a web server or get a free web page, then simply have Blue Iris FTP cam pictures every 30 (or how often you like) seconds to it. Keep all your ports on your home system closed, secure the web server you are renting with a user name and password or HTTPS, and just view the cam pics there.