Hacking Home Automation - Blackhat USA 2013


(Darryl) #1

During the upcoming BlackHat USA 2013, there is a presentation on hacking home automation. In the below article, it also covers vulnerabilities in z-wave and zigbee. The article doesn’t go into much detail about what hacks were discovered—but it does bring concern.


(Jason D) #2

That’s my paranoid reason why I don’t use Z-wave locks. Heck, I don’t even use single cylinder deadbolts. If someone breaks a window to get in my house I want them to have to use that window to get back out. Not be able to open the door.

But seriously, the “hackability” of the cloud is what worries me more than Z-wave or Zigbee vulnerabilities. If someone wants to find a way to hack into Z-wave and turn my lights off and on, thankfully that’s only annoying and not disastrous.


(Cory S) #3

Eh, I’m kinda the other way on the locks. If someone wants in my house they will get in, and they will get in far easier than hacking my Z-Wave and encrypted deadbolt. I also think the type of people who typically break into houses are very unlikely to be hacking home automation signals. Locks are just for keeping honest people out IMO.

I am interested to see what comes up at Blackhat though. I figured a shakeup was coming as the platforms got more popular. I think the presence tags we use on our systems, and many use to lock/unlock their doors are probably incredibly insecure also.


(Jason D) #4

It’s actually not the radio in the locks that bothers me, it’s the “connectedness” of them. If someone was able to hack the SmartThings cloud, the most they would control in my house is lights, some outlets and the air conditioning.

It’s actually the same reason I hope SmartThings devises a way to use the hub disconnected from their cloud (Amazon AWS) someday, though I doubt that day will ever come.


(Cory S) #5

Yeah, I have a lot of problems with the cloud setup as well. Not as much on the security front as on the reliability one. I just prefer to manage my own uptime and be responsible for it myself if there is an outage.

So far I really don’t see any benefit to the consumer on the cloud approach. They explained it off as a way for them to be able to do complicated algorithms like facial recognition with connected cameras. In my opinion that’s ridiculous. That kind of work could be farmed out to the cloud on a case-by-case basis, it doesn’t have to be all or nothing.

Then things like PRISM get uncovered, and you really don’t have to be a tinfoil hat connoisseur to feel a little creeped out when you install those cameras.

On the other hand the benefits for them are limitless. Can you imagine the datamining value?


(Jason D) #6

I was thinking the same thing, Cory. A GOLDMINE of people’s comings and goings, and location data, usage, etc.

I agree with you. As a former Homeseer user for almost 10 years, I like SmartThings and its simplicity A LOT. But I’d prefer to just manage it myself from my own home connection.


(Mj) #7

Yes, hacking is always a concern - but there are other ways to get into someone’s house as well. If they want in, they will get in. Period.

I love the functionality of my z-wave locks. It has added a high level of convenience, that I received the “wife stamp of approval” to purchase additional locks right away. It makes life so much easier when the deadbolt engages / disengages when you leave or arrive at home. It’s a trade-off with security / convenience.

Computers and other electronic systems are vulnerable to hacking too. But, your standard mechanical lock can be bumped or picked as well. I don’t see much of a difference when you compare the two.

As for the cloud - I too would like to have local control over my hub and its functions. I’m not a big fan of cloud computing, because when it rains, it pours.


(Darryl) #8

As far as I am concerned this probably will have to be handled more on the z-wave/zigbee level, than the SmartThings level. I would hope that the security between the SmartThings hub and the cloud is pretty secure… (Just bear with me on the assumption). In this case, the BlackHat event will hopefully trigger z-wave/zigbee to add additional security to the system. I only hope the hardware will still allow a bit of growth in that, and we won’t have to wait for a new version, and then wait for SmartThings to support it (or have a new version to support it).

If people want to get in my house, sure…they will find a way. But in all honesty, many thieves don’t want to make a loud noise, and won’t focus on a single house too long. But if they can wardrive, send a signal and know they can just walk on in—I am sure they are going to do just that. I know for my neighborhood, it’s unlikely they will break into my house through glass (And having 2 wolf-dogs and a loud golden retriever mix helps with the security), but that would change if the door is already unlocked (minus the dogs).

Perhaps someone from the SmartThings can chime in as we continue to discuss this all, and learn what is found next month…


(Cory S) #9

Personally, I think Z-Wave locks are more secure…even if they were to get exploited. If I give someone a key, say a housekeeper or a friend, I would have to change my locks to be sure they didn’t make a copy of it and could still get into my house…if I ever got the key back at all. Now, I can either provide them a code I can revoke, or I can simply have them call me when they arrive and unlock it remotely.

IMO it’s the same argument on Google Wallet and other contactless payment systems and all the commotion on if it is NSA level secure. No, it probably isn’t…but neither are your credit cards, heck those things are clear text to the point of advertising it on the front of the card.

Yeah the thought of a thief wardriving a neighbourhood is troubling…but think for a second about the type of people who commonly commit those types of crimes. They are usually the types who would have trouble setting up a Facebook account, let alone wardriving a neighbourhood.

But, as I’ve mentioned before…the door lock at my house is there for their protection anyway :stuck_out_tongue:


(Jason D) #10

Like I was saying before - In order to pick a lock someone has to be here - on hidden camera which is getting fed to me by motion. So even though the locks I have are BumpStop (ASTM Grade 6) and they aren’t 100% impenetrable, it takes longer. I don’t give out keys either.

The network/wardriving (or a cohort over the phone doing the hacking, with someone on site doing the break in) angle - could be done from across the street, down the street, etc. and then they can just walk in. Someone can still break a window but the deterrent is the fact that if someone can’t open a door it’s less tempting for them to rob a house they have to climb into and take stuff out of a window, vs. one that they can just walk in and out of.

I have no desire to convince people to stop using Z-wave locks, I’d personally rather just keep my connected items to things non access related. I admitted before I have some paranoia about my access devices being connected to the internet :slight_smile:

Same reason years ago I disconnected the alarm system from the company and started monitoring it myself.

I work in software development/infrastructure of a SaaS (cloud application) and the biggest concern I have faced is not security, but loss of access to the system when there is an outage. This happened to us last year, when Amazon AWS (what ST uses as I understand) had a large outage. It’s pretty stable now with 99% something uptime. But it happened in 2011 - and again in 2012 - and took down Netflix, Instagram and Pinterest and our apps. Hopefully that’s a thing of the past now. I need to do some research about ST’s redundancy, because we are redundant on Microsoft Azure now, to prevent outages.

We can all put it this way though: NOTHING is hack proof. Someone can always find a way in. (Network or Physical). Someone can also bust a door down rather easily. Making things harder so they move on to another house or hopefully give up altogether, is the main point.

And - Cory: I echo your last sentence before, when I am home :slight_smile: Good discussion, guys.


(Cory S) #11

While I have access to firearms at home that’s not what I meant. I have two German shepherds who wouldn’t give me the chance haha. They already proved themselves at my previous rent house that was in a bad area I moved to until I found something better after taking a new job. The guy crowbarred the door open while I was at work and the neighbours told me the hilarious story on how they heard a scream then some shirtless guy running away…shirt was in Axel’s bed when I got home haha.


(Amanda S) #12

I’ve got to agree with Cory on this. If someone really wants into your home, they will always find a way. But I feel much more threatened by spare keys than z-wave locks. Keys can be misplaced, copied and misused. Give a key to the housekeeper or handyman? Who knows where all it’s been. Adding and removing user codes for integrated z-wave locks takes away that unknown. And for most people with z-wave locks the report doesn’t even apply (Read http://suretycam.com/can-hackers-unlock-my-z-wave-door-lock/). The questions for most people are what security measures are most appropriate for their situation, and what functionality is most important.


(Different Computers) #13

I sure hope there’s some sort of certificate based encryption between hubs and smartthings.com.

Without it, DNS spoofing/redirecting is a pretty straightforward exploit.

Anyone at Physical Graph care to comment?