Reverse Engineering and Security Review of Vera


(Carlos Perez) #1

Interesting articles on how a group of interns reverse engineered and attack the Vera solution and came up with attacks against it:


Have a fellow security researcher who is about to release a very nice toolkit for sniffing and fuzzing Z-Wave that he will present in a con soon.


(Edward Pope) #2

Thanks for the info, I know that the standards are not super secure. I also know that with these techniques that homes are vulnerable. The sad thing is, that there is never going to be 100 percent assurance of security. Even if you have guards etc, there are always ways around anything done to secure the home.


(Carlos Perez) #3

yep, specially since the change I think in 2013 of some lock vendors to the newer less vulnerable version of Z-Wave http://www.youtube.com/watch?v=gn-amPvXn6M Yale and others where not vulnerable, when it comes to vendors it is best to go with known dedicated brands for locks. Starting to see more and more research done on attacks against this systems and right now the cost to entry is around $150 in HW to attack Z-Wave and around $50 for Zigbee. Will we see soon crooks using this? I doubt it but for companies who may be targeted directly by competitors or other types of attackers with more time, money and motivation this should be part of their risk matrix


(Beckwith) #4

I tend to think SmartThings would be less vulnerable to man-in-the middle attacks because their SSH keys are from a “trusted source” in the cloud. However, the stated hybrid goal of hub 2 makes it more likely a lazy engineer stores them locally.

I hope SmartThings get hub 2 security audited by a reputable third party. Even the best engineer can compromise security for expediency.


(Carlos Perez) #5

I worry more about SE attack, I once had chat support change setting on my hub and only info they asked from me was my email address, I was hoping they would ask more questions or send a push notification to my phone to prove my identity. Not all attacks have to be cyber but meat space attacks are also posible. v2 should provide even more security since the cloud will not be 100% needed something like disconnecting internet or flooding the internet connection with packets will not affect it.


(Beckwith) #6

@darkoperator

I agree social engineering is more likely vulnerable. I would feel much more comfortable if SmartThings added two factor authentication.

Hub 2 should be less vulnerable to denial of service type attacks, but in my opinion, the complexity of a hybrid architecture opens them up to further mistakes. During testing and debugging of a hybrid architecture, an engineer needs to remove certain security tools. They often create backdoor code that they intend to remove before releasing to production. However, in my experience, this removal is often neglected. With a properly designed cloud solution, back door code isn’t required and thus can be secure from the start.

As home automation becomes more ubiquitous, it will be more tempting for nefarious hackers to compromise. I wouldn’t doubt hub 1 is not buttoned up tight. SmartThings may have to step up their game so to speak with hub 2, however. Security is a continuing process and requires a “security attitude” from top to bottom to be successful.

You can often tell if a company has the wrong attitude when they attempt to shrug off exploits. So far I don’t see that with SmartThings, but time will tell.


(Carlos Perez) #7

this made me sad https://www.ssllabs.com/ssltest/analyze.html?d=graph.api.smartthings.com&s=184.73.200.185 seem ST is not using the best SSL config and is even vulnerable to a MITM attack


(Beckwith) #8

Most look easy to remedy.

@ben are you checking this out?


(Ben Edwards) #9

We have been looking into several of the fixes brought up in that report. We are continually looking for ways to make SmartThings more secure and even routinely pay external consultants (white hat hackers) to push us more and point out vulnerabilities.


(Charlie Treadwell) #10

Symantec Cybersecurity here…

I’m working with one of our white hat hackers to create a position paper on IoT and security. As a smart home owner, we used my Smart Things to show him what could be controlled if my account was compromised. It’s not good.

You guys really need to turn on two-factor authentication immediately. This is a simple addition to your product that will make all users who enable it virtually unhackable, and would defend against the social engineering attacks mentioned above.

Regardless of SE attacks, with Shellshock (bash bug), Sandworm (OLE), Poodle (SSL), and the recent acquisition of usernames and passwords (including millions from gmail), my account could be compromised if someone tried my gmail as username, and one of my passwords that is probably floating around on the black market. Luckily, I use unique passwords on every website, but 99% of people do not.

I’m happy to bring some of my researchers in to help you guys, but really, just turn on 2FA and make sure your SSL certs are up to par (we can help with that too). It’s time for you guys to take security seriously. You can’t afford to be the next headline, and none of us will tolerate being hacked or burglarized for that matter.

Cheers,

Charlie


(Convinced ST will never be unbroken…) #11

Another vote for 2FA.


(Chrisf) #12

Was the z-wave vuln supposed to be presented at GRRCon? I noticed a home automation talk scheduled a few months ago, but it disappeared on the official schedule I received at the event.


(Carlos Perez) #13

No clue I do know Josh Wright is working on a tool set and demo against several Z-Wave devices that he has been using in his current engagements, no clue when he will make all of that public.