Haunted Hacker Homes

This article excerpt, written by Thomas Fox-Brewster, originally appeared here: http://ow.ly/Q3yWD

In modern houses, it doesn’t take a poltergeist to turn lights on and off, unlock doors or send a shiver down occupiers’ spines anymore. Hackers have numerous avenues into people’s properties thanks to growing numbers of connected machines managing residential environments.

Today, a slew of vulnerabilities in so-called “home automation” technologies, which provide an easy way to access all connected machines in a house from the web or a smartphone app, were revealed. They would have allowed anyone, even someone with close-to-zero technical ability, to infiltrate properties from anywhere on the planet.

Two of the flaws reside in software from Honeywell, of Morristown, NJ, one of the biggest technology manufacturers in the US. According to Maxim Rupp, security researcher at German firm Cure53, it’s remarkably simple for anyone to access others’ Honeywell Tuxedo Touch web interfaces, used to control all connected parts of the home, including cameras, thermostats, lights, locks and shades. That’s because of some seriously slack authentication, says Rupp.

He told FORBES an attacker could send a request to a specific page on the Tuxedo Touch interface, such as the one used to lock the doors, and when the device asked for a username and password, the attacker could simply ignore the demand (by intercepting and dropping requests containing the string “USERACCT=USERNAME:_,PASSWORD:_,”) and access that page. As it’s possible to scan the web for Tuxedo Touch devices to find the related web interface, anyone could easily find and attack a Honeywell-powered home where patches haven’t been applied.

That was one gaping hole, but there was another, known as a Cross-Site Request Forgery (CSRF) vulnerability. This meant that an attacker could send a seemingly innocuous link to a user of Honeywell’s tech that would force them to launch actions on Tuxedo Touch, though the victim would have to be logged in at the time.

As Rupp noted, both flaws would allow an attacker to take control of connected components, such as doors, temperature regulation and security cameras. The authentication vulnerability, which didn’t require any interaction between the attacker and the victim, is evidently the more perturbing of the two.
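The two weaknesses described above have a common server-side remedy: decide authentication on the device before the action runs, and require a session-bound token on every state-changing request. The sketch below is an added example, not code from the article or from Honeywell. The function names, the `sid` cookie, the `csrf` form field and the `lock_door` action are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical handler for a home-automation web UI (not any vendor's code).
SERVER_KEY = secrets.token_bytes(32)  # assumed per-device secret
SESSIONS = {}                         # session id -> username, kept server-side

def login(username, password, check_password):
    """Create a server-side session only after the credentials verify."""
    if not check_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def csrf_token(sid):
    """Token bound to one session; a page on another site cannot read or guess it."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def handle_action(method, cookies, form, action):
    """Gate a state-changing action such as 'lock_door'; returns (status, body)."""
    # 1. Authentication is decided here, on the server. A client that drops or
    #    ignores a credential prompt simply has no session and gets 401.
    sid = cookies.get("sid", "")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "login required"
    # 2. State changes are accepted only as POST, never from a plain link.
    if method != "POST":
        return 405, "use POST"
    # 3. The request must carry the token tied to this session, so a forged
    #    cross-site request from a logged-in user's browser is rejected.
    supplied = form.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(sid).encode()):
        return 403, "bad CSRF token"
    return 200, f"{action} executed for {user}"
```
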

Rupp believes most vendors working on home automation technology “unfortunately set their main focus on non-security related issues”. “This is partially due to the growing competition on the market, resulting in even more neglect of security issues in favour of new features,” Rupp added.