Pwning a house

Badly configured home automation systems are easy to locate using Google, and once you discover them, you can seize control of a stranger's entire home: "lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices." The manufacturers blame their customers for not following security advice, but even "enthusiast" customers who think they've locked down their networks are sometimes in for a nasty surprise.

Insteon chief information officer Mike Nunes says the systems that I’m seeing online are from a product discontinued in the last year. He blamed user error for the appearance in search results, saying the older product was not originally intended for remote access, and to set this up required some savvy on the users’ part. The devices had come with an instruction manual telling users how to put the devices online which strongly advised them to add a username and password to the system. (But, really, who reads instruction manuals closely?)

“This would require the user to have chosen to publish a link (IP address) to the Internet AND for them to have not set a username and password,” says Nunes. I told Nunes that requiring a username/password by default is good security-by-design to protect people from making a mistake like this. “It did not require it by default, but it supported it and encouraged it,” he replied.

In Thomas Hatley’s case, he created a website that acted as the gateway for a number of services for his home. There is a password on his website, but you can circumvent that by going straight to the Insteon port, which was not password protected. “I would say that some of the responsibility would be mine, because of how I have my internal router configured,” says Hatley, who describes himself as a home automation enthusiast. “But it’s coming from that port, and I didn’t realize that port was accessible from the outside.”

The company’s current product automatically assigns a username and password, but it did not during the first few months of release — which is one of the products that Trustwave’s Bryan got. If you have one of those early products, you should really go through with that recall. Bryan rated the new authentication as “poor” saying that cracking it would “be a trivial task for most security professionals.”

When 'Smart Homes' Get Hacked: I Haunted A Complete Stranger's House Via The Internet [Kashmir Hill/Forbes]

Notable Replies

  1. gths says:

    For some reason this got me thinking about pretend poltergeists.

  2. For some reason it got me thinking about the article Cory just posted about WaPo's "FUD-laden, inaccurate and hysterical story about "WiFi security risks" that appears to have been ginned up by publicists for "security companies" who rely on public fear to generate business."

  3. Could you possibly think of Poltergeists, because the author mentions Poltergeist in the second paragraph of the article? ;)

  4. quail says:

    Oh noes! If McAfee came preinstalled as the security for my automated house I run screaming! Sorry, can't connect to the porch cameras because a scan is being run on my HVAC. And I'd have to click the app on my phone every 5 seconds during the scan or it hangs up. That is unless I bought the pro version.

  5. As someone who's seen security cams owned firsthand, I cannot understand why anyone would have any web-enabled household appliances. You can't remember to cut off your own lights like every other generation of humans (whose lanterns might actually burn down the house instead of just running up a few cents on your bill?) Is the novelty value of firing up your hot tub with your phone worth it if, the next time you front on the neighbor's prick kid for blasting his stereo at 3am, he'll just turn around and blast yours at 3 am? what is the actual upside to any of this stuff? the positive return is diminished to nil in face of pwnage. even if you're leet enough to set it all up yourself, there's someone easily crowdsourced by your neighbor's prick kid who is more leet than you. none for me, thanks.
