Pwning a house


Badly configured home automation systems are easy to locate using Google, and once you discover them, you can seize control of a stranger's entire home: "lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices." The manufacturers blame their customers for not following security advice, but even "enthusiast" customers who think they've locked down their networks are sometimes in for a nasty surprise.

Insteon chief information officer Mike Nunes says the systems that I’m seeing online are from a product discontinued in the last year. He blamed user error for the appearance in search results, saying the older product was not originally intended for remote access, and to set this up required some savvy on the users’ part. The devices had come with an instruction manual telling users how to put the devices online which strongly advised them to add a username and password to the system. (But, really, who reads instruction manuals closely?)

“This would require the user to have chosen to publish a link (IP address) to the Internet AND for them to have not set a username and password,” says Nunes. I told Nunes that requiring a username/password by default is good security-by-design to protect people from making a mistake like this. “It did not require it by default, but it supported it and encouraged it,” he replied.

In Thomas Hatley’s case, he created a website that acted as the gateway for a number of services for his home. There is a password on his website, but you can circumvent that by going straight to the Insteon port, which was not password protected. “I would say that some of the responsibility would be mine, because of how I have my internal router configured,” says Hatley, who describes himself as a home automation enthusiast. “But it’s coming from that port, and I didn’t realize that port was accessible from the outside.”

The company’s current product automatically assigns a username and password, but it did not during the first few months of release — which is one of the products that Trustwave’s Bryan got. If you have one of those early products, you should really go through with that recall. Bryan rated the new authentication as “poor,” saying that cracking it would “be a trivial task for most security professionals.”

When 'Smart Homes' Get Hacked: I Haunted A Complete Stranger's House Via The Internet [Kashmir Hill/Forbes]

Unlock your doors with an iPhone

Here's a $149 gadget that you can mount over a door's deadbolt so you can turn the knob via your iPhone.

Lockitron is an attachment you can place on the back of any deadbolt lock in your house that allows you to lock and unlock it remotely via your smartphone. Better than that, if you have your iPhone 5 in your pocket when you approach a Lockitron deadbolt, you don’t even have to use your iPhone because it will detect you via Bluetooth 4.0 and unlock automatically.

You can share access to your lock with friends and family so that if you’re not at your house and want to let them in you don’t have to worry about getting them an extra key. The sharing access feature makes it perfect for Airbnb customers.

Cult of Mac: Lockitron Wants To Replace Your House Keys With Your iPhone 5

Wi-Fi controlled power outlet makes home automation easy

Steven Sande of The Unofficial Apple Weblog reviewed the Belkin WeMo Home Automation Switch and says it works well with If This Then That (IFTTT.com).

If you've never used IFTTT before, give it a try. There are currently 50 "channels" on IFTTT, with everything from Twitter and Facebook to ESPN and weather. You create "recipes" that perform a certain action if a specific trigger is met. For example, I use a recipe that tweets the URL of every post that I write on TUAW from my Twitter account.

What does this have to do with WeMo? Well, there are IFTTT channels for the WeMo motion detector and switch. This opens up all sorts of possibilities. Say you want to receive a text message whenever your cat uses the litter pan. You set up a motion detector next to the litter pan, and every time el gato feels the need to go, you get tweeted.

There are even wilder things you can set up. Plug a fan into a WeMo switch, then set up an IFTTT recipe to turn the fan on if the local outside temperature goes above 85° F (I tried this -- it works). Have IFTTT call you whenever someone enters the house (it works). And if you want to shut that fan off, you can either write another recipe or just use the WeMo app to shut it off remotely.

Read Sande's complete review: Belkin's WeMo: iPhone-based home automation with a taste of IFTTT