Criminals Love Connected Homes
Posted by Chriss
Google, Microsoft and Apple are supporting technologies that make your home “smart” enough to be managed from your smartphone. You can turn on the sprinklers, set the heat, close the garage or program what time to automatically make coffee. But with all these “cool” conveniences comes the real risk that high-tech criminals are able to hack into the software to break into your home and do what they wish to you and your family.
For the high-tech burglar, this will take the “breaking” part out of breaking and entering; just tell the door lock to open and walk right in.
Wired homes represent hundreds of thousands of endpoints that criminal organizations or governments can hack. Very few people understand that those endpoints, if not regularly maintained and updated like a computer, will get compromised and stay that way for a long time.
Daniel Crowley and David Bryan of Trustwave SpiderLabs demonstrated at the most recent Black Hat how easy it is to hack into VeraLite, a popular $180 home automation product sold by Mi Casa Verde.
Crowley explained that VeraLite “has a web interface, but also UPnP (Universal Plug and Play Protocol) interface, which doesn’t take a user name and password. You can go on the network, ask if there are UPnP devices, it will respond and tell you all the things it can do. If I have access to your home network, then I have access to your home,” shortly before using a couple of keystrokes to open a door lock sitting on the table in front of him.
The VeraLite is not the only vulnerable program. Crowley and Bryan said they had tested 10 different products, “and only found one or two that we couldn’t manage to break. Most didn’t have any security controls at all.”
Mi Casa Verde’s founder and Chief Technology Officer Aaron Bergen did not respond to a request for comment. But Paul Roberts, writing in the Veracode blog, said Bergen told him by email that what Trustwave called vulnerabilities were “by design.” VeraLite is written so that the purchaser has “root access” to the software code so that “power users do all sorts of advanced things and want to have root access.” Consequently, once a hacker breaks into the system, he or she can also reprogram the software.
Bergen contended that Trustwave wanted Mi Casa Verde to “block our users from accessing their own Veras. But this would cause a furor among our community.”
But Crowley emphasized: “Having security controls on a product does not prevent people from using it. It prevents unauthorized people from using it. The vulnerabilities we found allow unauthorized users to control the VeraLite, either by gaining access to their home network or by convincing any person on the home network to visit a malicious webpage.”
The bottom line is that home automation systems, most of which include security features, are not secure. Even Lockitron, which won praise at Black Hat for the security built into its Wi-Fi-enabled front-door lock, is not bulletproof. The New York Times cited a company statement that while it built the lock with security in mind, “anyone claiming their system is ‘un-hackable’ is wrong.”
So far, these vulnerabilities do not seem to have prompted a rash of burglaries or other damage from hackers. In their video interview, Trustwave’s Crowley and Bryan said they were not aware of any home systems compromised by hackers yet.
But Kevin Mitnick, formerly described as the country’s “most-wanted hacker” and now head of Mitnick Security Consulting, said the risks of such systems are “nothing new, but there is new interest in them,” now that those systems are more common and increasingly connected to the Internet. He said the reality is that “a lot of them aren’t built for security, and the consumer can’t really do anything but rely on the manufacturer.” He said he wouldn’t own anything that connects to the Internet, “unless I could unplug it.”
Roger Thornton, Chief Technology Officer of AlienVault, agrees that they are vulnerable, but said they can be useful if consumers take security precautions of their own. “If you can’t set up a virtual private network (VPN) and run a security operations center (SOC), best to think twice about a modern connected home of the future,” he said.
Since most homeowners know far less about technology than their teenage children, you should be aware that connecting your home to the Internet to enjoy all the cool conveniences may also be an invitation to criminals, who often have superior knowledge of defeating the basic elements of network security.
Listen to Chriss Street and Paul Preston on “AGENDA 21 Radio”
Streaming Monday through Friday at 6-9 AM Pacific Standard Time