Cyber poltergeist threat discovered in Internet of Stuff hubs
Hackers can turn your home into an unintentional rave – and there's nowt you can do
New security research has revealed a whole new area of concerns for the soon-to-be-everywhere Internet of Things – smart home hubs.
Hubs – devices that link into home networks to control lighting, dead-bolt locks and cameras – can be dangerously vulnerable to attack, according to security tools firm Tripwire.
Craig Young, a Tripwire VERT (Vulnerability and Exposure Research Team) security researcher, tested Wink Hub, Vera and SmartThings Hub (all smart home hubs), discovering a variety of issues in the process. The most serious issues affected Wink Hub and Vera.
El Reg contacted both vendors, who downplayed the significance of the findings and stated the testing was done on kit using old versions of firmware.
Kit from Vera displayed improper neutralisation of special elements used in an OS Command (CWE-78) and cross-site request forgery (CWE-352) problems. Equipment from Wink turned out to have similarly serious problems, namely improper neutralisation of special elements used in an SQL Command (CWE-89) and cross-site request forgery (CWE-352).
Left unresolved, both sets of flaws created a means for hackers to obtain remote root shell access with minimal user interaction. Wink has developed an update to block exploits against its hubs.
The SmartThings hub is vulnerable to improper certificate validation (CWE-295). This (less serious) security flaw potentially gives hackers unauthorised access to data flows to/from the hub which, in turn, might provide an entry point into the home network.
It's not ideal but the SmartThings risk is “minimal” compared with Vera or Wink because it is much harder to exploit, according to Tripwire’s Young.
“Despite the SmartThings Hub and Wink Hub being patched, this of course relies on the user to apply the patch so it is likely some users will remain vulnerable,” a Tripwire representative added.
Something strange in the network neighbourhood
Young provided a detailed explanation of how hackers might go about exploiting each appliance.
Vulnerable versions of Vera and Wink could be attacked through HTTP requests. These requests may come from a malicious web page (as demonstrated at IID on the Vera), a phone app on the LAN, or a malicious user on the LAN directly connecting to the vulnerable device.
In the case of Vera, the attacker can directly supply commands to run on the Vera’s embedded operating system. In the case of Wink, the attacker would inject SQL commands to trick SQLite into creating a PHP script on the device.
A subsequent request can then trigger execution of the PHP code with root permissions.
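The two Vera weaknesses described above (CWE-352 and CWE-78) can be closed at the hub's HTTP handler. The sketch below is an added example, not code from Tripwire or any of the vendors; it assumes the user already has an authenticated session, and the origins, the `hubctl` binary and all function names are hypothetical.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlsplit

# Assumed values: the hub's own web UI origins and a control binary (hypothetical).
HUB_ORIGINS = {"http://hub.local", "http://192.168.1.50"}
HUBCTL = "/usr/bin/hubctl"
SESSION_KEY = secrets.token_bytes(32)      # generated per device, per boot
DEVICE_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")
ACTIONS = {"on", "off", "status"}

def csrf_token(session_id: str) -> str:
    """Token bound to one session; a page on another site cannot read it."""
    return hmac.new(SESSION_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict) -> bool:
    """Refuse requests a browser sent on behalf of another site (CWE-352)."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False                        # state changes must name their origin
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" in HUB_ORIGINS

def build_command(device: str, action: str) -> list:
    """Allowlist the parameters and return an argv list, never a shell string (CWE-78)."""
    if not DEVICE_ID.fullmatch(device) or action not in ACTIONS:
        raise ValueError("rejected parameter")
    return [HUBCTL, "--device", device, "--action", action]

def handle(method: str, headers: dict, session_id: str, params: dict):
    """Return (status, argv); argv is only produced when every check passes."""
    if method != "POST":
        return 405, None                    # no state changes over GET
    if not same_origin(headers):
        return 403, None
    supplied = params.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return 403, None
    try:
        argv = build_command(params.get("device", ""), params.get("action", ""))
    except ValueError:
        return 400, None
    return 200, argv                        # caller runs subprocess.run(argv), no shell
```

The origin check only covers the malicious-web-page route; requests from a phone app or another host on the LAN are stopped by the session-bound token, which is why both checks are applied.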
Exploiting the SmartThings Hub certificate validation problem, however, would require the ability to intercept data from the hub to the SmartThings infrastructure.
Based on the deployment model of the hub, an attacker would need control of some portion of the network route between the hub and its ‘cloud’.
A successful attack would allow a hacker free rein on compromised Wink or Vera devices.
“On Wink and Vera an attacker who had successfully exploited the targeted device and gained root access could do absolutely anything that the legitimate product owner can do (i.e. monitor or control devices, change configurations, etc.),” Young told El Reg. “Additionally the root shell can be used as a pivot point to attack other computers on the home network or act as a zombie in a DDoS attack.”
The devices themselves are embedded platforms running Linux, and many communicate via ZigBee and Z-Wave radio technologies. Hackers might be able to access them through wireless connectivity development kits, which cost around $75.
Home hubs represent the same class of vulnerability as insecure routers while offering the added potential of allowing hackers to act like a “cyber-poltergeist” and mess with the controls in homes, an attack easier to carry out if miscreants were able to log onto the victims’ Wi-Fi network.
The whole thing is essentially a stalking risk, rather than a possibility that hackers might log into the devices remotely and unlock front doors in networked homes, or do other things that would make networked homes easier to burgle.
The Wink Hub uses the same crypto key on every device, according to Young.
"These devices are marketed to consumers and not designed with security in mind," he told El Reg during a meeting at the recent Infosec trade show.
El Reg spoke to Tripwire ahead of the full publication of its research. Tripwire has notified the affected vendors.
In response to a query from El Reg, SmartThings said it “was made aware of the issue in November 2014 and worked with a third party security firm to remedy it in full”.
Quirky, the company behind Wink Hub, confirmed that it had resolved the problem with older versions of its technology.
“We believe Tripwire may have been using an outdated version of our firmware as the vulnerability mentioned has been fixed,” a Quirky representative explained.
MiOS, the parent entity behind Vera, claims that the testing was done using an old 2012 version of their firmware. Any audit would only be meaningful if performed on a secured controller (users & account info/ unit settings/Secure Vera: enabled), a representative added. ®