Security Review: Wireless Home Automation Systems

By chernyak at 10:57 pm on March 17, 2008 | 4 Comments

Summary: Home automation systems aim to give home owners a “smart” house. Instead of light switches you have integrated panels that control everything from your lights to your shades, entertainment system, climate control, alarm system, motorized locks, and so on. Some systems, such as those offered by Control4, use wireless communication between the panels and the devices they control, and some also integrate with cell phone applications. One of the selling points for these systems is that they improve security.

Assets

– The security of your home.

– The proper and desired functioning of your home automation system.

Adversaries

– Any malicious individuals wanting to gain access to your home by exploiting home automation.

– Vandals or pranksters who wish to disrupt the functioning of your home automation system.

Weaknesses:

– Commands travel wirelessly from the control panels in your home to the devices they control: security cameras, motorized locks, the alarm system, or something as benign as climate control. As far as public information goes, the communication uses Z-Wave, a documented protocol for appliance networking, which means the devices in the home are exposed to outside interference and injected signals. Z-Wave groups devices with a 32-bit “home ID”: every device is marked with it and only acts on frames carrying the same ID. The home ID is a network identifier, not a secret. It is sent in the clear in every frame, so anyone with a receiver in range learns it, and the specification itself notes that an attacker could easily forge the home ID and join the network of Z-Wave devices. Even if some form of cryptography is layered on top, if it is not done properly it will be susceptible to replay, man-in-the-middle, and all the other classic attacks.

– Furthermore, the cell phone application can take one of two forms. Either it is a web application that a user with a data-enabled mobile device reaches through a browser, in which case it has to be held to the same security standard as any web app (except that here alarm systems and security camera feeds sit behind it), or it is an application that somehow authenticates the user by means of the phone itself. In the latter case, the only identifying information conceivably available is what is stored on the SIM card, and as we have already seen, SIM cards can be cloned!

Defenses:

– Real security with good cryptography MUST be used for appliance networks: a key per device, authentication of every command under that key, and a freshness mechanism (a counter or nonce) so that an overheard command cannot simply be replayed. Luckily none of this is new; the same problems were solved for computer networks long ago 🙂

– I question the wisdom of exposing resources as sensitive as security camera feeds through web applications that are reachable from the Internet. The chances are that there is a security flaw somewhere, and then an attacker can see inside your house.
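The weakness and the defense above, as an added example that is not part of the original post and not Z-Wave's or Control4's actual frame format or security layer: a constructed lock receiver that trusts nothing but a cleartext home ID, beside one that requires a tag under a per-device key and a strictly increasing counter. The frame layout, the command codes and the names (PlainLock, AuthLock, AuthController, demo) are assumptions made for the illustration. The hardened version authenticates commands and stops replay; it does not encrypt them, which a real design would add under the same per-device key.

```python
import hashlib
import hmac
import os
import struct

# Constructed command codes for this example (not any vendor's real codes).
CMD_LOCK = 0x01
CMD_UNLOCK = 0x02


def build_plain_frame(home_id, node_id, command):
    """Weak frame: 32-bit home ID, 8-bit node ID, 8-bit command, all in the clear."""
    return struct.pack(">IBB", home_id, node_id, command)


class PlainLock:
    """Receiver whose only access control is a matching home ID."""

    def __init__(self, home_id, node_id):
        self.home_id, self.node_id = home_id, node_id
        self.unlocked = False

    def receive(self, frame):
        home_id, node_id, command = struct.unpack(">IBB", frame)
        if home_id != self.home_id or node_id != self.node_id:
            return False  # not addressed to us, ignored
        self.unlocked = command == CMD_UNLOCK
        return True  # accepted and acted upon


# Hardened frame layout (assumed): home_id | node_id | counter | command | tag
AUTH_HEADER = ">IBIB"
TAG_LEN = 8


def auth_tag(key, header):
    """Truncated HMAC-SHA256 over the whole header, so no field can be altered."""
    return hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


class AuthController:
    """Sender holding a per-device key and a monotonically increasing counter."""

    def __init__(self, home_id, node_id, key):
        self.home_id, self.node_id, self.key = home_id, node_id, key
        self.counter = 0

    def build_frame(self, command):
        self.counter += 1  # fresh per frame; must survive reboots in practice
        header = struct.pack(AUTH_HEADER, self.home_id, self.node_id, self.counter, command)
        return header + auth_tag(self.key, header)


class AuthLock:
    """Receiver that checks the tag under the shared key and rejects stale counters."""

    def __init__(self, home_id, node_id, key):
        self.home_id, self.node_id, self.key = home_id, node_id, key
        self.last_counter = 0
        self.unlocked = False

    def receive(self, frame):
        hdr_len = struct.calcsize(AUTH_HEADER)
        if len(frame) != hdr_len + TAG_LEN:
            return False
        header, tag = frame[:hdr_len], frame[hdr_len:]
        home_id, node_id, counter, command = struct.unpack(AUTH_HEADER, header)
        if home_id != self.home_id or node_id != self.node_id:
            return False
        if not hmac.compare_digest(tag, auth_tag(self.key, header)):
            return False  # forged, or tampered with in transit
        if counter <= self.last_counter:
            return False  # replay of a frame we have already acted on
        self.last_counter = counter
        self.unlocked = command == CMD_UNLOCK
        return True


def demo(home_id=0xC0FFEE01, node_id=0x05):
    """Run the same attacker moves against both designs; report what opened the lock."""
    out = {}
    # Weak design: overhear one unlock, replay it, then forge with the learned home ID.
    lock = PlainLock(home_id, node_id)
    overheard = build_plain_frame(home_id, node_id, CMD_UNLOCK)  # owner unlocks
    lock.receive(overheard)
    lock.receive(build_plain_frame(home_id, node_id, CMD_LOCK))  # owner locks again
    out["plain_replay_opens"] = lock.receive(overheard) and lock.unlocked
    learned_home_id = struct.unpack(">IBB", overheard)[0]  # read straight off the air
    lock.receive(build_plain_frame(home_id, node_id, CMD_LOCK))
    forged = build_plain_frame(learned_home_id, node_id, CMD_UNLOCK)
    out["plain_forge_opens"] = lock.receive(forged) and lock.unlocked
    # Hardened design: the same moves fail, and the owner's next command still works.
    key = os.urandom(32)  # assumed to be provisioned out of band at pairing time
    owner = AuthController(home_id, node_id, key)
    alock = AuthLock(home_id, node_id, key)
    overheard = owner.build_frame(CMD_UNLOCK)
    alock.receive(overheard)
    alock.receive(owner.build_frame(CMD_LOCK))
    out["auth_replay_opens"] = alock.receive(overheard) and alock.unlocked
    intruder = AuthController(home_id, node_id, os.urandom(32))  # knows the home ID, not the key
    out["auth_forge_opens"] = alock.receive(intruder.build_frame(CMD_UNLOCK)) and alock.unlocked
    out["auth_legit_opens"] = alock.receive(owner.build_frame(CMD_UNLOCK)) and alock.unlocked
    return out


if __name__ == "__main__":
    for name, opened in demo().items():
        print(f"{name:20s} {opened}")
```

Against the plain receiver both moves succeed: the replay of the overheard unlock, and a forgery built from the home ID read out of that frame's header. The hardened receiver rejects both and still accepts the owner's next frame. Two practical points follow from the code: both sides must persist the counter, or a reboot re-opens the replay window, and the key has to be per device so that recovering one lock's key does not open every lock of that model.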

Risk Analysis:

I think the risks here are quite real. Individuals with such expensive integrated home automation systems probably have very nice houses, and these systems can in fact give potential adversaries additional avenues of attack, over the air and over the Internet, that a conventional lock and alarm do not offer.

Conclusion:

I am not trying to say these systems are “bad.” I think the idea is extremely cool, but boasting about how they improve security seems strange when they may in fact only have weakened it.

Filed under: Physical Security, Privacy, Security Reviews

4 Comments

  • 1

    Comment by Rene Schickbauer

    March 21, 2008 @ 4:02 am

    Conrad Elektronik (Austria, Germany) has a very popular system called “FS20”, which uses 16-bit house codes and an 8-bit device ID.

    This system is often used to switch lights, open the garage door and control the alarm system.

    The interesting part is that there are transmitters available that can be used via serial port (including setting both codes). Nice for a simple brute-force attack like this (even if you don’t have a receiver):
    As this isn’t a 24-bit “code” but rather two codes that can be set independently, a user will most likely set the house code to some random number and start the device numbers at 0 or 1. So all you really have to try is a 16-bit code and very few variations of the device number at first (which could amount to a 19-bit code). This effectively means you can use a laptop to brute-force the house code and THEN iterate over all devices.

    Now, let’s assume that there are very few FS20 systems in the vicinity of the target (or none at all). It is therefore reasonable to assume that, given the non-existence of neighborhood interference, the owner will leave the house code at its (documented) default and only iterate over the device numbers. This amounts to only 256 possibilities.

    Now, given the goal of disabling the alarm and entering through the garage, an attacker would have to transmit a few thousand sequences at most, if the exact type of the systems used (and therefore the command required) isn’t known and the commands are not standardized between devices of different manufacturers.

    There is even the problem of a possible master key (maybe manufacturer dependent) to bypass the normal “security” in case the original remote control is lost or broken. In this case, only very few commands need to be sent.

    All in all, circumventing these systems could be done with a simple (original) transmitter module, a microcontroller and a case to put all the parts into a small handheld device that could possibly open the garage door and disable the alarm in a matter of seconds.

  • 2

    Comment by Bovey King

    May 5, 2008 @ 3:54 pm

    A family system, a computer or a simple LAN, used to be just an out-bound connection node, from which family users initiated only out-going requests to download music, upload pictures or just surf the web.

    But things have changed recently with the evolution of embedded systems and the expansion of IP-based services. The family system now starts to take in-bound connections to handle requests. Typical applications for such in-bound connections can be found in P2P games, VoIP and IP video surveillance.

    Take IP video surveillance as an example: a web server running in an embedded device serves the in-coming requests for real-time video, snapshots, recorded images or administration tasks. A service is supposed to be more vulnerable than a non-service application because it will open more ports and take in information from outside, which can be malicious.

    An embedded device running open services such as ftp or web, deployed in a family environment, can impose a great security threat on regular family users. The reasons can be briefly summed up as follows:

    1. The family system is the least protected end point in the WWW world. No professional system admin, no commercial-grade firewall, no password and security policy.
    2. Family users are regular users without much knowledge of how to protect their network or how to detect an attack.
    3. Most services running in embedded systems are implemented loosely, without security in the first place.
    4. For an embedded system, end-to-end protection of the connection channel is impossible. Standard SSL just does not work for embedded systems; the reason is that no one will pay for and update a certificate after the device is shipped.

    No matter how an IP camera brags about its security features, it can very easily be tampered with if somebody really wants to, because if there is no protection of the whole transport channel, the device is regarded as having no protection. The same goes for other embedded devices with open services running.

    However, the security flaw for embedded devices is not really as significant as it sounds. The reason is the limited ability of an embedded system: a tampered embedded system won’t be as harmful as a desktop system.

  • 3

    Comment by hypotheek

    May 22, 2008 @ 5:10 pm

    There are some valid points already raised. But I think that, as in many other “security” projects, the idea of safety is interpreted from a personal and not an objective view.

    A lot of IP cams are not installed correctly, leaking data or just not covering the area as they should. BUT here in Europe it DOES give a lot of people a feeling of safety that is sometimes worth a lot.

  • 4

    Comment by Zoe Hellar

    November 5, 2008 @ 2:22 am

    The commercial aspect of security also needs to be taken out. Margins are not good in this industrial sector and so-called engineers will be tempted to make a quick buck, putting electronic and digital technology into disrepute.
    Zoe
