
How to break a smart home, again - kushti
https://securelist.com/iot-hack-how-to-break-a-smart-home-again/84092/
======
nimbius
Speaking as a former HVAC/mechanical maintenance engineer, technology like
Nest is obscenely underdeveloped. Commercial HVAC systems like Liebert don't
get 5-6 strikes at the plate to figure out how to avoid shutting off a
customer's heat in the dead of winter. Screw up the HVAC in a nursing home or
elementary school, and you can kill people.

Honeywell's commercial offering should be the gold standard here in my
opinion. It's fully IPv6 and IPv4, and relies on time-tested probes and
monitors to determine what the hell is going on. You can't force it to
short-cycle motors until they burn up, and it can't be forced offline from the
control interface if environmental conditions are outside a certain range
(desert summer, for example). January's update even included EC25519 for
console and PFS support for the web interface. Best of all, if something is
egregiously screwed up in the system, it failsafes to a simple thermostat or
pulls settings from a cluster.

~~~
FLUX-YOU
>Commercial HVAC systems like Liebert don't get 5-6 strikes at the plate to
figure out how to avoid shutting off a customer's heat in the dead of winter.

There's more money to test in that side of the industry, I'd wager. Unless the
people developing commercial HVAC are simply better software/hardware
developers than consumer companies' solutions.

~~~
nitrogen
_Unless the people developing commercial HVAC are simply better software
/hardware developers than consumer companies' solutions._

Sometimes this is true, relative to the purpose at hand. Take a mediocre web
developer and ask them to build a smarthome system, and you end up with a wire
protocol of raw, unverified, unfiltered Python code in plain text, running
under eval() on a grossly underpowered microcontroller (true story, was fixed
eventually AFAIK, not naming names).

There's something to be said for the discipline that comes from working in a
resource-constrained hardware/software project. We could benefit from more
cross-pollination between industries, as long as experienced engineers are
sanity checking the resulting ideas (Python is not a protocol!).

------
Klathmon
Yet another article that went out and found the shadiest cheapest worst IoT
devices and extrapolates in headlines that the entire ecosystem is that bad.

Where's the analysis of Nest? Where's the pentesting of SmartThings? Where's
the article about how they tried 12 different ways to get into another
reputable brand?

Don't think for a second that I'm saying anyone should get a pass, they
shouldn't, but this to me seems like the equivalent of reviewing $3 luggage
locks and talking about how insecure they are, then concluding that all locks
are insecure and you shouldn't use them...

I will say that this article is better than most at keeping the criticism
specific to these devices (except for the headlines), but they don't name the
devices, so the analysis isn't doing any good (I still have no idea which
device it is, and therefore can't protect myself by not buying it...)

~~~
supergeek133
Completely agree with your points. Every time one of these articles comes out
it just fuels the FUD factor for Smart Home from reputable companies.

Especially in the last year or two when many of these articles focus on the
physical access exploits of cheaper manufacturers. If someone is going to
break into my house just to ransomware my thermostat, or upload new firmware
to my Gen 1 Alexa... someone needs to explain to me how there are not more
high value targets/things in either of those cases. Even for surveillance
purposes.

Hardware is hard. I think many small IoT companies have figured that out, the
larger ones have known it for a long time. Security is harder, but that's why
it's important to buy from someone reputable (e.g., the "default password"
fiasco on cheap DVR wired camera systems)

Disclosure: I work for a large consumer IoT company.

~~~
emiliobumachar
Think big. The latest and greatest in DDoS is botnets of compromised IoT
devices (as of a few months ago, I don't keep current). The nightmare
scenario, still theoretical, is to synchronize the activation and deactivation
of power-hungry processes to wreck the electric grid.

~~~
supergeek133
Yes, by a number of cheap devices with default passwords/firmware holes.
Multiple manufacturers, same (or same few) ODMs.

The same bad practices repeated over and over.

~~~
emiliobumachar
I agree that it's unfair to tar the whole field with the blunders of the worst
performers. But your comment I was replying to seemed to ask, "what's the
worst that can happen?". It's a valid question for physical access attacks,
but, once scalable remote exploits get into the picture, the worst that can
happen is very bad indeed.

------
lev99
> An interesting fact is that the bulb does not interact with the mobile
> application directly. Instead, both the bulb and the mobile application are
> connected to a cloud service and communication goes through it.

That convinces me to not buy a smart light bulb. The lifespan of an LED is ~30
years. The lifespan of an IoT/cloud company can be much shorter.

~~~
StavrosK
Buy a YeeLight, it has a local API. Mine can't even get to the internet.

~~~
lev99
Why is YeeLight worth $18? I usually spend $5 or less for LED light bulbs.
Where is the extra value?

Edit: Amazon sells a pack of 16 Philips 800 Lumen (brighter than YeeLight) for
$1.75/bulb. The light is brighter, the color temperature is the same, and it's
1/10th the price. Alexa, a smartphone app, and dimming isn't worth $16.25/bulb
to me.

~~~
gh02t
For some people dimming/color changes/automation features etc _are_
worthwhile. If you don't want that or the added cost isn't worth it to you
then of course it doesn't make sense to buy something like the YeeLight, but
if you do want that stuff then the $5 bulb is not an option. Smart bulbs are
more of a niche product than the current IoT frenzy lets on, but it's not fair
to totally dismiss their added functionality when comparing against a
traditional light bulb, even if it isn't your cup of tea.

Edit: also the projected lifetime of LED bulbs is usually quoted at 50000
hours, about 6 years, not 30. In practice it's 5-10 years. That's all LED
bulbs, not just smart ones, and is mostly down to heat causing the LEDs or the
power supply to fail.

~~~
lev99
> For some people dimming/color changes/automation features etc are
> worthwhile.

Who?

I'm not dismissing that there is a market, I'm dismissing that it's the type
of product that should be in most homes. I see the value added being worth
cost in smart vacuum cleaners, smart thermostats, and IP surveillance cameras
for the average home. I don't see a 10x value added for light bulbs.

You're correct about 50,000 hours. Most lights in my home are used less than 5
hours a day, which is the origin of my 30 year number. From my point of view I
think about owning an LED for 30 years, but when I communicate the lifespan of
an LED to the world I should use a more common measurement.

~~~
gh02t
It's worth it to me. I like having my lights automated to respond to my
schedule and coordinate with other sensors so that the lights come on and off
automatically, fade to keep light levels constant, adjust color temperature to
reduce blue light in the evening. For me, the real killer app is using them as
an alarm in the morning. I'm not a very good morning person and have trouble
waking up abruptly from an alarm, but I can use my lights to slowly fade on
and wake me up gently (I'm super sensitive to light so just the slow fade in
over 30 minutes is plenty to wake me up). I don't feel nearly as groggy in the
mornings waking up like that.

It's a luxury for sure, but it's one that appeals to some people. Smart lights
are definitely over-hyped however, they are far from essential.

~~~
lev99
> For me, the real killer app is using them as an alarm in the morning.

I use a window for that. If I didn't have access to sunlight I would consider
using bright dimmable programmable leds in my bedroom. Very good point.

~~~
gh02t
For me it's more of a time issue. I'm _really_ light sensitive, if I didn't
have the window blacked out I'd be woken up at dawn every day. I don't have to
get up that early for work, so instead the lamp does its thing. You can get
alarm clocks that do basically the same thing, but they're more expensive than
a smart bulb.

~~~
lev99
I wake up at dawn everyday. The only bad part is that I live on the 47th
parallel, so sunrise changes from 5am - 8am every year. Luckily my schedule is
flexible enough to accommodate this.

------
retSava
The connected lamp in the article is, one can read from the pics, the Xiaomi
Yeelight. I have a couple of those. They are wifi-connected and you use an app
to interact with them (by default). What you can do is to, in the app, enable
"developer mode" which enables a local-network interface. Then, you can
control them on the local network over TCP.

They have a really nice build quality, a well-documented API for local
control, very nice light with adjustable color temperature. And, they have
built in support to simplify things (eg "go to 100% over a period of 3 seconds
by dimming slowly", or "fade to 3000K color temp over 10 seconds"). And they
cost only about 15€.

The non-RGB variant cannot change color temperature and is in my opinion too
cold so I can't recommend it.
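What the local-network control described above looks like on the wire, as an added example (my code, not retSava's and not Yeelight's): once "developer mode" is on, the bulb listens on TCP/55443 for CRLF-terminated JSON requests, per Yeelight's public Inter-Operation Specification. The bulb's address (192.0.2.10 below) is a placeholder; the bulb normally announces itself via SSDP on 239.255.255.250:1982. The caveat worth knowing before you rely on "mine can't even get to the internet" as the whole security story: there is no authentication on this interface beyond being on the same LAN, so anything on that Wi-Fi, including a compromised device, can drive the bulbs. Keep them on their own VLAN with the controller as the only peer.

```python
"""Yeelight LAN-control client (the "developer mode" TCP interface on port
55443). Added example, not code from the thread or from Yeelight; the message
format follows Yeelight's public Inter-Operation Specification. Assumes the
bulb's IP is already known; the bulb normally announces itself via SSDP on
239.255.255.250:1982."""
import json
import socket

YEELIGHT_PORT = 55443


class YeelightClient:
    """Encodes requests and decodes replies; the socket I/O is kept in one
    method so the encoder/decoder can be exercised without a bulb."""

    def __init__(self, host, port=YEELIGHT_PORT):
        self.host = host
        self.port = port
        self._next_id = 1

    def build(self, method, params):
        """Wire bytes for one request: a JSON object with an integer id the
        bulb echoes back, terminated by CRLF."""
        msg = {"id": self._next_id, "method": method, "params": params}
        self._next_id += 1
        return (json.dumps(msg, separators=(",", ":")) + "\r\n").encode()

    @staticmethod
    def parse(line):
        """Decode one CRLF-terminated reply.
        Success: {"id":N,"result":[...]}; failure: {"id":N,"error":{...}}.
        The bulb also pushes {"method":"props","params":{...}} notifications
        whenever its state changes, including changes made by someone else
        on the LAN, which is the only hint you get that another client exists."""
        obj = json.loads(line.decode("utf-8").strip())
        if "error" in obj:
            raise RuntimeError("bulb returned error: %r" % (obj["error"],))
        return obj

    def send(self, method, params, timeout=3.0):
        """Open a connection, send one request, return the parsed reply."""
        data = self.build(method, params)
        with socket.create_connection((self.host, self.port), timeout=timeout) as s:
            s.sendall(data)
            buf = b""
            while not buf.endswith(b"\r\n"):
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        return self.parse(buf)


# The two transitions quoted in the comment above, as request builders.
def fade_brightness(client, percent, duration_ms):
    """'go to 100% over 3 seconds' -> set_bright 100 "smooth" 3000"""
    return client.build("set_bright", [percent, "smooth", duration_ms])


def fade_color_temp(client, kelvin, duration_ms):
    """'fade to 3000K over 10 seconds' -> set_ct_abx 3000 "smooth" 10000"""
    return client.build("set_ct_abx", [kelvin, "smooth", duration_ms])


if __name__ == "__main__":
    # Usage against a real bulb (192.0.2.10 is a placeholder address):
    bulb = YeelightClient("192.0.2.10")
    print(bulb.send("set_power", ["on", "smooth", 500]))
    print(bulb.send("set_bright", [100, "smooth", 3000]))
```

The request id is the only correlation the protocol offers, so keep it monotonic per connection; a reply whose id you never sent is a notification, not an answer.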

------
nathan_long
Personally, I think a "smart" home is one that provides maximum comfort for
minimum effort.

Having to (eg) update the firmware on my lightbulbs sounds about as smart as
having to hand-wash my clothes. Hours of effort to save myself 2 seconds a day
toggling lights? Not too smart, IMO.

~~~
annabellish
Hours of effort? Updating the firmware on my Hue bulbs is a two minute thing
automatically managed by the app, that happens once in a blue moon.

Besides, smart bulbs aren't really an effort-reduction tool. You get a lot
more control over lighting if you can adjust brightness and colour on the fly,
and do a lot to change the mood of a room.

~~~
nathan_long
Yes, sorry for the hyperbole. But in general, for a "smart home" you're going
to have apps, logins, setup processes, updates, compatibility grids, security
concerns, etc.

I don't know what the total hours of effort are. But I'm pretty sure they're
more than I have when I just screw in a lightbulb, plug in a dumb tea kettle,
etc. And so far I haven't heard any compelling use cases.

For me, the "smart lighting" I'd enjoy would be getting a few manual dimmer
switches installed. Changing color would be neat if it could be done via a
similar dumb switch, but it's not something I'd take up a "smart home hobby"
for.

~~~
annabellish
Smart lighting is where most of my experience lies. Adding a bulb is a case of
screwing it in, going to the app, hitting "register new bulb", and assigning
it to the room it's in. At that point it just joins in the same behavior as the
rest. Because they're LED bulbs, they have a very long lifetime and are
unlikely to die.

I don't think I'd call that level of investment anything near a hobby. You can
go a lot deeper with configuration options and other integrations and _make_
it a hobby, but the core behaviour is barely less trivial than a traditional
lightbulb.

~~~
IntronExon
Go out into the world, and poll a few hundred people of all ages and
backgrounds. Take note of how many either lose interest or start laughing when
your explanation of how to install a lightbulb continues past “screw it in.”

~~~
annabellish
Most of the people I've discussed it with have been quite interested,
actually. It's an easy technology to demo.

The price usually turns them off, however.

------
Taylor_OD
Does anyone have secure home security camera recommendations that don't
operate on a subscription model?

~~~
Mister_Snuggles
I have a handful of WiFi cameras and can recommend two based on my experience,
with a caveat:

* Lower-end D-Link cameras. Look for screenshots of the web interface on the
  camera in the manual.

* Amcrest

The caveat is that both companies offer a cloud service and their cameras
really like to try to phone home. The upside is that if you put them on a
network that's unable to connect to the internet they still function normally.

Depending on what you want, there are a couple of options. All of these assume
that you do not want to use the cloud service and do not want the cameras to
phone home, this is enforced by your firewall/router.

1) Easiest is to give the cameras access to your ISP's mail server and use the
camera's onboard motion detection/email features to send you alerts.

2) Another easy option is to give the cameras access to an FTP server and have
them send any files there when they detect motion.

3) You can go all out and deploy Zoneminder, Blue Iris, iSpy, or a similar
product on your network. Personally, I use Zoneminder, but by all accounts the
other products listed work well. QNAP and Synology NAS devices also include
camera monitoring software, but I haven't done any serious investigation into
either.

All three of these approaches can be mixed and matched, but once you have more
than a couple of cameras it's really nice to have everything centralized.
Option 3 is definitely the most effort.

The key thing is to read the manual and reviews before you buy and make sure
that the camera will work in the manner you want.
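The "enforced by your firewall/router" part of the setup above is only as good as your ability to see what the cameras try to do once they are cut off, so here is an added example (mine, not Mister_Snuggles') of the audit I would run over the router's log. It assumes the IoT segment is 10.30.0.0/24, that every outbound flow from it hits a netfilter-style LOG rule (SRC=/DST=/PROTO=/DPT= fields), and that the cameras are only ever meant to open three things: the local mail relay for option 1, the local FTP drop for option 2, and the gateway's resolver. The addresses and log lines are constructed for the demo.

```python
"""Egress audit for an isolated camera/IoT VLAN. Added example, not from the
thread. Assumes netfilter-style LOG lines for every new outbound flow from
the IoT segment, and an allow-list of the only flows the cameras should
initiate: local mail relay (option 1), local FTP drop (option 2) and the
gateway resolver. Addresses and sample lines are constructed."""
import ipaddress
import re
from collections import defaultdict

CAMERA_NET = ipaddress.ip_network("10.30.0.0/24")
# RFC 1918 space; anything outside it is "the internet" for this audit
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (dst, proto, dport) flows the cameras may initiate; everything else is denied
ALLOWED = {
    ("10.0.0.5", "TCP", 587),   # local mail relay: motion-alert e-mails
    ("10.0.0.6", "TCP", 21),    # local FTP server: motion clips
    ("10.30.0.1", "UDP", 53),   # gateway resolver (local names only)
}

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=(\S+)(?:.*?DPT=(\d+))?")


def parse_log_line(line):
    """Pull (src, dst, proto, dport) out of one LOG line; dport is None for
    protocols without ports (ICMP)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dpt = m.groups()
    return src, dst, proto, int(dpt) if dpt else None


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(src, dst, proto, dport):
    """'allowed'    : on the allow-list
       'phone-home' : camera -> non-RFC1918 address (vendor cloud, CDN, NTP)
       'lateral'    : camera -> local address that is not on the list
       'other'      : traffic not from the camera segment"""
    if ipaddress.ip_address(src) not in CAMERA_NET:
        return "other"
    if (dst, proto, dport) in ALLOWED:
        return "allowed"
    if is_local(dst):
        return "lateral"
    return "phone-home"


def audit(lines):
    """Per camera, the distinct non-allowed flows grouped by verdict. Run it
    on the log of the DROP rule and an empty result means the policy held;
    run it on an ACCEPT-all log during setup and it tells you what the
    camera wants before you write the policy."""
    report = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        verdict = classify(src, dst, proto, dport)
        if verdict in ("phone-home", "lateral"):
            report[src][verdict].add((dst, proto, dport))
    return {src: {k: sorted(v, key=repr) for k, v in d.items()}
            for src, d in report.items()}


# Constructed sample: two cameras, one legitimate alert mail and DNS query,
# two cloud attempts (203.0.113.8 / 198.51.100.44 stand in for vendor
# servers), one SMB probe into the LAN and one ICMP to the cloud host.
SAMPLE_LOG = """\
Jan 12 03:14:07 gw kernel: [IOT-OUT] IN=br-iot OUT=eth0 SRC=10.30.0.21 DST=203.0.113.8 LEN=60 PROTO=TCP SPT=49152 DPT=443
Jan 12 03:14:09 gw kernel: [IOT-OUT] IN=br-iot OUT=br-lan SRC=10.30.0.21 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=49153 DPT=587
Jan 12 03:14:11 gw kernel: [IOT-OUT] IN=br-iot OUT=lo SRC=10.30.0.22 DST=10.30.0.1 LEN=70 PROTO=UDP SPT=5353 DPT=53
Jan 12 03:14:12 gw kernel: [IOT-OUT] IN=br-iot OUT=eth0 SRC=10.30.0.22 DST=198.51.100.44 LEN=60 PROTO=TCP SPT=49154 DPT=8080
Jan 12 03:14:15 gw kernel: [IOT-OUT] IN=br-iot OUT=br-lan SRC=10.30.0.22 DST=10.0.0.50 LEN=60 PROTO=TCP SPT=49155 DPT=445
Jan 12 03:14:16 gw kernel: [IOT-OUT] IN=br-iot OUT=eth0 SRC=10.30.0.21 DST=203.0.113.8 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

if __name__ == "__main__":
    for cam, verdicts in sorted(audit(SAMPLE_LOG.splitlines()).items()):
        print(cam, dict(verdicts))
```

The "lateral" bucket matters as much as "phone-home": a camera probing 445 on the LAN is either misconfigured or already someone else's, and a plain deny-to-internet rule would never show it.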

~~~
dsfyu404ed
I would look at network cameras and a rooted android device.

Using an android device basically solved the 3rd party integration (e.g. auto-
upload, notifications) and being root you could view cameras in real time with
some I/O redirection (i.e. tell hangouts that the network camera is the phone
camera) and it would have plenty of local storage and battery life. It would
be easy enough to do a simple CLI over email or hangouts chat (e.g. "motion
detected on camera X, here are snapshots of the last 300sec, reply "hangout
camera X" to view the feed with hangouts")

Redirecting video feeds every which way from a Linux-like box is a really dead
horse so there's plenty of options and documentation out there on the various
details. Options for adding more security/reliability into that sort of stack
are also fairly plentiful and well documented.

------
kilo_bravo_3
So, if an attacker is already physically on your network, and they trigger a
firmware update on the lightbulb, and they have modified your router's DNS to
request a malicious site, AND they have set up a rogue firmware server likely
on your own network, AND they have crafted a malicious firmware for your smart
lightbulb...

...they can install a malicious firmware on your smart lightbulb that will
forward them your wifi password?

The horror, the horror.

~~~
RoyTyrell
At a glance it seems like making a mountain out of a mole hill, for sure.
However let's say some unscrupulous person puts together a little device and
Android app, sells it to would-be criminals. For some amount of money they can
buy a device that can try to brute force break into a home network, unlock the
doors and perhaps even turn off a security system.

Insurance would cover your stolen items but you're still fucked temporarily,
and maybe longer if they were able to steal info to commit identity theft.

Granted they could just smash a window too but this might be easier and make
less noise.

------
ptero
The article makes reasonable technical points, but adds a fair amount of
scaremongering. Even the title is clickbait-y (which is not surprising since
the firm is in the IT security business).

I personally do not feel that all IoT-capable devices must be secured to the
hilt. If I set min and max temp on a network-enabled thermostat I am not
worried that someone will connect and warm (or cool) my home a bit within that
range while I am out. At worst I might suffer a minor discomfort when I come
in, but the chances are low and the fix is cheap.

Most IoT setups I would consider fall in the same category: low benefit for
attacker and low pain if hacked. If so, I take simplicity and reliability over
security. And if I ever wanted to build an IoT setup that would be more
painful when hacked I would probably put together 2-3 simple, completely
distinct systems that report the same data and check for discrepancies to
detect intrusions rather than trying to secure one device to the max. Just my
2c.

~~~
jlg23
> If I set min and max temp on a network-enabled thermostat I am not worried
> that someone will connect and warm (or cool) my home a bit within that range
> while I am out.

Will you say the same after I set min/max temperatures to optimize for high
cost and change it back in time so you only notice on your next electricity
bill?

And how many times are you willing to wake up at 3am in an overheated
apartment before you insist that only you should be able to adjust your
thermostats?

I am sure there are plenty more ways to abuse even simple things like
thermostats to make your life hell. And the more devices are deployed in the
wild, the more "pranks" will be thought of and executed.

~~~
ptero
That is a fair question, but I still consider it very low likelihood and
pretty low impact. Sure, you can make an involved setup harassing me via my
thermostat, but I would be amazed (and amused) if it ever happened to me.

I am not a public figure, who would do such a thing? A friend as a prank --
s/he would probably tell me soon enough. An enemy -- it is a _really_ involved
way for some sort of hassle -- slashing car tires or breaking windows
overnight is just as easy (or easier) and much more painful.

~~~
zaarn
Last week someone dumped one of their scripts onto my private git server
instance and created issues with attempted XSS. Purely due to chance, I was
using the mobile browser to inspect these which didn't have a script blocker
installed.

It has one installed now.

You might think "nobody will do this to me" but the internet is filled to the
brim with skids who have nothing better to do than scan your router for any
open ports (or in a recent case, attempt to scan your IPv6 /64 subnet, though
I'm questioning the sanity of that move).

If they find anything they will blindly shove their shit into your IoT
hardware. Maybe it'll work. Maybe it doesn't. They don't care, they've already
spammed the next host.

Do not underestimate the probability of someone wanting to ram their script up
into your IoT or router.

------
ourmandave
Looks like they'll need to add a map function to haveibeenpwned.com so you can
search by your house address. =(

------
_bxg1
The most surprising thing was that they even _bothered_ encrypting the root
password or responding to the vulnerability reports. From what I can tell,
that's far above and beyond the average IoT manufacturer.

------
nkrisc
In the comments here and articles like this one, what is the rationale against
naming and shaming? Is it legal CYA? Some kind of arbitrary hurdles for would-
be exploiters?

I want to know what stuff to avoid and which companies don't care about security.

------
Fiahil
If GDPR was enforced, the manufacturer of such devices would be heavily fined,
right ?

~~~
jmcomets
In the case of the light bulb, it depends if Wifi SSID & Password count as
"user information". I don't see any details concerning the other device tested
here.

I'm interested in what's exactly specified as "user information". Wikipedia[0]
says that it's "any information relating to an individual, whether it relates
to his or her private, professional or public life. It can be anything from a
name, a home address, a photo, an email address, bank details, posts on social
networking websites, medical information, or a computer’s IP address."

[0]: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Scope

------
JoeAltmaier
Is this scaremongering? I write firmware for IoT devices for a living. The
client rarely has any interest in security. I put some in, but if it gets in
the way (e.g. a variable password for setup depending on the device serial
number) they ask to remove it. Sellers actually want a single default.

The latest did want encryption between the device and their upgrade server,
which was good. Now it's as secure as their server. Hack that, and of course
you own the device, no, ALL their devices. No, ALL the devices supported by the
service that manages IoT devices for them and others.
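The "variable password for setup depending on the device serial number" that the client above asked to have removed is worth spelling out, because the shared-default alternative is exactly the "default password fiasco" mentioned earlier in the thread. Added example, mine and not JoeAltmaier's firmware: the provisioning station keys an HMAC with a factory secret and derives a per-unit label password from the serial, and the unit itself stores only a salted PBKDF2 hash of that password. Deriving from the serial alone (no secret) would be pointless, since the serial is printed on the box; with the key, the serial reveals nothing, and dumping one unit's flash gives neither the factory key nor any other unit's password. FACTORY_KEY, the serial format and the 12-character label length are assumptions for the demo.

```python
"""Per-device setup password instead of one shared default. Added example,
not from the thread. Assumptions: the 32-byte factory key exists only on
the provisioning station and is never written to a device; each unit gets
the label password derived from its serial and stores only a salted PBKDF2
hash of it, so dumping one unit's flash yields neither the factory key nor
any other unit's password."""
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
LABEL_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # Base32, label-friendly


def derive_setup_password(factory_key, serial, length=12):
    """HMAC-SHA256 keyed with the factory secret over the serial number,
    Base32-encoded and truncated to `length` characters. 12 Base32 chars
    carry 60 bits, far beyond what a rate-limited setup page lets anyone
    guess online; the serial alone is public and tells an attacker nothing."""
    if len(factory_key) < 32:
        raise ValueError("factory key must be at least 32 bytes")
    mac = hmac.new(factory_key, serial.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").rstrip("=")[:length]


def provision_device(factory_key, serial):
    """Per-unit step on the provisioning station: derive the label password,
    then build the record to flash (salt + slow hash, never the password,
    never the factory key). Returns (password_for_label, flash_record)."""
    password = derive_setup_password(factory_key, serial)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return password, {"serial": serial, "salt": salt, "hash": digest}


def device_check_password(record, attempt):
    """Runs on the device during first-time setup; constant-time compare so
    the check itself does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


# Constructed factory key for the demo only; a real one comes from an HSM or
# at least os.urandom(32) on an offline provisioning machine.
DEMO_FACTORY_KEY = bytes(range(32))

if __name__ == "__main__":
    for serial in ("SN-000001", "SN-000002"):
        label_pw, record = provision_device(DEMO_FACTORY_KEY, serial)
        print(serial, "label password:", label_pw,
              "device accepts it:", device_check_password(record, label_pw))
```

The seller's objection ("we want a single default") is really about support: the station can regenerate any unit's password from its serial on demand, so support never needs the device to leak it and the device never needs the factory key.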

