
DIY Smart Home Security? Meh - altercation
http://blog.seekintoo.com/diy-smart-home-security-meh.html
======
knz
> What does this mean for iSmartAlarm? Not much probably. People will continue
> to purchase "Smart" devices as long as it is popular and trendy.

An interesting read but isn't it kind of missing the point? Most people
running a home grown security system via one of the main IoT hubs just want
basic security against your average smash and grab criminal. They aren't doing
it because it's "popular and trendy" - it's a relatively easy way to monitor
your home without the cost of traditional home security systems.

To be clear (i.e. to avoid the usual negativity of IoT threads on HN - "No one
should use IoT because it's so insecure!" etc), personally I think this type
of breakdown is something that should be encouraged - hopefully it'll push
device manufacturers towards making more secure products. iSmartAlarm is being
sold specifically as a security system so they should be open to criticism if
they aren't any more secure than a basic IoT hub with a few sensors...

It would also be interesting to see similar analysis against COTS/commercial
grade security systems.

~~~
haser_au
> just want basic security against your average smash and grab criminals

I think the concern here is stated in the article: "I'm attacking an
established radio network protocol developed by TI that is used in hundreds,
if not thousands of other products that could have also made the same fatal
implementation mistakes."

The problem is this device protects against smash and grab criminals, but it
literally opens the door and reduces the barrier of entry for more
sophisticated, remote attackers. Adding this type of vulnerability to Shodan
would mean these devices can be identified, attacked and remotely controlled
by any remote attacker, giving them information about the target they never
had originally.

I don't think it's too far fetched to imagine an "AirTasker" criminal network,
where a remote (sophisticated) attacker links up with a "smash and grab"
criminal for hands-and-feet on the ground, agrees to split proceeds and work
as a team on something like this.

Personally, I find this very disturbing. A security device manufacturer should
take their security, and the responsible disclosure of vulnerabilities, far
more seriously than they appear to be to-date.

~~~
ytjohn
You know, as you described this scenario, I'm now seeing all those tv shows
and movies suddenly seem more possible. I'm talking about the scene where the
one guy is sneaking around and talking to their remote hacker friend who is at
their computer disabling cameras, silencing alarms, and unlocking doors.

The "smash and grab" criminal would have some pre-built Arduino/Raspberry
Pi/SDR combo that has to be within radio proximity of the building, but once
in signal range, the remote person can work their magic.

~~~
tw04
And why would someone with this skill set risk prison time over something like
burglary? You could make a lot more money with a lot less risk doing any
number of legitimate or illegitimate activities.

~~~
Symbiote
Potentially, because they live in a poor country and the income far exceeds
what's possible with a legitimate job.

~~~
bryanrasmussen
Maybe they live in an unfair country and while they could gain success with a
legitimate job they wouldn't be sticking it to their class enemies in the same
way. There are lots of potential motivations.

------
wyc
Many of the points in this article are only relevant to solutions that network
wirelessly, with poorly implemented custom RF solutions at that.
WPA2-supporting devices are very secure against many of these attacks, except
for RF jamming. Is WPA2 more expensive for the device to implement? Yes, but
this is the kind of performance trade-off you have to make if you want
security.

If you're serious about home security, then you may want to hardwire your
devices and VLAN isolate your security/control network to give some semblance
of closed-circuitness. I will always hardwire when possible and concentrate on
physical attack vectors.

When you're going up against someone who knows how to use a spectrum analyzer
and jammer, then you might have bigger problems.

~~~
floatrock
I don't disagree with your main parts, but this wasn't a "poorly implemented
custom RF solution." This was a lightweight wireless protocol and system from
TI, exactly designed for building relatively simple and cheap RF products.

In the same way that web developers grab Bootstrap and get a beautiful-enough
site working out of the box, this company found a Bootstrap-for-wireless-
communications framework and chip from TI.

What they didn't do is customize it for their needs (security-hardening) nor
use any non-default configuration.

Point is, using a pre-built building-block component to speed up your go-to-
market isn't inherently bad. In fact, you might even argue that an alarm
company who rolled their own fly-by-night wireless protocol would raise more
eyebrows.

~~~
wyc
Good point. I wish we knew how to convince vendors to use secure defaults and
actually care about their users' security. Public shaming seems to be one way
that's working, so thanks for the post! :)

------
supergeek133
Working in the space (Disclaimer: I work for Honeywell) I can tell you this is
one of the things that is really hard to communicate to customers in terms of
IoT:

You get what you pay for in some respects.

Some of these products are more expensive than their counterparts because of
the amount of time and effort put into security and overall design of the
product.

But if I see a deal online for $200 home security DIY and my closest pro
install costs $X over Y years, the actual technical security of the product
doesn't come first in a consumer's mind. I know until I worked in the space, I
can't say I thought of it either.

~~~
hannob
> You get what you pay for in some respects.

Is that the case? It was my impression that the lack of security is pretty
much ubiquitous in the IoT space and expensive brands basically do all the
same crap. Is there _any_ vendor that stands out, e.g. by saying "we'll do
security reviews and guarantee updates when vulnerabilities show up for at
least X years"?

~~~
supergeek133
One example I like to use (personally, not as Honeywell) is Blackhat/Defcon
from a year ago (I forget which).

They showed a ransomware takeover of a thermostat. Everyone started freaking
out. Here is what they didn't say though:

- You needed physical access
- Thermostats are replaceable (as in put a new one on the wall)
- It was not a major brand to my knowledge.

Something you have to think about is path of least resistance.

------
Animats
Bad crypto key handling, again. The big problem here is the lack of a secure
way to introduce all the devices to each other. You can't securely do this
over wireless alone. But you should at least have a system which doesn't allow
adding or deleting devices from the network while armed.

~~~
hvidgaard
If you want to incorporate physical security, you need the devices to be
physically linked to be paired. I suppose you could use a custom made USB
device to simply transfer the keys from the devices to the hub.

~~~
Animats
That would work. It can be a problem if you have to re-key and the device is
in a hard to reach location, such as a building-mounted camera.

The problem with many of these devices is that they're all too willing to talk
to things that don't have their key. That makes them vulnerable to attacks.
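The hub behaviour this subthread argues for can be sketched as a small state machine. The code below is an added illustration, not code from the article, from iSmartAlarm, or from any commenter: the hub only enrols or removes a device over a physical link and only while disarmed, and it drops any radio frame that does not carry a valid MAC under a key it already holds (plus a counter so a captured frame cannot be replayed). All names (`Hub`, `Channel`, `make_frame`, the `door-1`/`rogue` device ids, the HMAC-SHA256 framing) are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from enum import Enum


class State(Enum):
    DISARMED = "disarmed"
    ARMED = "armed"


class Channel(Enum):
    PHYSICAL = "physical"  # e.g. the USB key-transfer link hvidgaard describes
    RADIO = "radio"


class PairingRefused(Exception):
    pass


def _mac_input(device_id, counter, payload):
    # Everything the hub checks is bound into the MAC: identity, counter, payload.
    return device_id.encode() + counter.to_bytes(4, "big") + payload


def make_frame(device_id, key, counter, payload):
    # Device side: tag the frame with HMAC-SHA256 under its per-device key.
    tag = hmac.new(key, _mac_input(device_id, counter, payload), hashlib.sha256).digest()
    return (device_id, counter, payload, tag)


class Hub:
    """Toy alarm hub: enrolment changes need a physical link and a disarmed
    state; radio frames from devices without a known key are ignored."""

    def __init__(self):
        self.state = State.DISARMED
        self.keys = {}           # device_id -> per-device key
        self.last_counter = {}   # device_id -> last accepted counter (replay guard)

    def arm(self):
        self.state = State.ARMED

    def disarm(self):
        self.state = State.DISARMED

    def _check_enrolment_allowed(self, channel):
        if self.state is State.ARMED:
            raise PairingRefused("no enrolment changes while armed")
        if channel is not Channel.PHYSICAL:
            raise PairingRefused("keys are only accepted over the physical link")

    def pair(self, device_id, key, channel):
        self._check_enrolment_allowed(channel)
        self.keys[device_id] = key
        self.last_counter[device_id] = -1

    def unpair(self, device_id, channel):
        self._check_enrolment_allowed(channel)
        self.keys.pop(device_id, None)
        self.last_counter.pop(device_id, None)

    def accept_frame(self, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        device_id, counter, payload, tag = frame
        key = self.keys.get(device_id)
        if key is None:
            return None  # unknown device: the hub does not talk to it at all
        expected = hmac.new(key, _mac_input(device_id, counter, payload), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # wrong or missing key
        if counter <= self.last_counter[device_id]:
            return None  # replayed or stale frame
        self.last_counter[device_id] = counter
        return payload


def demo():
    """Constructed scenario: one legitimate door sensor, then armed-state checks."""
    hub = Hub()
    door_key = secrets.token_bytes(32)
    hub.pair("door-1", door_key, Channel.PHYSICAL)  # enrolled while disarmed, over USB
    hub.arm()

    try:  # enrolment attempt over the air while armed must be refused
        hub.pair("rogue", secrets.token_bytes(32), Channel.RADIO)
        rogue_enrolled = True
    except PairingRefused:
        rogue_enrolled = False

    genuine = hub.accept_frame(make_frame("door-1", door_key, 1, b"OPEN"))
    replayed = hub.accept_frame(make_frame("door-1", door_key, 1, b"OPEN"))
    bad_tag = hub.accept_frame(("door-1", 2, b"OPEN", bytes(32)))
    unknown = hub.accept_frame(make_frame("rogue", bytes(32), 1, b"OPEN"))
    return {"rogue_enrolled": rogue_enrolled, "genuine": genuine,
            "replayed": replayed, "bad_tag": bad_tag, "unknown": unknown}


if __name__ == "__main__":
    print(demo())
```

The per-device key is the only thing that distinguishes a paired sensor from anything else transmitting on the band, which is exactly why the re-keying problem Animats raises matters: the key has to be replaceable without re-opening the enrolment path over radio.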

------
plaes
Do they also provide source code for GPL-licensed parts (Linux kernel,
u-boot)?

------
sbierwagen
> Saleae returned a result of 58173 baud for the UART port, which is very close
> to the common rate of 57600 baud which I will use when hooking up a UART to
> USB converter.

I've used Saleae autobaud before and it really likes to end up a few percent
off from the actual bitrate. I'm guessing it actually was 56700, but there was
enough slack that it worked anyway.

------
TeMPOraL
A tangent, but did "DIY" change its meaning recently? How is off-the-shelf
IoT crap a _DIY_ solution? That's just a shitty product, not something one
does themselves.

Beyond that, a great article. Highlights well the complexities of securing
wireless devices.

------
noobiemcfoob
This proves give it 10 years and Watch_Dogs will be a reality.

------
ilovefood
The work done here is so impressive. Oh my. I learned so much!

