Smart House Attack Vectors

There’s a very healthy debate going on in Norway right now regarding Smart Home security. Internet of Things security is poor, as researchers, malware and even worms have proved multiple times before. Are our devices and private information safe just because we have a WPA2-PSK enabled Wi-Fi network and strict firewall rules? In this blog post I’d like to discuss some other things that should also concern us when it comes to Smart House security. What are some other ways to break through a smart house’s outer defenses?

WPS could be enabled. Wi-Fi Protected Setup (WPS) is activated by default on many devices, and it adds to the attack surface. In fact, for many years WPS has been considered the “go-to” way to most easily break into wireless networks. Sure enough, there are protection mechanisms for WPS as well, but since we’re not living in a perfect world where every device is updated to the latest and greatest model, this still ranks as a valid attack method today.

What about pre-compromised computers on the internal network? Today we see botnets with millions, if not tens of millions, of computers. If any of these infected computers are on the internal LAN of a smart house, the bad guys are already on the inside. With computer access being sold across the Dark Net, shopping for bots that are inside smart houses might become a big thing in the future. Think about it: IoT is known to be immensely insecure, so by gaining access to bots already on the LAN, bad guys can much more easily extend their reach into IoT devices as well. Another thing is metamorphic malware: malware which changes its functionality, perhaps based on what type of network it is on. It might ask itself, am I on a LAN with Z-Wave devices? Then I’ll phone back to C2, pull down modules, and compromise those devices as well.

Most of us have already heard about the evil-maid attack, where perhaps the company cleaning lady is bribed (or perhaps forced, depending on the country of operation) to plug in a USB device for a third party. We’re talking about smart homes here, so someone bribing someone into plugging a USB device into your devices is probably unlikely, but the threat is still there. What about family, friends, friends of friends, basically anyone who has ever been on your wireless network and knows your wireless password? Do you trust them all? The sad truth when it comes to a lot of crime, especially against kids, is that the attacks have actually been carried out by someone close to the family… Think about it.

The cheap commodity hardware that our ISPs sell or rent to us is also not perfect. We’ve seen before how weak PRNG functions have allowed WPA passwords to be disclosed just by knowing the MAC address of the device, or in some cases the serial number (which could be brute forced). It is not unlikely that our edge devices contain vulnerabilities, and we should plan for these devices to fail and still be somewhat secure.

Every month or so, a major leak hits the mainstream media: credentials have been lost. Your passwords, or any of your family’s passwords, could be lost tomorrow, and if the passwords are reused for an external VPN into your house, or perhaps to log on to an application on your smartphone, this could also compromise assets in your smart house. An example: if I lose my Nissan Leaf password to someone else, couldn’t they control several functions of my car remotely? I’d expect it to be the same with all our gadgets, locks, cameras and what not.

Our smart-house gadgets also have another attack surface, one which I unfortunately haven’t had a whole lot of time to address yet: many of them also communicate on other frequency bands than 802.11a/b/g/n/ac. They could in fact speak e.g. the proprietary Z-Wave protocol over 900 MHz, and with the right equipment, such as an SDR, these protocols can also be shown to have vulnerabilities. In fact Z-Wave devices have been hacked on several occasions, and adding to that, it is a proprietary protocol, which means not a lot of transparency when it comes to security. The latest Z-Wave generations do however come with built-in encryption, using strong encryption and signing protocols. However, this does not mean they are secure. It is still very possible that we could see a vulnerability within the devices themselves, perhaps opening up attacks which could open your front door without touching your Wi-Fi, simply by interacting with the devices over other protocols.

And finally, the WPA pre-shared key is in many cases not randomized, so dictionary attacks will be a perfectly valid approach against many people’s homes. The trend I’ve seen is that people and businesses select predictable passwords; for a homeowner I would expect to see:

  • Language-specific words, e.g. words from the Norwegian language
  • Numbers from 0000 to 9999, likely 1980 to 2030, at the end of a word
  • Street names
  • Phone numbers
  • Last names
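As an added defensive example (not from the original post), here is a small Python audit that flags a WPA2 passphrase which follows the predictable patterns listed above, and generates a random one instead; the word, street-name and surname lists are constructed stand-ins for full lists.

```python
import re
import secrets
import string

# Constructed sample lists standing in for full Norwegian-word, street-name and
# surname lists (assumption for this example; a real audit loads complete lists).
SAMPLE_LISTS = {
    "dictionary word": {"sommer", "vinter", "hytte", "hemmelig"},
    "street name": {"storgata", "kirkeveien", "strandveien"},
    "last name": {"hansen", "johansen", "olsen"},
}
# WPA2 passphrases are printable ASCII, so Norwegian words show up without æøå.
WORD_DIGITS = re.compile(r"([a-z]+)(\d{4})?")
PHONE = re.compile(r"(\+47|0047)?\d{8}")   # Norwegian phone numbers are 8 digits

def classify_psk(psk: str) -> str:
    """Name the predictable pattern a WPA2 passphrase follows, or return 'ok'."""
    p = psk.strip().lower()
    if not 8 <= len(p) <= 63:
        return "invalid length (WPA2-PSK passphrases are 8-63 characters)"
    if PHONE.fullmatch(p):
        return "phone number"
    m = WORD_DIGITS.fullmatch(p)
    if not m:
        return "ok"
    base, digits = m.group(1), m.group(2)
    for category, words in SAMPLE_LISTS.items():
        if base in words:
            if digits is None:
                return category
            suffix = "year" if 1980 <= int(digits) <= 2030 else "4-digit number"
            return f"{category} + {suffix}"
    return "ok"

def random_psk(length: int = 20) -> str:
    """Generate a random passphrase from a CSPRNG that avoids every pattern above."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def audit(psks):
    """Map each candidate passphrase to its classification."""
    return {p: classify_psk(p) for p in psks}

if __name__ == "__main__":
    samples = ["hytte2010", "91234567", "Olsen1999", "storgata", random_psk()]
    for psk, verdict in audit(samples).items():
        print(f"{psk!r}: {verdict}")
```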

People will still be people, and they have continued to pick bad passwords throughout the history of IT so far. Likely to stop anytime soon? Unfortunately it doesn’t seem like it. Check out my post on password managers if you want to make your life much easier: Passwords Managers – Why aren’t everyone using them already?

I am not trying to do any fear-mongering or spreading of FUD here. I just want us to be realistic, and especially not have anyone think “I’ve got an un-hackable house”. That is nonsense; you should know about the risks you are running, and hopefully you will decide on what risk level you find acceptable. Personally, I’d like to have a “semi-smart” house. My TV does not have to be smart, in fact I am trying to find one which isn’t ;), and I’d really like to have my front door and alarm systems de-coupled, just for defense in depth. I am not telling you not to buy gadgets for your home, just don’t be surprised if you see them hacked, and when you do, have a plan to deal with it. 🙂