Armed with a Raspberry Pi and a wireless adapter extension two hackers show how surprisingly easy it is for an attacker to take control of a Home Automation System and disable the motion detector or unlock doors.
More than one of the many lists predicting the tech trends of 2014 forecasts that this year the Internet of Things will finally really burst on the scene. They’re probably wrong. The IoT is not like the smartphone, a concept that struggled for years until the launch of the right device at the right time made it go viral. It is a complex system of systems that needs standards, interoperability protocols and even more bandwidth than we already use. That takes time to roll out.
It also needs security build in from the start.
This week security expert Bruce Schneier warned that IoT devices are already riddled with vulnerabilities and no manufacturer, supplier or any other agent feels responsible for beefing up security. The IoT is heading down the same road as personal computers in the mid ’90s, says Schneier. The lack of attention for security left systems critically vulnerable and there were no procedures in place to patch them.
Those were personal computers in a time most of them did not store troves of critical data because people were still figuring out what to actually use them for. Today we’re networking pacemakers, cars and our homes. And they’ve all been hacked.
The flawed security of home automation system HomeMatic was revealed by hackers Sathya and Malli at the 30th Chaos Communication Congress (30C3) held in Hamburg, December 27-30. HomeMatic, developed by the company eQ-3, enables users to unlock doors, control the heater or receive alerts from a motion detector. Performing three live hacks within an hour Sathya and Malli showed how they were able to gain unauthorized access and take over control of each of those functions.
Initially the two opened up their HomeMatic device because they wanted to improve some of its capabilities. Unsatisfied with the range of control over heating system they decided to write their own firmware. It soon become clear they could do a lot more and went on to create new interface software which they named Homegear.
Using only a Raspberry Pi running Homegear and a wireless transceiver module add-on, Malli and Sathya showed three different attacks which give access to almost all of the HomeMatic devices. Sathya pointed out that they only work when the user hasn’t changed the default key for the encryption system called AES. He added that many users do not change the key because doing so has caused issues with AES in the past.
The first on-stage hack consisted of preventing the motion detector from switching on a light to alert the owner of movement on the property. Normally the motion detector sends a data packet to the light switch telling it to turn on. Malli and Sathya spoofed the signal and sent packet to the switch with the message to stay turned off. Using the wireless transceiver they sniffed a packet from the motion detector to determine its and the switches’ address. Then they used the Homegear software to send their own packet to the switch, disabling the functionality of the motion detector.
The demonstration of opening the electronic locks of the HomeMatic system is only slightly more complicated.
Sathya wrote eQ-3 to inform them about the vulnerabilities found in their system. At the time of the 30C3 presentation the company had failed to respond. However, on January 7 eQ-3 posted a notice on the HomeMatic website urging its customers to change the default AES key referring to the 30C3 video to explain why.
For more technical details and the demonstration of the lock and heater hacks, watch the 30C3 presentation of Sathya and Malli.
Image: Malli and Sathya at 30C3
Edit: Some spelling and syntax adjustments.