A leading security firm says some of the network-controlled automation systems that owners have opted to install in their properties are highly vulnerable to hacking and infiltration via the Internet.
Researchers from Chicago-based Trustwave say a number of network-controlled devices which have proven popular on the market are surprisingly easy to access, leaving their owners’ properties vulnerable to illicit entry by anyone with a modest amount of technical know-how.
According to Trustwave’s in-house experts, one of these products is VeraLite, a home automation gateway system manufactured by Hong Kong-based Mi Casa Verde.
The VeraLite enables users to control as many as 70 devices simultaneously via the Internet, including lights, alarms, surveillance cameras, door locks, window blinds and HVAC systems.
While the system’s sophisticated network controls may be immensely convenient for home and property owners, Trustwave’s Daniel Crowley says the product’s developers have given much less scrutiny to basic security measures.
In its default setting, VeraLite does not require either a username or accompanying password, meaning it can be controlled by anyone using the local network.
Even if a username and password are created by owners, the device can still be accessed by outsiders via the Universal Plug and Play (UPnP) protocol as a result of Mi Casa Verde’s failure to develop a UPnP authentication feature or extension for the product.
The system is also vulnerable to hacking via the Internet by means of cross-protocol attacks upon users on the same local network as the VeraLite.
“If I know someone has a VeraLite on their home network and they’re at home, I can trick them into visiting a Web page that instructs their browser to set up a backdoor to their VeraLite device using UPnP,” says Crowley.
Trustwave’s team points to the Insteon Hub as another network control system which suffers from glaring security holes.
“When you first set up the Insteon Hub, you’re asked to set up port forwarding from the Internet to the device, so basically you’re opening up access to it to anybody from the Internet,” says Trustwave researcher David Bryan, who tested the product in his own house.
The device’s smartphone function is particularly exposed, with Bryan discovering that communications between his phone and the Insteon Hub via the Internet were devoid of both authentication and encryption.
Nor did the product’s developers provide users with the option of activating authentication measures for the entry of commands via the Insteon Hub.
“This meant that anybody could have turned off my lights, turned on and off my thermostat, changed settings or [done] all sorts of things that I would expect to require some sort of authorization,” said Bryan.