Not all home automation systems are the same, and some come with security vulnerabilities that could be exploited to command the smart gadgetry in the house. Recently, researchers disclosed risks in three smart hubs that relay the owner’s instructions from the smartphone app to connected devices managed by wireless sensors, such as lights, cameras, door locks, sockets, alarm systems, thermostats and heat pumps.
Penetration tester Wesley Neelen researched Fibaro’s Home Center 2 and Home Center Lite products and found that attackers could gain full control of the device if they had access to the web management interface. Chances are a good many users would keep their units exposed over the internet for remote control of the IoT in the house. According to Google Play, the Android app for the Fibaro system has been downloaded at least 50,000 times since release.
The ethical hacker took the device apart and searched its internal system for critical flaws. His first success came when he managed to run an arbitrary command on the system by leveraging a PHP file that failed to validate or authenticate its input. This achievement alone did not grant him the privileges necessary to take complete control of the Fibaro unit. More tinkering rewarded Neelen with a way to obtain higher privileges, through an executable file used to install a firmware update manually.
With a way to run arbitrary commands with elevated privileges on the Fibaro system, Neelen created proof-of-concept code that chained the two vulnerabilities and demonstrated his findings. The maker was notified about the bugs and pushed a firmware update with the fixes.
In September, researchers reported security problems in other home automation systems. Hubs from Wink and Insteon were found to handle sensitive information insecurely. Their mobile apps stored authorization and authentication data in plain text, allowing anyone with physical or remote access to the phone to extract the data and use it to control the IoT hubs.
Although some methods exist to improve the security of an IoT network, a patch from the vendor is most often the only complete solution to the issue. Lacking a mechanism that installs the updates automatically or announces their existence, the new firmware version has to be downloaded and applied manually by the user, steps that many individuals are unlikely to perform, even if they know the security risks.
In the case of Fibaro, the availability of a firmware update is signaled to the owner through an LED indicator on the Home Center system. Manual intervention is still required to complete the process, but the user knows when a release is pushed and can choose the moment to run the update. A fully automatic procedure, as is the case with smart hubs from Wink and Insteon, is the no-hassle solution for users, because the new release is pushed to the device without user involvement.