New security research has revealed a whole new area of concerns for the soon-to-be-everywhere Internet of Things – smart home hubs.
Hubs – devices that link into home networks to control lighting, dead-bolt locks and cameras – can be dangerously vulnerable to attack, according to security tools firm Tripwire.
Craig Young, a Tripwire VERT (Vulnerability and Exposure Research Team) security researcher, tested Wink Hub, Vera and SmartThings Hub (all smart home hubs), discovering a variety of issues in the process. The most serious issues affected Wink Hub and Vera.
El Reg contacted both vendors, who downplayed the significance of the findings and stated the testing was done on kit using old versions of firmware.
Kit from Vera displayed improper neutralisation of special elements used in an OS command (CWE-78) and cross-site request forgery (CWE-352) problems. Equipment from Wink turned out to have similarly serious problems, namely improper neutralisation of special elements used in an SQL command (CWE-89) and cross-site request forgery (CWE-352).
Left unresolved, both sets of flaws created a means for hackers to obtain remote root shell access with minimal user interaction. Wink has developed an update to block exploits against its hubs.
The SmartThings hub is vulnerable to improper certificate validation (CWE-295). This (less serious) security flaw potentially gives hackers unauthorised access to data flows to/from the hub which, in turn, might provide an entry point into the home network.
It's not ideal but the SmartThings risk is “minimal” compared with Vera or Wink because it is much harder to exploit, according to Tripwire’s Young.
“Despite the SmartThings Hub and Wink Hub being patched, this of course relies on the user to apply the patch so it is likely some users will remain vulnerable,” a Tripwire representative added.
Something strange in the network neighbourhood
Young provided a detailed explanation of how hackers might go about exploiting each appliance.
Vulnerable versions of Vera and Wink could be attacked through HTTP requests. These requests may come from a malicious web page (as demonstrated at IID on the Vera), a phone app on the LAN, or a malicious user on the LAN directly connecting to the vulnerable device.
In the case of Vera, the attacker can directly supply commands to run on the Vera’s embedded operating system. In the case of Wink, the attacker would inject SQL commands to trick SQLite into creating a PHP script on the device.
A subsequent request can then trigger execution of the PHP code with root permissions.
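The chain described above starts with a cross-site HTTP request and ends in injected SQL, so a hub's request handler can break it at either link. The sketch below is an added example, not code from Tripwire's research or any vendor's firmware; the schema, header values and function names are hypothetical.

```python
import sqlite3
from urllib.parse import urlsplit

ALLOWED_STATES = {"on", "off", "locked", "unlocked"}

def make_db():
    # Constructed schema and rows, not taken from any real hub firmware.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (name TEXT PRIMARY KEY, state TEXT)")
    db.executemany("INSERT INTO devices VALUES (?, ?)",
                   [("front_door_lock", "locked"), ("porch_light", "off")])
    return db

def lookup_unsafe(db, name):
    # CWE-89: request data is concatenated into the SQL text, so a quote
    # character in `name` changes the structure of the statement.
    sql = "SELECT name, state FROM devices WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    # Bound parameter: the value is passed as data and never parsed as SQL.
    return db.execute(
        "SELECT name, state FROM devices WHERE name = ?", (name,)).fetchall()

def same_origin(headers):
    # CWE-352: accept a state-changing request only when the browser-supplied
    # Origin (or Referer) names the same host the hub was addressed by.
    host = headers.get("Host", "")
    source = headers.get("Origin") or headers.get("Referer") or ""
    return bool(host) and urlsplit(source).netloc == host

def handle_set_state(db, headers, name, state):
    # Returns an HTTP-style status code for a hypothetical "set state" call.
    if not same_origin(headers):
        return 403
    if state not in ALLOWED_STATES:
        return 400
    cur = db.execute(
        "UPDATE devices SET state = ? WHERE name = ?", (state, name))
    db.commit()
    return 200 if cur.rowcount == 1 else 404

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote
    print(len(lookup_unsafe(db, probe)), len(lookup_safe(db, probe)))
    page = {"Host": "192.168.1.50", "Origin": "http://attacker.example"}
    print(handle_set_state(db, page, "front_door_lock", "unlocked"))
```

The Origin check only covers the browser-borne path; requests from a phone app or another machine on the LAN still need authentication, which this sketch leaves out.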
Exploiting the SmartThings Hub certificate validation problem, however, would require the ability to intercept data from the hub to the SmartThings infrastructure.
Based on the deployment model of the hub, an attacker would need control of some portion of the network route between the hub and its ‘cloud’.
A successful attack would allow a hacker free rein on compromised Wink or Vera devices.
“On Wink and Vera an attacker who had successfully exploited the targeted device and gained root access could do absolutely anything that the legitimate product owner can do (i.e. monitor or control devices, change configurations, etc.),” Young told El Reg. “Additionally the root shell can be used as a pivot point to attack other computers on the home network or act as a zombie in a DDoS attack.”
The devices themselves are embedded platforms running Linux, and many communicate via ZigBee and Z-Wave radio technologies. Hackers might be able to access them through wireless connectivity development kits, which cost around $75.