Cyber poltergeist threat discovered in Internet of Stuff hubs

Stalking threat

Home hubs represent the same class of vulnerability as insecure routers while offering the added potential of allowing hackers to act like a “cyber-poltergeist” and mess with the controls in homes, an attack more easy to carry out if miscreants were able to log onto the victims’ Wi-Fi network.

The whole thing is essentially a stalking risk rather than presenting the possibility that hackers might log into the devices remotely and unlock front doors in networked homes, or other things that would make networked homes easier to burgle.

The Wink Hub uses the same crypto key on every device, according to Young.

"These devices are marketed to consumers and not designed with security in mind," he told El Reg during a meeting at the recent Infosec trade show.

El Reg spoke to Tripwire ahead of the full publication of its research. Tripwire has notified the affected vendors.

In response to a query from El Reg SmartThings said it “was made aware of the issue in November 2014 and worked with a third party security firm to remedy it in full”.

Quirky, the company behind Wink Hub, confirmed that it had resolved the problem with older versions of its technology.

“We believe Tripwire may have been using an outdated version of our firmware as the vulnerability mentioned has been fixed,” a Quirky representative explained.

MiOS, the parent entity behind Vera, claims that the testing was done using an old 2012 version of their firmware. Any audit would only be meaningful if performed on a secured controller (users & account info/ unit settings/Secure Vera: enabled), a representative added. ®