X10 Community Forum

Topic started by: Brian H on July 27, 2013, 06:18:28 AM

Title: Insteon Web Based Home Control Compromised
Post by: Brian H on July 27, 2013, 06:18:28 AM
Found this on the web.
Interesting how some web based home control got compromised. Insteon was one of them mentioned.
Seems the default of no user name and password was part of the problem. Especially to a new user not too well versed in security.

http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

Title: Re: Insteon Web Based Home Control Compromised
Post by: dhouston on July 27, 2013, 09:12:27 AM
There are several new hubs (e.g. the LEDs that Tuicemen is working with) that might also be vulnerable. And, I wouldn't even trust passwords for this type of access.

In fact, it would be a good idea to move and/or copy this thread to a more general forum so that more people might see it.

Title: Re: Insteon Web Based Home Control Compromised
Post by: beelocks on July 27, 2013, 09:54:42 AM
Don't forget to add it to the troubleshooting list when "my lights turn on/off at random".

Additional questions to ask...

Is your HA computer attached to your network?
Do you have a password controlled network?
Are you using any remote desktop software?
Can you access your HA system from your smartphone/ipod/work computer/anywhere else?

This is also another damn fine reason NOT to connect locks and garage door openers to your HA system.

Did you also see this link?
https://securityledger.com/2013/07/breaking-and-entering-hackers-say-smart-homes-are-easy-targets/

Title: Re: Insteon Web Based Home Control Compromised
Post by: Tuicemen on July 28, 2013, 07:52:23 AM
Quote
In fact, it would be a good idea to move and/or copy this thread to a more general forum so that more people might see it.
Done.

Quote
There are several new hubs (e.g. the LEDs that Tuicemen is working with) that might also be vulnerable. And, I wouldn't even trust passwords for this type of access.
This type of LED hub is only accessible from inside your home network currently. I'm guessing until security issues are resolved that was by design.
However, using PCC you can access it from outside your LAN on the Web.

When I first got my first laptop I was surprised how many wireless networks just in my neighbourhood I could access.
People had their ISP set these up and most used their phone numbers as a password.
These either had the house street name and number as the SID or their last names.
Simply doing a reverse lookup I was able to get their passwords and get on their network.

I know much more about wireless networks now but I'm still far from a pro at it.
Users need to change their passwords and user IDs from the factory defaults.
There is far more that can be done to tighten one's network security but that's the first step that should be done.

Title: Re: Insteon Web Based Home Control Compromised
Post by: dhouston on February 21, 2014, 11:16:52 AM
In addition to the Z-Wave and Mi Casa Verde Veralight flaws described in the link cited above by beelocks, a similar flaw was found in Belkin's WeMo recently and Philips Hue was also hacked (although this appears to be a top-down Gaslight style attack enabled by another insecure device on the LAN). And, "Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes, and security cameras. Although no attacks against these devices have been found in the wild, many users may not realize they are at risk since they are unaware they own devices that run Linux."

In 2012 some security researchers (hackers?) scanned the Internet for vulnerable devices. They found more than 450 million devices of which several hundred thousand were vulnerable. Many were small embedded processors like those likely to be used in HA type devices which they incorporated in a (benign) botnet. As the IoT (Internet of Things) grows, this number is likely to grow geometrically.
Simon Mullis, another security expert who works for FireEye, has said, "Compromising lower-level devices such as simple sensors could offer hackers a way to move up the food chain toward their real target. A hacked low-level device, Mullins warns, could help inject malware into a government or company control system with more authority, and thus create a major security breach."

I would add that for us HA enthusiasts, eager to try the next HA gizmo, it also makes our home network vulnerable for things like identity theft or as participants in botnets directed at things higher up the food chain.

Title: Re: Insteon Web Based Home Control Compromised
Post by: dhouston on February 21, 2014, 05:48:13 PM
This is likely to become a security nightmare very quickly. In addition to the WeMo Crockpot and maker kit covered in the main article, check out the links to similar products at the bottom of the page linked below which, like the maker kit, will allow every Tom, Dick and Harry or Moe, Curly and Larry to do their own Thing.