🛡Home Security > Home Security General

Insteon Web Based Home Control Compromised

(1/2) > >>

Brian H:
Found this on the web.
Interesting how some web based home control got compromised. Insteon was one of them mentioned.
Seems the default of no user name and password was part of the problem. Especially to a new user not too well versed in security.

http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

dhouston:
There are several new hubs (e.g. the LEDs that Tuicemen is working with) that might also be vulnerable. And, I wouldn't even trust passwords for this type of access.

In fact, it would be a good idea to move and/or copy this thread to a more general forum so that more people might see it.

beelocks:
Don't forget to add it to the troubleshooting list when "my lights turn on/off at random".

Additional questions to ask...

Is your HA computer attached to your network?
Do you have a password controlled network?
Are you using any remote desktop software?
Can you access your HA system from your smartphone/ipod/work computer/anywhere else?

This is also another damn fine reason NOT to connect locks and garage door openers to your HA system.

Did you also see this link?
https://securityledger.com/2013/07/breaking-and-entering-hackers-say-smart-homes-are-easy-targets/

Tuicemen:

--- Quote from: dhouston on July 27, 2013, 09:12:27 AM ---In fact, it would be a good idea to move and/or copy this thread to a more general forum so that more people might see it.

--- End quote ---
Done.


--- Quote ---There are several new hubs (e.g. the LEDs that Tuicemen is working with) that might also be vulnerable. And, I wouldn't even trust passwords for this type of access.
--- End quote ---
this type of LED hub is only accessible from inside your home network currently. I'm guessing until security issues are resolved that was by design.
However using PCC you can access it from outside your lan on the Web.


When I first got my first laptop I was surprised how many wireless networks just in my neighbour hood I could access.
People had their ISP set these up and most used their phone numbers as a password.
These either had the house street name and number as the SID or their last names.
Simply doing a reverse look up I was able to get their passwords and get on their network.

I know much more about wireless networks now but I'm still far from a pro at it.
Users need to change their passwords and user Ids from the factory defaults
There is far more that can be done to tighten ones network security but that's the first step that should be done.

dhouston:
In addition to the Z-Wave and Mi Casa Verde Veralight flaws described in the link cited above by beelocks, a similar flaw was found in Belkin's WeMo recently and Philips Hue was also hacked (although this appears to be a top-down Gaslight style attack enabled by another insecure device on the LAN). And, "Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes, and security cameras. Although no attacks against these devices have been found in the wild, many users may not realize they are at risk since they are unaware they own devices that run Linux."

* http://www.ioactive.com/pdfs/IOActive_Belkin-advisory-lite.pdf
* http://arstechnica.com/security/2013/08/philips-hue-lights-malware-hack/
* http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
In 2012 some security researchers (hackers?) scanned the Internet for vulnerable devices. They found more than 450 million devices of which several hundred thousand were vulnerable. Many were small embedded processors like those likely to be used in HA type devices which they incorporated in a (benign) botnet. As the IoT (Internet of Things) grows, this number is likely to grow geometrically.

* http://internetcensus2012.bitbucket.org/paper.htmlSimon Mullis, another security expert who works for FireEye, has said, "Compromising lower-level devices such as simple sensors could offer hackers a way to move up the food chain toward their real target. A hacked low-level device, Mullins warns, could help inject malware into a government or company control system with more authority, and thus create a major security breach."

I would add that for we HA enthusiasts, eager to try the next HA gizmo, it also makes our home network vulnerable for things like identity theft or as participants in botnets directed at things higher up the food chain.

Navigation

[0] Message Index

[#] Next page

Go to full version