Home is where the hack is, at least when it came to this year’s Black Hat security conference in Las Vegas.
This week, researchers shined a light on how devices ranging from smart TVs to thermostats can be compromised by an attacker, and the increasing role IT security plays in the physical security of the home.
To Drew Porter, senior security analyst at IT consultancy Bishop Fox, physical security can now be broken down into two worlds – the analog world of locks and doors and the digital world of motion sensors and keypads.
“For a long time, the major focus of breaking physical security was on the former,” he told SecurityWeek before the conference. “Recently, the focus has been shifting toward a blend of the two worlds, known generally as building controls which are locking devices that are secured not by a physical key, as many would think, but rather, a digital signature. These devices include: RFID, biometrics, and many others. In the olden days, we used big dogs to deter intruders, now we have small motion sensors mounted on doors and in corners of rooms that sense and alert us when someone enters or moves within the premises.”
But while the digital mechanisms may provide a sophisticated shield for a home or office, Porter they can be bypassed using methods that are anything but.
“Some attacks take $2 and about ten seconds to get past,” he said. “While other attacks, such as the keypad, require around $3,000 and an understanding of the deployed tech. Sensor attacks are far less expensive and easier to conduct, but in return, only allow access to one area. Attacking a keypad gives entry to the entire security system but requires cellular knowledge as well as a few thousand dollars.”
Even though there are different makes for physical hardware, all sensors operate similarly, and therefore can be owned using similar methods, regardless of brand, he added.
“Due to a flaw in the firmware, we found a few exceptions that can totally disable an entire family of sensors,” he said. “This allowed us to develop extremely effective attacks that are cheap, easy to use, and relatively simple to build.”
But there are other ways for hackers to get into a victim’s home as well. In the case of two presentations, that way was through smart TVs. Korea University researcher Seungjin ‘Beist’ Lee discussed how some smart TVs have hardware devices like a camera or microphone that can be hijacked by an attacker and used for spying. In a separate presentation, Aaron Grattafiori and Josh Yavor of iSEC Partners discussed vulnerabilities they found in the application architecture, APIs and applications of Samsung Smart TVs. The duo uncovered a wide range of issues – which have since been fixed – including the ability to modify other existing applications on the TV and being able to access the camera API [application programming interface], Grattafiori said at a press conference about the talk.
Outside of the TV room, a lack of authentication for a home automation controller also opened a pathway to attacks. Researchers from Trustwave’s SpiderLabs demonstrated how a product called the Insteon Hub allows users to control home automation devices over the Internet, such as radio frequency deadbolts and door locks. However, because Insteon does not restrict the user in the naming of their device and the web interface does not require the user to set authentication to make requests, it was possible for an attacker to hijack them. Insteon has since recalled and discontinued the affected units.
“There are lots and lots of devices out there…non-traditional network connected devices,” Dave Bryan of SpiderLabs told members of the media Wednesday.
“Home invasion 1.0 is where somebody busts open a window, unlocks your door, comes in and takes your stuff,” he said. “Home invasion 2.0 is remote; home invasion 2.0 is not easily detected [and] does not leave traces that people would be looking for or maybe even traces at all.”
