Your home automation things are a security nightmare

Publicado por caddesigner on miércoles, 8 de abril de 2015 / Etiquetas: ,

It's not just home broadband routers that have hopeless security: according to security outfit Veracode, cloudy home automation outfits also need to hang their collective heads in shame.


With nothing but standard by-the-manual configurations and network traffic capture – but with no attacks against the devices or the cloud services – the testers reckon they turned up a variety of vulnerabilities in kit from Chamberlain Group, SmartThings, Ubi and Wink.


It seems that if you're the kind of uber-lazy gadget-fan who can't imagine pressing a button to do something voice control is possible, you're matched by uber-lazy device developers. Versacode found that all but one of the devices it tested failed even its non-hostile vulnerability tests.


The products tested were Wink's WinkHub and Wink Relay home automation controllers; Unified Computer Intelligence's Ubi always-on voice activation system; SmartThings' home automation and home access control hub; and Chamberlain Groups' MyQ Garage (an Internet interface to garage door systems) and MyQ Internet Gateway (which extends control to switches and electrical outlets).


The tests covered:




  • Whether devices supported or required cryptography to communicate with their vendors' cloud services; whether strong passwords were enforced; and TLS certificate validation. The SmartThings Hub was the only device that passed all tests.

  • Interactions with cloud services – device authentication strength, encryption in cloud interactions, MITM protection, protection of sensitive data, and protection against replay attacks. SmartThings was again the only winner; nobody else protected against MITM attacks, and nearly nobody against relay attacks.

  • The mobile interface – protection of communications between the device and a smartphone. SmartThings won again, with the caveat that there's only limited direct communications in any of the devices tested – most are routed via the cloud service.

  • Debugging security – are there debugging interfaces open, are they protected, can attackers run arbitrary code on a device? For a change, SmartThings had a slip – it allows Telnet access, but passed the other two tests; MyQ Gateway passed all tests.


The Veracode white paper is available with registration here. ®



Sponsored: Today’s most dangerous security threats






from ffffff http://go.theregister.com/feed/www.theregister.co.uk/2015/04/08/your_home_automation_things_are_a_security_nightmare/

via IFTTT

0 comentarios:

Publicar un comentario