July 30, 2013, 8:31 PM — A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave.
Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights and other sensitive systems.
The Trustwave researchers plan to discuss vulnerabilities they discovered in several such products during a presentation Thursday at the Black Hat USA security conference in Las Vegas.
One of the more interesting devices they tested was a home automation gateway system called VeraLite that's manufactured by a Hong Kong-based company called Mi Casa Verde.
The VeraLite is an embedded device that sits on a home network and can be used to control other systems connected to it. It can manage as many as 70 devices at once and is equipped to work with 750 smart systems, including lights, thermostats, surveillance cameras, alarm systems, door locks, window blinds and HVAC (heating, ventilation, and air conditioning) systems.
In its default configuration VeraLite doesn't require a username and password, so if the owner doesn't set one up intentionally, the device can be accessed and controlled by anyone from the local network, said Daniel Crowley, a security researcher at Trustwave.
Even if the device owner does create a username and password, the device can still be controlled using the Universal Plug and Play (UPnP) protocol, which doesn't have built-in support for authentication, Crowley said. You can write your own UPnP authentication feature or use an UPnP extension for it, but Mi Casa Verde didn't do this for VeraLite, he said.
VeraLite's UPnP functionality allows anyone located on the local network to execute arbitrary code on the device as root, the highest-privileged account type, giving them complete control over the system, the researcher said.
It is also possible to exploit this vulnerability from the Internet by launching a cross-protocol attack against a user who is on the same network as the device.
"If I know that someone has a VeraLite on their home network and they're at home, I can trick them into visiting a Web page that instructs their browser to set up a backdoor on their VeraLite device using UPnP," Crowley said.
Another thing that's concerning is a remote access feature in VeraLite that involves the device connecting via the Secure Shell (SSH) protocol to a remote forwarding server operated by the manufacturer, Crowley said. The user can then log in to the forwarding server via a remote Web interface and control their device, he said.