This architecture has security problems, because when the VeraLite connects to the forwarding server, the port is forwarded, Crowley said. "Connecting to a particular port on the forwarding server connects you to your VeraLite."
According to the researcher, this creates a single point of failure, because if an attacker managed to bypass the firewall protecting the forwarding server, he could get access to every VeraLite unit connected to it.
An attacker wouldn't necessarily need to compromise the forwarding server itself. Finding and exploiting a vulnerability in the Web interface or the Web server could be enough, Crowley said.
When these issues were reported to the manufacturer, the company responded that these are not vulnerabilities but intended features that exist by design, the researcher said.
It's an odd design to give users the option to create a log-in account and password and have different levels of access on the device, but then create a separate so-called feature that bypasses all of those security controls, he said.
Mi Casa Verde did not immediately respond to a request for comment sent via email.
Another product analyzed by the Trustwave researchers is the Insteon Hub, a network-enabled device that can control light bulbs, wall switches, outlets, thermostats, wireless Internet Protocol (IP) cameras and more.
"When you first set up the Insteon Hub, you're asked to set up port forwarding from the Internet to the device, so basically you're opening up access to it to anybody from the Internet," said David Bryan, a Trustwave researcher who reviewed the device after buying one to use in his house.
The Insteon Hub can be controlled from a smartphone application that sends commands to it over the local network or the Internet, he said.
When inspecting the traffic coming from his phone over the Internet and into the Insteon Hub, Bryan discovered that neither authentication nor encryption was being used. Furthermore, there was no option to enable authentication for the Web service running on the Insteon Hub that receives commands, he said.
"This meant that anybody could have turned off my lights, turned on and off my thermostat, changed settings or [done] all sorts of things that I would expect to require some sort of authorization," Bryan said.
Attackers could use Google or the SHODAN search engine, or could perform port scans, to locate Insteon Hub devices connected to the Internet, Bryan said.
Insteon, the company in Irvine, California, that manufactures the device, was notified of the issue in December, according to the researcher. A new version of the product that uses basic authentication for the Web service was released in March, he said.