Smart Home Hacked via Vulnerabilities, Social Engineering
Hacking Smart Homes – the Stuff of Horror Movies
The Smart Home is coming. In a few privileged areas, it is already here. It comprises a series of separate IoT devices, often centrally controlled by a hub, often called the Home Center. Because it is coming, its security is a growing concern. Because it is still relatively rare, that security is not yet fully understood or tested.
Researchers at Kaspersky ICS CERT had the opportunity to test smart home security when a Kaspersky VP invited them to hack his own smart home. The good news is that it wasn’t easy, but the bad news is that they succeeded. As so often happens with cyber-attacks, it wasn’t the direct jab at the front door, but the left-hook behind the defenses that succeeded. They did not directly break into the smart home hub developed by the Fibaro Group, but used social engineering to enter from the cloud.
The Kaspersky VP is clearly security aware. All known vulnerabilities in the hub had been patched out. His own password was strong, and dismissed by the researchers as a candidate for cracking. Attacking the Z-Wave protocol used by the hub to communicate with devices was also dismissed, as that would require proximity to the target. However, the VP did give them the hub’s static IP address to save them having to find it.
There is frequent communication between the hub and the Fibaro cloud. Whenever a device performs an act that needs the cloud (such as sending an SMS or email to the device owner, or uploading a backup), the device sends an HTTP request to the server with the serial number and hardware key as parameters. The keys are protected, but only the device serial number is used for scanning and checking for updates — and the serial number can be obtained via the system’s API. “This makes it quite straightforward to download any update from the cloud by serial number,” say the researchers.
They discovered an authorization error that allowed them to list the backup copies of any user, to upload backup copies, and to download them without having any rights in the system.
They then discovered a SQL injection vulnerability in the hub. SQL injection could be eliminated with a prepared-statement library sitting between SQLite and PHP; however, the hub doesn’t include one. The researchers conjecture that this could be due to the small amount of available memory and the need to reserve headroom for devices that might be added in the future. Lack of memory for security features is a common problem with IoT devices.
The Fibaro developers attempted to eliminate SQLi by other methods, but these ultimately failed, “because,” say the researchers, “the quotes can still be escaped using a backslash in the first parameter. If such a backslash is inserted, it leads to a breakout from the string context in the second parameter and potential SQL injection in the database query.”
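The escaping failure the researchers describe has a well-known general form: escaping written for one database’s string syntax does not hold for another. The Python below is an added example, not Kaspersky’s or Fibaro’s code; it uses a constructed in-memory SQLite table and a hypothetical backslash-style sanitizer to show why such escaping does not protect an SQLite query, beside the parameterized query the article says the hub lacked.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a hub's device table (not Fibaro's schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE devices (name TEXT, room TEXT)")
    con.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("thermostat", "hall"), ("camera", "garage"), ("lock", "door")],
    )
    return con


def backslash_escape(value):
    # Hypothetical sanitizer in the style of MySQL-oriented code: it prefixes
    # each quote with a backslash. SQLite does not treat backslash as an escape
    # character, so the quote still terminates the string literal.
    return value.replace("'", "\\'")


def lookup_escaped(con, name, room):
    # Vulnerable: values are escaped and then concatenated into the SQL text.
    sql = "SELECT name FROM devices WHERE name='%s' AND room='%s'" % (
        backslash_escape(name),
        backslash_escape(room),
    )
    return [row[0] for row in con.execute(sql)]


def lookup_prepared(con, name, room):
    # Hardened: the driver binds the values, so input is never parsed as SQL.
    return [
        row[0]
        for row in con.execute(
            "SELECT name FROM devices WHERE name=? AND room=?", (name, room)
        )
    ]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 1=1 --"  # constructed test input, not a real payload from the report
    print("escaped  :", lookup_escaped(db, probe, ""))   # every row leaks
    print("prepared :", lookup_prepared(db, probe, ""))  # no row matches
```

Run against the constructed table, the escaped query returns all three devices for the probe input while the parameterized one returns none; normal inputs behave identically in both.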
With this vulnerability, they retrieved a backup copy from the hub containing the SQLite database. This file contained the hub password in hashed and salted form, the location of the home using the device, the location of the owner’s smartphone, email addresses used for registration in the Fibaro system, and details on all attached devices (model, username/password in plaintext, IP addresses of devices in the internal network, etc). This means that any attacker with access to the hub also has access to every device attached to the hub.
At this stage the attackers knew what they could do if they had access to the hub, but still didn’t have that access. They dismissed the idea of trying to brute-force their colleague’s strong password. So, they turned to the hub’s interaction with the Fibaro cloud. They crafted their own special backup file with their own PHP script. They sent an email and an SMS to the user for him to update the software on the device by downloading from the cloud the backup copy they had prepared.
Their colleague recognized the email as a social engineering attempt, but did what was asked anyway. The researchers are confident that many users not expecting an attack would be fooled. Once the backup was installed, the researchers gained access to the hub and to all devices attached to it with maximum privileges. Being researchers rather than criminals, they did nothing more than change the melody of the user’s alarm clock to indicate their presence: next morning he “awoke to the soothing tones of drum & bass.”
However, it is worth considering what they learned and what they could have done had they been genuine cybercriminals. They knew the physical location of the house, they knew the geolocation of the user’s smartphone (so they knew when the house was likely to be unoccupied), and they had control over any connected devices (which could include alarms, window/door/gate opening and closing mechanisms, surveillance cameras and so on). “The havoc a villain could wreak in this situation,” they say, “is the stuff of horror movies.”
“Unlike us,” comments Pavel Cheremushkin, security researcher at Kaspersky ICS CERT, “a real attacker with access to the home center would be unlikely to limit themselves to a prank with an alarm clock. One of the main tasks of the device we studied is the integration of all ‘smart things’ so that the owner of the house can manage them from a single home center. An important detail is that our assessment targeted an actively deployed system — previously, most of the research was conducted in lab conditions. The research has shown that despite a growing awareness of IoT security, there are still issues to be addressed. Even more important, the devices we studied are mass-produced and deployed in functioning smart home networks. We thank Fibaro for its responsible attitude to the issues, as we know they are focused on cyber security, and making the home of our colleague much more secure than it was before the research.”
All vulnerabilities found in this research exercise were reported to Fibaro, and have been fixed. “Fibaro Smart Home Centers have become more secure as a result of our little experiment,” writes Kaspersky in a separate associated blog, “and we now consider them safe to use.”