Smart home apocalypse

At MWC 2018, Kaspersky Lab researchers show how easily a smart home can be hacked.

Imagine the life smart home developers want you to see: Your busy day at work is over, and you’re almost home. Your door unlocks automatically the moment it recognizes your face and your iris. The house is already warm and the light in the hall is on, music is playing quietly, and the electric kettle just turned itself off; the water in it boiled right before you stepped into your apartment.

You eat your dinner and relax on the sofa, using your smartphone to dim the lights a little and to turn on the TV. Living in a smart house makes everything very convenient — all those small daily routines are either automated or controlled with your phone.

However, there’s another scenario, equally possible. You approach the door, but it doesn’t open; it forgot your face and your iris. You knew that might happen, though, so you have an old-school physical key with you. You unlock the door and enter the unusually dark house. It’s freezing in there because the heating was not turned on two hours before, as it was programmed to do.

A few seconds later, the smart alarm goes nuts, blaring its intruder alert. It was supposed to detect your smartphone’s presence and stand down! At least something seems to be working: The TV is on already — but it is showing a real-time feed of you from the smart camera on the ceiling. And you can hear the sirens of approaching fire engines. What the heck happened? Your smart home was hacked.

This situation might come to pass if someone hacks into the smart hub that controls all of the appliances in your smart home. At Mobile World Congress 2018, Kaspersky Lab’s Vladimir Daschenko showed that it’s not so hard to do.

What is a smart hub?

A smart hub is the nerve center and the brain of your smart home. Usually it’s a small box, sometimes with a touch screen and sometimes without. Using special protocols, the smart hub talks to all of the smart devices in your house, and they talk back to it, providing information or answering commands.

If the smart hub doesn’t have a screen, it’ll have a mobile application or a Web-based service, or both, that you can use to program your smart appliances. The smart hub is needed to sync the gadgets all around your house and to command them all at once. That’s very convenient for the user, but it also means that to hack the smart home, an attacker needs to hack just one thing — the smart hub.

How a smart hub can be hacked

The smart hubs from a particular vendor (whose name we won’t disclose here) didn’t have any significant vulnerabilities in their code. However, a few logical mistakes were enough to let our expert hack in remotely, without even gaining access to the user’s Wi-Fi network.

To control the hub using the Web portal, the user sends a synchronization command from the Web interface to the hub. Under the hood, it looks like a whole configuration file being assigned to a hub with a particular serial number, which the hub then downloads and implements. The file is sent over an HTTP (not encrypted) channel, however, and the hub’s serial number is the only thing that is used to identify the recipient.

If an attacker happens to know the serial number of the hub they are going to hack, they can send a custom configuration file to the hub, and it will be accepted without any additional communications. That may sound unlikely, but users don’t usually realize that the serial number is the master key to their smart home system, so they happily publish reviews of their smart hubs on YouTube and show all of the information needed to hack the hubs — including serial numbers. As if that weren’t bad enough, it turns out that the serial numbers can be brute-forced.

The login and password for every smart hub can be found in its configuration file. The login can be extracted right away, but the password is encrypted — which is good. However, the encryption is weak and can be broken rather fast with publicly available utilities — which is bad. Further weakening protection, the vendor imposed no complexity requirements for passwords, making them easier for hackers to break.

With the login and password, a hacker can gain complete control over the smart hub and all of the devices connected to it, making the smart home’s apocalypse scenario a grim reality for the smart hub’s owner.

How to avoid a smart home apocalypse

Smart homes are relatively new to this world, so they are not very well researched and thus may be vulnerable — as our research once again unfortunately proves (we proved it before, too, showing how to hack into several other smart appliances).

The vulnerable Internet of Things

In this particular case, the vendor made several logical mistakes that, combined, made it possible to hack their smart home system. Let’s go through those mistakes once again: configuration file transmission by unencrypted HTTP, use of a serial number as the only means of authentication for configuration updates, and login-password data that is easy to extract.

What can you do to protect your smart life? With this particular hub, the solution seems to be rather simple:

  • Don’t show the serial number of your smart hub to anyone. It’s the master key to your smart life.
  • Don’t buy smart appliances second hand. Their firmwares could have been modified by previous owners to give a remote attacker full control over your smart home.

Keep in mind, however, that hackers can still use random serial numbers to try to hack into smart hubs, so unfortunately, there’s no way to ensure safety 100% in this case. For the time being, to stay on the safe side, it’s better to wait until the hubs that control smart homes are thoroughly vetted for vulnerabilities — and patched properly. In the case of this particular smart hub, the vendor is still in the process of rolling out the patch, and that’s why we won’t disclose its name. You can find more details in this post on Securelist.