{"id":22897,"date":"2019-07-01T06:00:34","date_gmt":"2019-07-01T10:00:34","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/hacking-things\/22897\/"},"modified":"2019-11-15T22:24:24","modified_gmt":"2019-11-15T11:24:24","slug":"hacking-things","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/hacking-things\/22897\/","title":{"rendered":"Hacking our boss&#8217;s smart home"},"content":{"rendered":"<p>The idea of a smart home is becoming more and more mainstream nowadays. Previously appealing mostly to geeks and people who always buy the newest toys, smart home setups have become quite popular, and a basic setup can even be affordable.<\/p>\n<p>One of our colleagues joined the smart home party and added some fancy, techie things to his new home. After he installed everything, he thought researchers from <a href=\"https:\/\/ics-cert.kaspersky.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Kaspersky ICS CERT<\/a> might have some fun playing with his new toy. Of course, security researchers\u2019 idea of a good time is trying to break new toys. And, of course, they thought it was a marvelous idea. And, of course, they succeeded. And so, of course, here is the short story of how they hacked that smart home and what they were able to do with it once they were in.<\/p>\n<h2>Hacking begins<\/h2>\n<p>The setup is as follows: The house, in a remote location, has a Fibaro Home Center Lite smart hub, which is responsible for managing all of the smart things that are connected to it.<\/p>\n<p>The smart things in the home include lights with a motion sensor that can automatically power on and off; a fridge, a stereo system, and a sauna heater that can be remotely manipulated and also turned on and off. Several smoke detectors and flood sensors, as well as a couple of IP cameras for monitoring the house are also connected to the same hub. 
And, of course, the heating system and the entrance door with a smart video doorbell are managed from the hub as well.<\/p>\n<p>All of that was connected to a home wireless network. What the security researchers knew was the model of the smart home hub and its IP address.<\/p>\n<h3>How it works: Narrowing the attack surface<\/h3>\n<p>So, how do you attack a smart home? It usually goes as follows: The team of security researchers tries to jot down all possible attack vectors, thus modeling the so-called <em>attack surface<\/em>. And then they methodically test the most promising methods and cross them off one by one until they find an attack that actually works \u2014 one they can use to penetrate the network.<\/p>\n<p>But some attack vectors are harder to exploit than others, and these also usually get cut in the process of modeling the attack surface \u2014 malefactors aren\u2019t willing to waste time and effort trying to use them, and neither was the security research team. And some attack vectors have limitations \u2014 they require the attacker to stay physically close to their target, say, and these vectors are also of no particular interest in this case.<\/p>\n<p>That\u2019s why Kaspersky\u2019s ICS CERT guys decided not to look at attacking the Z-Wave protocol \u2014 which the smart home hub uses to talk to the appliances \u2014 because it required the physical presence of the attacker near the house. 
They also discarded the idea of exploiting the programming language interpreter; the Fibaro hub used the patched version.<\/p>\n<p>Eventually, they succeeded in finding a remote <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/sql-injection\/\" target=\"_blank\" rel=\"noopener noreferrer\">SQL-injection vulnerability<\/a>, despite Fibaro\u2019s significant efforts to avoid them, and a couple of remote code execution vulnerabilities in the PHP code (for more details, <a href=\"https:\/\/securelist.com\/fibaro-smart-home\/91416\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">read Securelist\u2019s report<\/a>).<\/p>\n<p>If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, which basically means getting full control over it. It\u2019s worth noting that even the owner of the hub doesn\u2019t have such access rights and thus won\u2019t be able to override attackers\u2019 actions. But first, attackers need to be able to send commands to the device.<\/p>\n<h3>The flip side of the smart home<\/h3>\n<p>What\u2019s important about the Fibaro smart home is that it can be managed remotely from any location using the cloud. That means vulnerabilities might exist not only in the device itself, but also in the cloud that it uses, and the communication protocols it employs. As it turned out, a severe vulnerability was present in Fibaro\u2019s cloud, and it allowed the attackers to access all backups uploaded from all Fibaro hubs all around the globe.<\/p>\n<p>That is how the security research team acquired backup data stored by the Fibaro Home Center located in this particular home. 
Among other things, this backup contains a database file with a lot of personal information in it \u2014 the house\u2019s location, geolocation data from the owner\u2019s smartphone, the e-mail address used to register with Fibaro, information about the smart devices (Fibaro and non-Fibaro) in the owner\u2019s house, and even the owner\u2019s password.<\/p>\n<p>The password, however, was stored properly, being <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/hashing\/\" target=\"_blank\" rel=\"noopener noreferrer\">hashed<\/a> and <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/salt\/\" target=\"_blank\" rel=\"noopener noreferrer\">salted<\/a>. It could not be reversed easily, and was of no use to the security researchers. It\u2019s worth noting that if some of the other smart devices required passwords, these passwords were stored in the very same database without any encryption.<\/p>\n<p>The team of security researchers then crafted a special version of the backup that contained a payload in the form of a PHP script that would execute arbitrary commands sent to it remotely. After that, they used a cloud function that let them send e-mails and SMS messages to the owner, telling him something had gone wrong with his smart home and that he needed to apply an update to restore proper function.<\/p>\n<p>Of course, the infosec-savvy person who was already expecting an attack quickly realized that the request was really bait, but the average unsuspecting user probably wouldn\u2019t. So, the smart home owner played along, and that is how the attackers got access to the smart hub, along with all of the smart devices it controlled. Most important, they also gained access to the home network.<\/p>\n<h2>What happens if a smart home gets hacked?<\/h2>\n<p>Once they\u2019ve virtually broken into a smart home, attackers can control all of the smart appliances and devices connected to the home network. 
In this case, that means they could control the temperature in the house, turn on the sauna, play loud music from the stereo (something they actually did \u2014 they changed the alarm sound to a drum and bass track), print anything on a network printer and so on and so forth.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/cFA4_ZwlM9I?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>More important, they could remotely open the front door and disable security cameras and motion sensors \u2014 an easy way in to rob the house. And because they knew the coordinates of the owner\u2019s phone, they could plan the operation for when he was far from home.<\/p>\n<p>So, in general, having your smart home hacked may not hurt much, unless the attackers plan on robbing your house and hack it just to disable the security system. The lesson here is, when planning a smart home, don\u2019t rely too heavily on its security features \u2014 they can be disabled.<\/p>\n<p>We also must give some credit to Fibaro Group, which created a rather secure product \u2014 and also worked closely with our ICS CERT researchers to quickly patch the vulnerabilities they discovered. 
Fibaro Smart Home Centers have become more secure as a result of our little experiment, and we now consider them safe to use.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fibaro Smart Home Centers can be hacked, and the consequences for smart home owners are big.<\/p>\n","protected":false},"author":675,"featured_media":22898,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2646],"tags":[3146,899,658,794,3147,660],"class_list":{"0":"post-22897","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-fibaro","9":"tag-hack","10":"tag-internet-of-things","11":"tag-iot","12":"tag-kaspersky-ics-cert","13":"tag-smart-home"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/hacking-things\/22897\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/hacking-things\/16079\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/hacking-things\/13585\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/hacking-things\/6275\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/hacking-things\/17975\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/hacking-things\/16111\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/hacking-things\/14846\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/hacking-things\/18770\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/hacking-things\/17538\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/hacking-things\/23017\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/hacking-things\/6105\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/hacking-things\/27431\/"},{"hreflang":"fr","url":"https:\/\/w
ww.kaspersky.fr\/blog\/hacking-things\/11912\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/hacking-things\/11969\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/hacking-things\/10909\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/hacking-things\/19592\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/hacking-things\/23540\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/hacking-things\/18605\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/hacking-things\/22839\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/internet-of-things\/","name":"Internet of things"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/22897","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=22897"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/22897\/revisions"}],"predecessor-version":[{"id":23777,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/22897\/revisions\/23777"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/22898"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=22897"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=22897"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=22897"}],"curies":[{"name":"wp","href":"https:\/\/ap
i.w.org\/{rel}","templated":true}]}}