Jump to content

- - - - -

Home Automation and Cybercrime

Security Notice ZigBee Z-Wave X10

Trend Micro published a research paper recently, focusing on home automation and the potential security issues associated with these technologies.  The paper focuses on X-10, Z-Wave and ZigBee (I guess UPB and INSTEON aren't popular enough, or are extremely secure).
While there aren't any shocking revelations in this paper, it isn't a boring/long/dry document, so I encourage you to check it out if you have any interest in this type of stuff.
Home Automation and Cybercrime Research Paper (wp-home-automation-and-cybercrime.pdf)


Good read but I always get perturbed by this topic.  It reminds me of many conversations in the past about automated door locks and security implications.

I just don't think its realistic to conclude that the technology is chink in the armor.  The thief that is going to break into my house isn't going to sniff and hack my codes in order to learn my habits and gain unfettered entrance into my home.  He is going to see if there are any cars in the driveway and, if not, kick the door open or break a window. That's the reality of home security.  In my profession, we research these type of vulnerabilities and as far as I've seen, this type of attack has never happened.


That's why I've always told people that in my opinion, alarms and cameras are great but not the most effective tools to secure your home.  The best home security system I have ever seen is a good DOG!

Dan (electron)
Mar 16 2013 05:36 PM

Home Automation is definitely not going to expose you more to potential break-ins (it's a lot easier to bump a lock than hack a light switch), but it is interesting how IP cameras, etc. are increasingly getting more attention, since the manufacturers do such a crappy job securing the devices.

Mar 16 2013 07:04 PM

I guess that's more of my concern is the cyber hacking into existing systems via your network connection as there seems to be a lot of knowledgeable people who know this out there who seem to have the time to do this sort of thing.

I see more folks are thrilled about being able to utilize their cell phone to remote their homes; that said typically they do not care/unaware about the grey areas regarding said functionality.  It could be a teenager leaving their phone on a park bench or even one of their peers "playing" with their phone or someone leaving the cell phone at their desk at work or train seat or wherever.


Turning on or off a light or adjusting the thermostat is just a prank and really not a life saftey issue; but turning off and on an alarm, triggering an alarm for kicks is malicious and easier to do these days.   


Funny thing too as a potential thief only has to ask and said person is so thrilled with the functionality that they will show some stranger how easy it is to remote control their home. 


Most folks want to keep it simple; IE: codes and passwords are typically saved and navigation speed is more important.


Really then its as easy as picking up someone's PDA phone or tablet; shutting off the alarm, making a few bank money transfers and going on to the next PDA or phone and turning off the lights when they leave your personal cyberspace.

Mar 17 2013 01:03 PM

Good points Pete, that's why it's important for our site to keep bringing these matters up (Dan does a really good job at this as this post and his others describing how devices are being hacked are brought to our membership's attention).


I would recommend that everyone get something like wheresmydroid for their phones so they can locate, and even remotely wipe the phone if they feel it was compromised.


I really like that app myself as it has some really cool features, like sending a notification if the sim card was changed.

@ Pete - So true.  It's crazy just driving down the road by my house with wifi sniffer on my phone to see how unsecured networks there are out there.  I tell them all the time to lock it down.  So many people leave themselves exposed in so many different ways.


@BraveSirRobbin - That's a great app...and so many others to lock or reset your phone remotely if you need to.  Another big problem is folks creating thier own passwords.  We already know that passwords in general are easy enough to hack but people using codes they can remember means they are to easy to crack.  Recently I started experimenting with Lastpass to generate new and more secure passwords in a way that I can manage and pull when I need to.  


I also have been playing around with an NFC enabled Yubikey.


I use this to access my android phone and tablet.  It can be set up in many ways but in my case, I use the NFC to generate a one time password (OTP) that's transmitted in AES.  I can just swipe my phone near my pocket where the yubikey is and unlock my phone.  Without it, the phone won't unlock.  I also use it to unlock some of my vital accounts on the phone and tablet...pretty cool so far.  It's more work (though not much) but it secures my phone better than it was before.


I see potential to use these keys in different ways with regards to home automation as well but I'm not there yet.  Right now I'm just trying to get more comfortable with carrying the key itself and using it primarily for my phone and tablet which travel with me all the time.

All good points. Which is why I only use key/password protected SSH access to my home and NEVER store any codes! Further, I don't expose any of my disarm automated tasks, such as what my keyfob will trigger. It could even be from a part of your hand touching the task by mistake to make it active.... opening the garage door and disarming the alarm would't be too good!


But yeah... the punk kids around here are looking for a simple smash and grab! They don't even know what an automated system is.