Zigbee HA vs. Z Wave

Looks like I started a good thread.... :mellow:
 
The good news is that IoT security IS indeed garnering a lot of attention/research/etc from many directions.  Recent chatter on the topic on an internal discussion group in my company just today.  The academic and government research groups are active in the area. The bad news is that more and more 'bad guys' are looking that direction also.  And it's NOT a new topic.  Remember the STUXNET 'incident'??
 
And it's not only that you necessarily want your light bulbs on the internet.  It's also about un-intended paths in the network.  No-one intended to put the Jeep steering control on the internet...  Today, lots of the HA/IoT applications are using common mobile devices for UI's.  Need I say more....  I suppose one could have a mobile device that only has WiFi and that WiFi is segmented to only be internal to the house.
 
A good dialog on this thread as HA/IoT security needs to be center-stage.  And too often it's not.
 
ecborgoyn said:
No-one intended to put the Jeep steering control on the internet... 
I guess we have the intelligence to send a man to the moon, but we just can't figure out how to separate the steering controls on a Jeep from the Internet. 
 
ano said:
I think the sad fact is if Home Depot and Yahoo and LinkedIn and the US Government can't protect themselves from hackers, it's doubtful efforts to protect your light bulbs will be successful either. If you don't want your lightbulbs to be hacked, don't connect them to the Internet.  I think long-term people will learn their lesson, and the need to connect everything to the Internet will wane.  Like for example, does the possibility that a hacker might remotely control your car and cause a crash that can get you killed really outweigh the benefit that you can remotely read your car's diagnostic codes 2 feet away on your computer?  It doesn't to me.  I know I'm old-fashioned, but I live day-to-day with only Zigbee bulbs which don't connect to the Internet. 
I avoid connecting things to the Internet as much as possible but via a few bridges almost everything is connected to the Internet.

If we want to get technical, firewalls don't make any difference as they can be hacked but the effort to turn my Hues to green would be extreme, and impossible unless they break into my home, break the bulbs' glass, and replace an LED inside them with a green one. :)
 
ano said:
... but we just can't figure out how to separate the steering controls on a Jeep from the Internet. 
 
It's not so much a matter of can't, which I assume is what you meant to type, but that engineers made choices on how things got connected and that led to unintended access.  I'm not familiar with any of the details, but I'd be curious to know what justifications went into the design choices.  In many situations someone takes the easy route, resulting in leaving something open to abuse.  Not using security certificates is a common IT mistake, mainly because someone can't explain what paying for them really accomplishes (which would be well off-topic, so let's not bother).  Or barely getting something running in time for a ship date and never going back and completing the intended security code.  Someone in middle manglement decides "it's working, so stop spending money on it".  Etc...
 
In the Jeep case the hackers' aim is to stop the integration of control CPUs in vehicles from the entertainment CPUs/busses.

I am not sure whether they are sharing a CPU to all the car's automation or just that CPUs can talk to each other. The outside world connected CPUs can be hacked to access the control CPUs.

They stated Toyotas can be hacked also but only with some attached device.
 
LarrylLix said:
I avoid connecting things to the Internet as much as possible but via a few bridges almost everything is connected to the Internet.

If we want to get technical, firewalls don't make any difference as they can be hacked but the effort to turn my Hues to green would be extreme, and impossible unless they break into my home, break the bulbs' glass, and replace an LED inside them with a green one. :)
 
A story was just posted over on reddit where someone used a drone to remote hack a Hue bridge and use the over the air firmware update capability to install malicious code on the Hue. So it's apparently not THAT difficult. And that's not to just change the color of your lights, that gets them inside your network.
 
the Hue hack via drone is a zigbee stack hack, not an IP hack.  so yeah, they can control your bulbs, but won't have access to protected data.
 
for the most part, as long as you don't open any ports to the outside, and have a level of comfort with your internal devices not 'phoning home' (not cheap Chinese cams), then you'll be fine against all but the most directed attacks.  and if you're the subject of a directed attack, you're either incredibly unlucky or should be in a position to know better.   :)
 
i think security threats are real, but they end up blown way out of proportion.  i mean, this isn't some dude sitting at a cafe in Russia directly attacking your 5 device home network; it's a scripted attack using the most generic of vectors.
 
It implied that they were able to use the over the air firmware update capability to install their own firmware on the device. That would effectively give them a node inside your network. So they hack Zigbee and use that as a vector to install firmware, which then means that they have code running inside your home now.
 
At least that was what seemed to be implied in the summary.
 
This is good to know about the Philips Hub.
 
I never punch holes in my firewall for a Philips Hub. I do for other things that could operate the hub, but the packets issued are restricted to just what I put in. Controlling my bulb colours from afar, is just too Mickey Mouse for me. Cool for the first 5 minutes only.
 
With  Philips you just have to do a low-tech power blink to turn them all on to 100% white. A simple seal cut and pull my hydro meter off would do that.
 
I don't use any HA door locks or other sensitive HA devices. I already don't carry keys for my vehicle or house, and I am not going to scramble to dig a mobile phone out of my pocket, turn it on, run some stupid app, while my arms are full of grocery bags, to get into my house. Complete abuse of the technology.
 
Bad Philips! Must have been a female engineer, leaving a back door open..
 
But, again, if I read the summary right, none of that matters. It sounds like the Hue allows for firmware upgrade over Zigbee. Which means that they can get malicious code on the Hue hub directly, bypassing your network protections. Once they do that, they now have code running inside your network, which can now make outward connections to wherever and download more stuff, maybe packet sniffers or whatever. Or of course they could just use you in DOS attacks as well. None of your safety precautions would protect you against that.
 
Of course in many homes they could probably password attack the router successfully, then they could open up any ports they want and so forth.
 
Dean Roddey said:
But, again, if I read the summary right, none of that matters. It sounds like the Hue allows for firmware upgrade over Zigbee. Which means that they can get malicious code on the Hue hub directly, bypassing your network protections.
 
Not the hub, the bulb itself; they were attacking the bulb.  They actually brought the bulbs into their own dedicated network.
 
Oh, OK. I missed that bit. Sometimes I don't get the details because, being completely paranoid, I never click on any of those links.
 
jkmonroe said:
Not the hub, the bulb itself; they were attacking the bulb.  They actually brought the bulbs into their own dedicated network.
 
This is why I brought up the article to begin with.  So presumably even in a system closed off from the internet completely, if it has zigbee devices there is a way to infect the system.  This doesn't keep me up at night, but it really surprised me.  I expect IP exploits.  A zigbee exploit was new to me.
 
Yeah; and this is why you should buy from established companies.  The exploit has already been patched by Philips.
 
But we all should know that most RF comms will be vulnerable to some form of attack (BT, ZWave, Zigbee, well - just about any RF in general).
 
Dean Roddey said:
It sounds like the Hue allows for firmware upgrade over Zigbee. 
 
WHY would they do this?  What legitimate reason would a device like a hub need to get updates from a network pretty much devoid of 3rd party security tools?  
 
If that's what happened then it goes right to the heart of security needs to be considered during the design stage.  And features should not be enabled without legitimate, demonstrated needs in the field.
 