Each year in Las Vegas, elite hackers from around the world gather at DEFCON to discuss the latest trends in computer network security. Do some googling if you are interested in learning more about the event…
This year, Daniel “unicornFurnace” Crowley, Jennifer Savage and David Bryan will present a topic that should cause professionals in the architecture, engineering, construction, insurance and legal industries to take notice. Their presentation is called, Home Invasion 2.0 – Attacking Network-Controlled Consumer Devices.
In a recent article in Forbes, Kashmir Hill (no relation) describes how she was able to easily gain control over strangers’ home automation equipment:
Googling a very simple phrase led me to a list of “smart homes” that had done something rather stupid. The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search engines – meaning they show up in search results — and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion.
Thomas Hatley’s home was one of eight that I was able to access. Sensitive information was revealed – not just what appliances and devices people had, but their time zone (along with the closest major city to their home), IP addresses and even the name of a child; apparently, the parents wanted the ability to pull the plug on his television from afar. In at least three cases, there was enough information to link the homes on the Internet to their locations in the real world. The names for most of the systems were generic, but in one of those cases, it included a street address that I was able to track down to a house in Connecticut.
Unfortunately, that is just one example. Crowley, who runs a security consulting firm called Trustwave, found other vulnerabilities:
He and his colleague found security flaws that would allow a digital intruder to take control of a number of sensitive devices beyond the Insteon systems, from the Belkin WeMo Switch to the Satis Smart Toilet. Yes, they found that a toilet was hackable. You only have to have the Android app for the $5,000 toilet on your phone and be close enough to the toilet to communicate with it.
“It connects through Bluetooth, with no username or password using the pin ‘0000’,” said Crowley. “So anyone who has the application on their phone and was connected to the network could control anyone else’s toilet. You could turn the bidet on while someone’s in there.”
Tickets are still available for this year’s DEFCON event which kicks off August 1st. One word of advice if you do decide to attend: disable all network communications on any advice you have, or better yet, don’t bring any device with you. Just google “wall of sheep” to see why…