If there’s one thing we should have learned over the years, it’s that there’s no such thing as a secure system connected to the Internet.
Apparently we haven’t learned that lesson yet.
One of the up-and-coming trends these days is to link home automation systems to home security systems. Comcast’s XFINITY system allows you to connect your lights and thermostat. So do AT&T’s My Digital Life, ADT’s Pulse system, and less well-known vendors’ systems.
They also let you reach the connected devices via the web and smartphone apps. Check the cameras from work, turn up the heat if your dog is cold, make sure your kids are home from school, and that they don’t have unauthorized guests.
They also let you arm and disarm the security system remotely. “Forgot to set the alarm? No problem! Want to turn off the alarm and turn on the lights as you walk up from the curb? Easy!”
The problem? For obvious reasons, most of the systems use standard parts (controllers, sensors, etc.) that use one of a small set of standard protocols for communication and control. Arguably the most popular is the Z-Wave wireless protocol; several presentations at the upcoming Black Hat USA and Def Con conferences will highlight vulnerabilities in Z-Wave. Worse yet, a presentation two years ago pointed out that only one device was using encrypted communication, and it was incorrectly implemented such that an eavesdropper could easily intercept the encryption keys and decrypt all of the traffic.
Cheerful thought, huh? It gets better: the latest systems even let you lock and unlock the doors. No need to carry a key any more. And now, no need for burglars to break down your door, either. Just hack the system and check the cameras to make sure nobody is home. If not, turn off the alarm, unlock the door, turn on the lights, and help yourself.
Alarm companies tell us the advantage of an alarm is that it encourages burglars to move on to a neighbor who doesn’t have an alarm. If it’s true though, and if the systems are really as vulnerable as the crackers say, it’s not going to take long before there are “one-click” security crackers similar to programs for cracking webcams. Why risk the noise of breaking a window when you can install an app on your stolen, jailbroken iPhone and walk right in?