{"id":226,"date":"2008-03-17T22:57:31","date_gmt":"2008-03-18T06:57:31","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/03\/17\/226\/"},"modified":"2008-03-17T22:58:56","modified_gmt":"2008-03-18T06:58:56","slug":"226","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/17\/226\/","title":{"rendered":"Security Review: Wireless Home Automation Systems"},"content":{"rendered":"<p>Summary: Home automation systems in general attempt to enable homeowners to have a &#8220;smart&#8221; house. Instead of light switches you have integrated panels that control everything from your lights, to your shades, to your entertainment system, climate control, alarm system, motorized locks, etc. Some such systems, like those offered by Control4, use wireless communications between the panels and the devices they control. Some also have integration with cell phone applications. One of the selling points for these systems is that they improve security.<\/p>\n<p><!--more--><\/p>\n<p>Assets:<\/p>\n<p>&#8211; The security of your home.<\/p>\n<p>&#8211; The proper and desired functionality of your home automation.<\/p>\n<p>Adversaries:<\/p>\n<p>&#8211; Any malicious individuals wanting to gain access to your home by exploiting home automation.<\/p>\n<p>&#8211; Vandals or pranksters who wish to disrupt the functioning of your home automation system.<\/p>\n<p>Weaknesses:<\/p>\n<p>&#8211; Information is communicated wirelessly from control panels in your home to the devices they control. These can be security cameras, motorized locks, an alarm system, or even something benign like climate control. As far as the available information indicates, the communication is done over Z-Wave, which is a publicly described protocol for appliance networking. This means that the devices in the home will be susceptible to outside interference and signals. 
(Z-Wave uses something called a &#8216;home code&#8217;, which is a 32-bit signature that all the devices are marked with to make sure they only communicate with devices with the same &#8216;home code.&#8217; However, it is noted in the specification that an attacker could easily forge the home code and join the network of Z-Wave devices.) Even if some sort of crypto is used on top, if it is not done properly it will be susceptible to replay, man-in-the-middle, and all the other classic forms of attack.<\/p>\n<p>&#8211; Furthermore, the cell phone application can take one of two forms. It is either a web application that a user with a data-enabled mobile device can use (and thus has to be evaluated for security as any web app would be &#8211; except in this case alarm systems and security camera feeds are involved), or it is an application somehow attempting to authenticate via the use of the cell phone. In the latter case, the only identifying information conceivable is that stored on the SIM card &#8211; but as we have already seen, we can clone these!<\/p>\n<p>Defenses:<\/p>\n<p>&#8211; Real security with good crypto MUST be used for appliance networks. Luckily this problem has long been solved in computer networks \ud83d\ude42<\/p>\n<p>&#8211; I question the validity of making resources as sensitive as security camera feeds available via web applications that are visible on the internet &#8211; chances are there is a security flaw somewhere and an attacker can see into your house.<\/p>\n<p>Risk Analysis:<\/p>\n<p>I think the risks here are quite real. 
Individuals with such expensive integrated home automation systems probably have very nice houses, and these systems can in fact give potential adversaries more avenues for attack.<\/p>\n<p>Conclusion:<\/p>\n<p>I am not trying to say these systems are &#8220;bad.&#8221; I think the idea is extremely cool, but to boast about how they improve security seems strange when they have potentially only weakened it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Home automation systems in general attempt to enable homeowners to have a &#8220;smart&#8221; house. Instead of light switches you have integrated panels that control everything from your lights, to your shades, to your entertainment system, climate control, alarm system, &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/17\/226\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":51,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,9,5],"tags":[],"class_list":["post-226","post","type-post","status-publish","format-standard","hentry","category-physicalsecurity","category-privacy","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/51"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=226"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/226\/revisions"}],"wp:attachment":[{"href":"https:\/\/se
cblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}