If you added a home automation system to create your version of a "smart" house, it could give you access from anywhere in the world to remotely control your lights, door locks, house temperature, electric appliances, water valves, alarm system, garage door, the ability to open and close your shades and blinds, or even to turn on music and crank up the volume. While that might seem pretty sweet, it also can be pretty vulnerable. If you use the Z-Wave wireless protocol for home automation then you might prepare to have your warm, fuzzy, happiness bubble burst; there will be several presentations about attacking the automated house at the upcoming Las Vegas hackers' conferences Black Hat USA 2013and Def Con 21.
Home automation devices are easy to spot with Shodan, a search engine for hackers, aspointed out by its creator John Matherly. And the home automation market forecast is predicted "to exceed $5.5 billion in 2016." Despite the technology having been available for over a decade, and many of these automation systems being extremely vulnerable, having a "smart house" has become very trendy.
Exploiting houses with home automation may not be low-hanging fruit for malicious hackers, but with its increasing popularity and expanding product lines, we will see it gaining more attention from hackers who realize how insecure many of these systems actually are. For example, CEDIA IT Task force member Bjorn Jensen said, "Today, I could scan for open ports on the Web used by a known control system, find them, get in and wreak havoc on somebody's home. I could turn off lights, mess with HVAC systems, blow speakers, unlock doors, disarm alarm systems and worse."
The Z-wave wireless protocol is particularly popular in regards to home automation; according to the Z-Wave facts, there are "over 700 interoperable products available, 12 million Z-Wave products worldwide." They are "supported by over 160 manufacturers and service providers throughout the world," and can be "found in thousands of hotels, cruise ships, and vacation rentals; including 65,000 devices in the flagship Wynn Hotel in Las Vegas, NV."
Yet at Def Con 19 in 2011, Rob Simon and Dave Kennedy showed off how to hack home and business automation over the power lines; they said that "Zwave power-over-broadband technology supports AES encryption," but Kennedy explained that "It's possible to sniff those encryption keys when initializing the devices and inject packets." In fact, theyadded "The one device they found that was using it, implemented the encryption incorrectly - the key exchange was done in the clear so an attacker could intercept the keys and decrypt all of the communication." There has otherwise been "almost no public security research done on the Z-Wave protocol."
Sign up for Computerworld eNewsletters.