Internet of malicious things: Yale home automation vulnerable
The Yale Home System (Europe) Android application vulnerable to a man-in-the-middle attack due to TLS errors .
Yale home automation app
The development of smart home technologies has not come without its vulnerabilities, it appears.
As a species within the higher class of technology we now know as the Internet of Things (IoT), smart home controls exist to control heating, lighting, security surveillance and a variety of other functions.
Penetration testing and vulnerability assessment firm MWR InfoSecurity has issued an advisory detailing a vulnerability it has discovered in the Yale Home System (Europe) Android application. The app itself acts as remote smartphone-based software to control the Yale Easy Fit SmartPhone alarm system with arm and disarm tasks as well as a camera function.
A vulnerability was discovered that could allow an attacker to perform a man-in-the-middle attack, bypassing the software's protection layer and executing arbitrary commands on the Android device with the permissions of the home system app. The Yale Home System Android application is based upon a Webview – a feature of Android that allows applications to display HTML content within their apps.
The smart home family is growing
Although the particular vulnerability in question here ‘could' be quite damaging, this particular app has enjoyed comparatively limited user popularity with (according to Google) only between 1,000 and 5,000 downloads. Other software in this same category includes (but is not limited to): Honeywell EvoHome, Heat Genius, Nest learning thermostat, Hive Active Heating from British Gas, Tado and Netatmo Thermostat for Smartphone.
Robert Miller, senior security researcher at MWR explained that his team performed a number of tests on the Yale application and discovered that the Webview used was configured to ignore TLS errors. Transport Layer Security (TLS) is a cryptographic protocol in the same family as Secure Sockets Layer (SSL) that performs ‘handshakes' and other related functions between data connections to create security controls.
“This [ignoring of the TLS errors] means that, if the network traffic were intercepted by an attacker, the application would ignore the security warnings and continue communicating, allowing the attacker to read and alter the communications between the application and the server. As the application is used to control and monitor the home alarm, it is likely that the attacker could control the alarm system if the vulnerability were exploited,” said Miller.
MWR InfoSecurity says it alerted Yale to the issue with its application as far back as July of this year. It has subsequently worked with the company to resolve the vulnerability.
Neither confirm, nor deny
A statement from Yale adds, “Yale's policy is neither to confirm nor deny any reports about the security of Yale products.” As bewildering as this might at first sound, the company explains that any comment could inadvertently disclose information that might aid criminal activity. The company recently released a new version of the Android app for this product, which is now available to all customers to download and update through the Google Play store and this version further improves the app.