Internet of malicious things: Yale home automation vulnerable

News by Adrian Bridgwater

The Yale Home System (Europe) Android application vulnerable to a man-in-the-middle attack due to TLS errors .

The development of smart home technologies has not come without its vulnerabilities, it appears.

As a species within the higher class of technology we now know as the Internet of Things (IoT), smart home controls exist to control heating, lighting, security surveillance and a variety of other functions.

Penetration testing and vulnerability assessment firm MWR InfoSecurity has issued an advisory detailing a vulnerability it has discovered in the Yale Home System (Europe) Android application. The app itself acts as remote smartphone-based software to control the Yale Easy Fit SmartPhone alarm system with arm and disarm tasks as well as a camera function.

A vulnerability was discovered that could allow an attacker to perform a man-in-the-middle attack, bypassing the software's protection layer and executing arbitrary commands on the Android device with the permissions of the home system app. The Yale Home System Android application is based upon a Webview – a feature of Android that allows applications to display HTML content within their apps.

The smart home family is growing

Although the particular vulnerability in question here ‘could' be quite damaging, this particular app has enjoyed comparatively limited user popularity with (according to Google) only between 1,000 and 5,000 downloads. Other software in this same category includes (but is not limited to): Honeywell EvoHome, Heat Genius, Nest learning thermostat, Hive Active Heating from British Gas, Tado and Netatmo Thermostat for Smartphone.

Robert Miller, senior security researcher at MWR explained that his team performed a number of tests on the Yale application and discovered that the Webview used was configured to ignore TLS errors. Transport Layer Security (TLS) is a cryptographic protocol in the same family as Secure Sockets Layer (SSL) that performs ‘handshakes' and other related functions between data connections to create security controls.

“This [ignoring of the TLS errors] means that, if the network traffic were intercepted by an attacker, the application would ignore the security warnings and continue communicating, allowing the attacker to read and alter the communications between the application and the server. As the application is used to control and monitor the home alarm, it is likely that the attacker could control the alarm system if the vulnerability were exploited,” said Miller.

MWR InfoSecurity says it alerted Yale to the issue with its application as far back as July of this year. It has subsequently worked with the company to resolve the vulnerability.

Neither confirm, nor deny

A statement from Yale adds, “Yale's policy is neither to confirm nor deny any reports about the security of Yale products.” As bewildering as this might at first sound, the company explains that any comment could inadvertently disclose information that might aid criminal activity. The company recently released a new version of the Android app for this product, which is now available to all customers to download and update through the Google Play store and this version further improves the app.

Other vulnerabilities in the new smart home space have included everything from electronic garage doors (the MyQ Garage system from Chamberlain for the US market) to home ‘white goods' appliances.

A Veracode white paper study on this topic concluded, “Already, broad-reaching hacks of connected devices have been recorded and will continue to happen if manufacturers do not bolster their security efforts now. In this light, Veracode's research team examined six Internet-connected consumer devices and found unsettling results.”

IoT hacks from people that you know

As a now viral customer review on Amazon makes clear, smart home devices can be exploited without any actual degree of hacking by people that we all know. One recently jilted ex-husband could still control the thermostat in his ex-wife's home through the Honeywell WiFi thermostat app installed on his smartphone.

The reviewer calling himself The General wrote, “Since this past Ohio winter has been so cold I've been messing with the temp while the new love birds are sleeping. Doesn't everyone want to wake up at 7 AM to a 40-degree house? When they are away on their weekend getaways, I crank the heat up to 80 degrees and back down to 40 before they arrive home. I can only imagine what their electricity bills might be. It makes me smile. I know this won't last forever, but I can't help but smile every time I log in and see that it still works.”

Co-founder of technology analyst house RedMonk,  James Governor, spoke to SCMagazineUK.com directly on this story to say that ‘security by obscurity' is not an effective approach to information or home security.

“Back doors are always bad news. Adopting open source technology without seemingly adopting modern security policies makes very little sense. Cloud-based systems can be more secure than traditional proprietary on premises ones, because of the ability to monitor the entire estate and make automated system changes across it; but they are not inherently more or less so.”

Governor continued, “Open source meanwhile enables more people to identify bugs. All that being said, we should not react too strongly to scare stories, but rather fix vulnerabilities as we find them and keep customers informed. If Yale is to use the cloud to support its IoT rollouts it needs modern approaches to IT security.”

CEO and CTO of Sparkl, Jacoby Thwaites, also spoke to SC to say that the problem at the moment is that IoT means a whole lot of security holes and a raft of complexity because there is no standard abstraction that makes everything work together.

“Everything currently described as being an Internet of Things application or gadget for the smart home is soup-to-nuts, that is to say everything comes with its own prescribed connectivity and management app,” said Thwaits. “Embroidering links between all of these things by hand is unspeakably unscalable.  The abstraction is key to realising the full potential of the IoT – the Internet of things needs to be about the inter-operation of things."

If they haven't already, all users should update to the latest version of the Yale Home System (Europe) Android application. This is version 1.11 at time of writing. 

Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events