Three of the top-selling smart home systems on Amazon have significant zero-day flaws that, if successfully exploited, would enable hackers to identify when people are out of their homes.
Smart home hubs are used to control lighting, heating, locks and cameras in people’s homes. In order to understand the risks associated with smart home hubs, Tripwire’s Vulnerability and Exposure Research Team (VERT) found that these devices can be used as a gateway to inflict physical damage to a home, and ironically, actually make homes less secure.
According to Tripwire, the flaws would also allow attackers to change alarm settings, open locks without authorization, use the smart hubs to mount DDoS attacks, and access local area networks.
Currently, two out of the three vendors have patched these reported flaws; however, one vendor’s smart home system remains at risk. If left unpatched, some of the vulnerabilities revealed in the analysis could be exploited through malicious web pages or smartphone applications, and execute commands with system level access.
“Smart home hubs are steadily growing in popularity; however, as with many consumer technology products, functionality has trumped security,” said Craig Young, security researcher for Tripwire. “Smart home hubs enable users to have control over the connected devices in their house, but they also open new doors for criminals. The threat is relatively low for now, but it will increase as malicious actors recognize how much information can be gained by attacking these devices.”
There’s also the opportunity for sheer mischief. “For example, many of these devices interface with heating, ventilating and air conditioning controls. An attacker could turn off the heat on a freezing cold night while a family sleeps or worse, when the family is away for the weekend, causing pipes to freeze and burst.”
Smart home hubs that are vulnerable to remote code execution could allow attackers to migrate from a breached computer to the hub, effectively hiding themselves on the network.
“In addition, a cross-site request forgery could allow malicious actors to manipulate device settings every time the consumer surfs the web or opens an email,” said Tyler Reguly, manager of security research at Tripwire. “The risks are real, and the points of entry are numerous. Vendors need to acknowledge vulnerabilities and issue updates on a regular basis, and consumers need to realize the risks and apply vendor issued updates.”