
Anonymous hacked/attacked ISY


heyfrank


Has anyone encountered anything such as this recently? About two of our ISYs were hacked and making switches go 100% and the off function to turn the lights off for a second and back on 100%. The thermostat as well they set to 30 degrees F to turn the AC on in the middle of winter... They also were able to get into the Insteon wireless cameras as well it seems. There was a scene named "facepunch.com" as well, not so sure what this site is used for or why it was left in a device name, as well as what looked to be a username "Terminutter" (which is also a scene name) when I did some research into the site.

 

I know the default username and password was most likely the reason it was hacked, as well as keeping it on a common port. Those are issues I've already addressed and secured. But I'm just curious if anyone else has come across such a thing.

 

I attached a screenshot as well.

[attached screenshot]


Not with an ISY but I have seen other scenarios where people didn't take the time to implement basic security measures with IP cameras and other IP based devices. Lesson learned, I hope.

Personally what I see is a bit childish and funny, but others might take offense to your pic, just an FYI.

 

At least ISY doesn't store your Credit Card for anything...

Has anyone encountered anything such as this recently? About two of our ISYs were hacked and making switches go 100% and the off function to turn the lights off for a second and back on 100%. The thermostat as well they set to 30 degrees F to turn the AC on in the middle of winter... They also were able to get into the Insteon wireless cameras as well it seems. There was a scene named "facepunch.com" as well, not so sure what this site is used for or why it was left in a device name, as well as what looked to be a username "Terminutter" (which is also a scene name) when I did some research into the site.

 

I know the default username and password was most likely the reason it was hacked, as well as keeping it on a common port. Those are issues I've already addressed and secured. But I'm just curious if anyone else has come across such a thing.

 

I attached a screenshot as well.

 

Too funny! :mrgreen:

 

Teken . . .


The Vera was (to my knowledge) one of the most public. Reason being, by default, it does not use a username or password at all when accessed from the LAN. Many people leave it that way 'for convenience' then act all surprised when their door can get unlocked. Go figure.

 

My guess, no SSL (or default certificate) used - or Username and password left default, or easily brute-forcible.

 

Edit: just saw that OP listed a default user name and password was in use.

  • 2 weeks later...

Funny, but not only did they hack themselves into your ISY, but more important is that in order to do this they need to be on your network. Are you securing your WiFi network?

 

For your WiFi I would:

* Enable WPA

* Change WiFi password

* Change password for your router

* Change SSID name

* Disable SSID Broadcast

Funny, but not only did they hack themselves into your ISY, but more important is that in order to do this they need to be on your network. Are you securing your WiFi network?

 

For your WiFi I would:

* Enable WPA

* Change WiFi password

* Change password for your router

* Change SSID name

* Disable SSID Broadcast

Does this mean they even ran the Admin Panel to edit the ISY?

You also got some nasty Trojan on your PC to get rid of I would think.

Funny, but not only did they hack themselves into your ISY, but more important is that in order to do this they need to be on your network. Are you securing your WiFi network?

 

For your WiFi I would:

* Enable WPA

* Change WiFi password

* Change password for your router

* Change SSID name

* Disable SSID Broadcast

Disabling SSID Broadcast is really pointless - does nothing but make it more difficult for you.

 

The SSID is still 'broadcast' - it's just suppressed from display.

Does this mean they even ran the Admin Panel to edit the ISY?

You also got some nasty Trojan on your PC to get rid of I would think.

Admin Panel/Console was definitely used, but was started from the hackers browser. They did not have any access to OP's computer and he did not get any virus/Trojans.


I don't think I would qualify leaving the default username/password and making the ISY available to the internet as "hacked".

 

Funny, but not only did they hack themselves into your ISY, but more important is that in order to do this they need to be on your network.

 

* Disable SSID Broadcast

 

Why do you say that? There's nothing to indicate that they were "on the network". He said it was available to the internet on the default port with the default username/password. Thus no need for local access.

 

As someone else already mentioned, disabling SSID broadcast provides no security against hacking. The SSID is still sent in clear text during beacons by clients for association. It just makes it more difficult for some devices to associate.

I don't think I would qualify leaving the default username/password and making the ISY available to the internet as "hacked".

 

Why do you say that? There's nothing to indicate that they were "on the network". He said it was available to the internet...

Now we're just playing with words. Either they were connected to his wifi network - maybe no wifi password. Or they figured out the public IP address of his router (from his network provider?) and that OP managed to open up the address/port of the ISY in that router using default port. Not an easy task. I vote for the first one - wifi.

 

Anyhow, let's close this until OP comes back with more facts.

  • 1 year later...

After reading all comments and considering several people open their ISY to the "wild web" I was wondering if there is any brute force attack prevention on the ISY, let's say, if there are more than x wrong passwords do something.

 

For sure it should be considered, it could be a notification and also a "growing wait time to release again the access" (i.e. 3 errors, 1 minute; each additional password error, exponential growth).

 

I know people may complain, but I'd rather have to power cycle my ISY to reconnect than reinstall it after a hacking session...

 

 

 

MF_Bra


After reading all comments and considering several people open their ISY to the "wild web" I was wondering if there is any brute force attack prevention on the ISY, let's say, if there are more than x wrong passwords do something.

 

For sure it should be considered, it could be a notification and also a "growing wait time to release again the access" (i.e. 3 errors, 1 minute; each additional password error, exponential growth).

 

I know people may complain, but I'd rather have to power cycle my ISY to reconnect than reinstall it after a hacking session...

 

 

 

MF_Bra

 

In the past many of us have asked that the next firmware drop increase the number of characters that can be used. Say from 8-10 to 12-16 characters. The system should also have user set attempt value from 3 to what ever they desire. Once this threshold has been exceeded there should be a user definable time out.

 

Most systems allow it to be timed out for 3-15 minutes . . .

 

Even better if the system could send a two form authentication via its e-mail feature. I've always mused about being able to create a custom e-mail which the system upon user login would ask the person to take the inbound e-mail and enter what ever pass phrase was used in conjunction with the user name / password.

 

That would be extremely hard for the casual hacker to determine and breach. 


After reading all comments and considering several people open their ISY to the "wild web" I was wondering if there is any brute force attack prevention on the ISY, let's say, if there are more than x wrong passwords do something.

 

For sure it should be considered, it could be a notification and also a "growing wait time to release again the access" (i.e. 3 errors, 1 minute; each additional password error, exponential growth).

 

I know people may complain, but I'd rather have to power cycle my ISY to reconnect than reinstall it after a hacking session...

 

 

 

MF_Bra

I do like the lockout functions that many security schemes use. After three bad passwords a lockout of say 3-5 minutes would stop most trial and error password sniffers. Even my keypad doorlocks use this simple technique.

 

A very common technique the lockout on password failure should be easy for UDI to implement and present very little or no hardship to any user.

 

Three to five minutes would be about right to access your password vault (wife) and confirm your password.

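The three posts above ask for the same thing: a notification plus a lockout that starts after three bad passwords and grows with every further failure. This is an added illustration, not ISY firmware or anything UDI has published, of what that policy looks like in Python. The numbers (3 free failures, 60 s, doubling, capped at an hour), the client addresses and the notify hook are all assumptions chosen to match the suggestion in the thread.

```python
import hmac
import time
from dataclasses import dataclass


# Hypothetical policy values, chosen to match the suggestion above (3 errors,
# then a 1-minute wait, doubling on each further error). They are not ISY
# settings; the device has no such feature as of this thread.
FREE_FAILURES = 3           # failures allowed before the first lockout
BASE_LOCKOUT_SECONDS = 60   # wait imposed after the third failure
MAX_LOCKOUT_SECONDS = 3600  # cap so the back-off cannot grow without bound


@dataclass
class ClientState:
    failures: int = 0          # consecutive bad passwords from this client
    locked_until: float = 0.0  # clock value at which the lockout expires


class LoginThrottle:
    """Per-client lockout with exponential back-off after repeated bad passwords."""

    def __init__(self, password, notify=None, clock=time.monotonic):
        self._password = password.encode()
        self._notify = notify or (lambda message: None)  # e.g. send an e-mail
        self._clock = clock                               # injectable for testing
        self._clients = {}

    def lockout_seconds(self, failures):
        """Wait imposed after the given number of consecutive failures."""
        if failures < FREE_FAILURES:
            return 0
        return min(BASE_LOCKOUT_SECONDS * 2 ** (failures - FREE_FAILURES),
                   MAX_LOCKOUT_SECONDS)

    def seconds_until_unlocked(self, client):
        state = self._clients.get(client)
        if state is None:
            return 0.0
        return max(0.0, state.locked_until - self._clock())

    def attempt(self, client, password):
        """Returns (accepted, reason); reason is "ok", "bad_password" or "locked"."""
        state = self._clients.setdefault(client, ClientState())
        now = self._clock()
        if now < state.locked_until:
            # Refuse without comparing: a locked client must learn nothing,
            # even if this particular guess happened to be right.
            return False, "locked"
        # Constant-time comparison so response timing does not leak how many
        # leading bytes of the guess were correct.
        if hmac.compare_digest(self._password, password.encode()):
            state.failures = 0
            return True, "ok"
        state.failures += 1
        wait = self.lockout_seconds(state.failures)
        if wait:
            state.locked_until = now + wait
            self._notify(f"{client}: {state.failures} bad passwords, locked {wait}s")
            return False, "locked"
        return False, "bad_password"


if __name__ == "__main__":
    throttle = LoginThrottle("correct horse battery", notify=print)
    for guess in ["123456", "password", "admin", "correct horse battery"]:
        print(guess, throttle.attempt("203.0.113.9", guess))
```

Two caveats a practitioner would weigh before shipping this on a device exposed to the internet. Keying the lockout by client address means a guesser behind a large NAT locks out everyone sharing that address, and conversely a single attacker can keep the legitimate owner locked out indefinitely, which is the trade the poster above says they would accept. The clock is injectable so the back-off schedule can be unit-tested without sleeping.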

Another option is we could figure out a way to proxy through Apache running on a Raspberry Pi, then logs could possibly be monitored and bad actors blocked.

 

There's a few big concerns I see with security on the ISY:

 

- SSL is so slow as to be almost unusable

 

- Can't proxy SSL through another machine and still get live updates or Admin console

 

- Doesn't support HTTP Digest authentication, so that even if HTTP (not HTTPS) is used to work around the above problems, at least your password is still mostly protected (though still vulnerable to MITM attacks)

 

- Doesn't support multiple user accounts or an API key, so at least you could have throw-away passwords

 

If any of these points could be addressed (particularly the first three) I think it would do a lot for the security of the ISY


Archived

This topic is now archived and is closed to further replies.

