DEFCON - Insteon False Security


Nuttycomputer

Posted

I didn't see a general forum so this one is probably the closest.

 

Anyone seen this video yet from the most recent defcon conference?

 

 

It's certainly making me rethink a continued deployment of Insteon based solutions, though I don't know how well the other solutions stick out. Would be curious as automation starts eking more and more into the physical like alarm systems, door locks, garages, etc. if vendors are really looking out for our best interests.

Posted

You can find the same news about zwave and every other automation protocol.

 

There is no such thing as an unhackable device. Only something that hasn't been hacked yet.

 

The people that attend these conferences (as well as Black Hat) are some of the brightest minds in their field. Even with his explanations and stories, he showed that the avg (even above average) person could not get into your system.

 

There's vulnerabilities with everything. Only you can decide if it's worth the risk. Me, I look at how serious of a threat something is vs. the convenience and use.

Posted

+2 above

If this is the same info as was in the other articles Teken is referring to, basically if you have a single dwelling home someone would have to be sitting in your driveway literally parked against your house for several hours with an Insteon radio device modded to look at the data stream. This seems like a lot of work to be able to adjust your thermostat or turn on the lights. If you live in a multi-family dwelling like a condo, then there may be a SLIGHT more concern if you have a neighbor with a lot of time on their hands.

I worry more about someone hacking my phone or bank accounts than my HA, but I still have a phone and thanks to HA not much in the bank to worry about.

 

 

Posted

You can find the same news about zwave and every other automation protocol. There is no such thing as an unhackable device. Only something that hasn't been hacked yet.

 

The avg (even above average) person could not get into your system.

 

There's vulnerabilities with everything. Only you can decide if it's worth the risk. Me, I look at how serious of a threat something is vs. the convenience and use.

 

Yes. Classic risk management... Severity + Probability.

  • Severity is in the HA users' hands -  How exposed are you, and do you know for sure?  You can assess where dualband goes and investigate where your property's weak spots are with a remotelinc2 and a tablet w/ web. Don't deploy technology that exposes key assets to danger.  Do you have an alarm system and service? The Insteon user is the key factor in this equation.

     

  • Probability of this happening is near zero for me. Why would a thief bother with the effort of taking this out of the lab, and figuring out how to make it field ready, for the contents of my house... which also has an alarm system and a sign? Thieves in my area are door shakers, as documented in stories and police reports in nextdoor.com.  A more likely probability to address is Identity theft from information gathered via easily accessible wifi, or PC that is physically stolen.

Paul

Posted

Old news and two related threads already exist about this topic.

Yep. This and the 'All-ON' issue are the two reasons why I continue to advise against Insteon control of garage doors (and why Smarthome continues to promote this and the Morninglink locks is beyond me).

 

Insteon is easily sniffable (to obtain IDs) and spoofable.

 

That being said - I use it extensively where its use is appropriate. Not for garage doors, locks, water valves....

Posted

Agree with the others on scope of risk and likelihood. I actually took this information as great news and bought a radio so I could start playing myself. I look at it as a partial opening of the protocol for more fun things. I got the basics up and running but haven't had time to go back to it. In my head I've got a plan to one day write up a software stack to mimic the PLM but simply listen over TCP/IP instead of serial.

Posted

Given enough skill and resources, Fort Knox can be broken into.  Like the others say: risk is a combination of severity and probability. 

 

Given a good reciprocating saw, I could probably cut a hole in the side of many houses in a few minutes large enough to crawl through.  Security can be many layers.  Does the benefit of insteon outweigh the risk of insteon?  Who is your likely threat?  What threat are you trying to defeat?  Are you looking for notification of intrusion or prevention? 

 

The fact that Insteon can be hacked by some people does not necessarily mean it cannot provide some level (perhaps limited) of security for some people.  As others have pointed out, if you are smart enough to do this, you probably have an honest job and are likely not going to be involved in burglary.

Posted

With anything it comes down to how pervasive and density of the hardware in the field. As many have alluded to, someone first has to identify a person has some kind of Home Automation technology. Whether that be from social engineering or simply overhearing someone's casual conversation.

 

That person would then need to follow you to your place of residence.

 

Let's assume for just a moment they only know you have HA; they would still need to determine what kind of protocol it's running on: X-10, WiFi, Z-Wave, ZigBee, Insteon, Other. From there they would still need the tools to *Hack* your network for whatever reason they may have.

 

Keeping in mind not one of these protocols besides WiFi offers any meaningful RF distance. One only has to scan this forum and dozens more like it to read about the most common ask: I can't pair / connect, devices won't enroll, link, include, exclude, heal, etc.

 

Again, this assumes someone with the skill and hardware is willing to sit and wait to capture some of the weakest signals known to mankind. If this wasn't true there wouldn't be tens of thousands of threads asking about bridging / coupling, and poor me the mesh isn't strong . . .

 

If you take all of these elements into account, unless you have placed yourself on the radar like an idiot, there is a higher likelihood of you being struck by a meteor while surfing backwards on your head when a full solar eclipse is present.

 

Now, having said all of that - I preempted my initial reply about *Density / Population* this is very important to understand and comprehend. The perfect example is the PC wars of yesteryear. I've blogged about this for decades and that was when Apple had less than 2% of the global market share in the computer world.

 

You were pretty hard pressed to see any kind of computer virus, trojan, malware, hack because no one cared enough to invest their brain power to hack something that had no impact in the free world. I would have to sit and listen to all the iSheep every year always smiling and chirping about how their ugly blue Mac was impervious to such issues unlike their counterparts the Windows PC.

 

The sad reality is many if not all of these Apple fan boys were pretty much at the bottom of the technical and computer gene pool. 

 

They simply drank the *Kool Aid* and recycled the same words every other moron did without facts or thought. Because if there were no such threats why was there Anti-Virus software for said Macs?!?! As many people already know in 2016 every operating system in the world has been hacked and will continue to be hacked.

 

Because of population, density, and because it matters . . .

 

The Unix / Linux OS is pervasive in tens of billions of devices now and the people who hack for a living see real financial and personal gain in investing the time and effort to circumvent said OS.

 

The biggest threat HA has is connectivity to the Internet via networking, period.

 

With so many services based on the cloud / cloud first vs local first this topology is the single most prevalent threat to the end user besides pure stupidity. The sad reality is in 2016 the human species has become complacent, lazy, inept, and full of themselves into thinking the world is a bowl of cherries.

 

Whoever coined the phrase IoT needs to be punched in the throat besides the very fact people in this era need to smarten up and have a reality check about how they conduct personal / business. In life few things happen by chance - most if not all things happen because of poor decisions or the lack of comprehension.

 

Ignorance only goes so far in life and when a person has the capacity to learn but chooses to ignore the facts and information that lays before them.

 

That just makes them stupid . . .

 

I AM SURE THAT WAS MORE THAN 1000 WORD RANT - BUT HEY I HAVE LOTS OF WORDS!

 

On Topic:

 

Regardless, Peter S has been a long time member in this forum and no doubt has tremendous skill sets. But the video presentation was poorly executed on every level. Besides the incredibly terrible sound, of which 35% was not even audible, their demo was lackluster and didn't show anything.

 

I've seen lots of the DEFCON videos and many of them showcase excellent presentation of the information with clear examples and demos.

 

Sadly, this video did not offer any visual insight or confirmation besides a lot of slides which didn't offer a lot of detail(s). Having said this, Smartlabs documentation regarding encryption was justly called out by Peter S. In the past I have asked Peter to redo another personal video illustrating the hack they speak of but as of today this hasn't been done.

 

As I noted up above 99% of the Insteon (User) population complain the RF is too weak so this isn't something most people need to worry about. 

Posted

But this is one of your rants that is 100% on topic and of benefit to almost everyone using home control and automation.

 

I apologize for this not being a 1000 word rant but I have a wife.

 

Best regards,

Gary Funk

Posted

The Peter Shipley video has bordered a 10,000 word rant, without point, in the form of a video.

 

He still doesn't understand what a "white paper" is, and has based his whole rant on ignorance of that fact. He should be very embarrassed to the technical world.

 

Without being able to sit through the whole presentation, I wonder what he is selling?

Posted

... I wonder what he is selling?

 

He is a very smart guy that doesn't like Smarthome.  The title "Insteon: False Security and deceptive documentation" provides a hint that's what's coming.

 

He seemed irritated that it was very hard for him to use Insteon's documentation against them.  

Posted

He pretty much showed that SmartLabs' documentation is BS and there is no security as they have stated.

 

I don't think he disliked SmartHome any more than the rest of us. The title of his session was mostly accurate.

 

Whether you like him or not, he has an impressive set of credentials and he knows of that which he speaks. His big issue is his lack of social skills, but most great programmers are that way.

 

He's not selling anything and he's done pretty much all the work needed to help me turn an Arduino into an Insteon device.

 

Best regards,

Gary Funk

Posted

Public speaking and presentation is a learnt trait that takes years to master. Stage presence is another which either comes naturally or doesn't. Regardless, I believe if Peter had some time to reformulate the video in the future it would better relay the information to the general public.

 

Of interest to me was some of the items he spoke about off stage . . .

 

In the past I spent a considerable amount of time trying to decipher the audio but got frustrated and gave up. In the past white papers were a method to relay the theory of operations, background / history, and the implementation of various ideas. It wasn't used as a way to market something or offer bias as Peter alludes to.

 

To be fair to Smartlabs both white papers have lots of technical information which does offer insight and facts. Unfortunately either someone was told or forced to confuse the general public that Insteon uses any kind of encryption.

 

Which is clearly a bold face lie . . .

 

My hopes are Smartlabs will release a next generation hardware that does offer 128 / 256 encryption like Z-Wave. Even though Z-Wave has actively pushed to make their protocol more secure it should not confuse the security issue(s). That the *Current* crop of Generation 5 hardware is nowhere near being ready, certified, or validated for security. Yet the Z-Wave camp is pushing very hard to get their wares into the security mainstream.

 

In the big picture I can't really fault them for doing so as this helps market penetration and acceptance. But none of the major security vendors will move forward anyways because they already have hardware they developed that meet all the criteria I stated above.

 

Ultimately the video presentation did provide some insight and awareness which to me is important.  

Posted

Those were not SmartHome product documentations. They are WHITE PAPERS, published conceptual ideas to provoke responses, and do not necessarily represent any product, or what was actually produced.

 

The Insteon protocol is their secret still, same as the nonsense people publish to get past the US Patent Office registration.

 

It is just nonsense arguing SmartHome did not produce the exact product they posted a conceptual paper about.

 

The fact that people run with these white papers, not understanding what they even represent, and try to attack a company for changing their implementation, only shows obsession with attack and hate mongering, and gathers an uneducated audience.

 

I don't like the way SH operates either but the video is based on half-truths.

 

 

"Oh look!, This chocolate bar contains nuts and I thought they stated they were not going to put nuts in it, ten years ago, before production. I am going to sue" Ridiculous video.

Posted

From Wikipedia (which you may or may not accept as an authority, but it's a starting point...)

 

A white paper is an authoritative report or guide that informs readers concisely about a complex issue and presents the issuing body's philosophy on the matter. It is meant to help readers understand an issue, solve a problem, or make a decision. The initial British term concerning a type of government-issued document has proliferated—taking a somewhat new meaning in business. In business, a white paper is closer to a form of marketing presentation, a tool meant to persuade customers and partners and promote a product or viewpoint.

 

 

Given the very detailed nature of the "white paper", though, I wouldn't call it a white paper, though Insteon chooses to call it such.

 

But nothing in the definition above - NOR in the white paper itself - suggest that it is simply a thought-provoker or proposal or for soliciting response. It is a highly-detailed discussion of the inner-workings of the Insteon protocol. And represented as such.

 

Without being able to sit through the whole presentation, I wonder what he is selling?

 

 

That should be pretty easy, and you needn't sit through the whole presentation to figure it out. DEFCON is all you needed to know. Presenters are security researchers, hackers, penetration testers, computer security firms, etc. etc. etc. He wants to sell his services. He wants you to hire him to attempt to break in to your product or your competitor's product, once you've seen what a great job he did of uncovering Insteon's security flaws. Or maybe he just wants to show-off how smart he is. (In his case, he probably wants to sell you his services.)

 

He could use better presentation skills. But it is important in his field to be at least a bit unkempt-appearing and overweight, with full beard, talk so as to be hard to understand (because nobody will understand what they are saying anyway), and to make major points bluntly and with at least a bit of sarcasm and profanity. Anyone probably would be rejected as speaker if he didn't meet the stereotype of pizza-eating all-nighter-pulling hacker. ;)

 

Given the conference he was speaking at, and the field he is in, I doubt he has any grudge against Insteon.

 

Most computer security experts advocate for transparency and openness as a key point of security. Yes, for best security, the manufacturer should provide the detailed, accurate, documentation needed to analyze the product's security and to uncover any flaws present. The more eyes on it, the more secure the product will (eventually) become. And I agree. For a government or a financially motivated competitor - or a thief - the effort of reverse-engineering may be well worth-it. For most researchers, it may not. Open the product up, and you get more friendly eyes on the issues.

 

Are his friendly eyes? I'd say more so than the KGB or ISIS or Mafia...

Posted

Love the discussion.  Lots of viewpoints.

 

So here's mine:

 

The issue is NOT if Insteon is secure, nor is it whether or not any HA implementation NEEDS to be secure.  The issue is that there is NO standard for security in existence, and companies like Insteon take advantage of that by not documenting what security they do and do not provide, and letting their marketing of a product lead the consumer into believing that the product is suitable for the marketed application (specifically, Insteon as a security device, Insteon as a garage door opener, and application such as that).

 

Take a look at this forum -- you'll find a few highly-knowledgeable on software and network security, and you'll also note that almost each time those individuals comment negatively on an aspect of Insteon or the ISY, they get jumped on by a cluster of folks who try to argue that just because they personally don't have anything worth protecting, or because their personal HA implementation is physically hard-to-get-at, therefore it is the case that NOBODY needs security.  Again, let me clarify: Not everyone NEEDs security -- but EVERYONE NEEDS to know what security IS and ISN'T being provided!  And I think that's what's being (poorly) presented in this Defcon thing -- Insteon has decided that obscurity is their best approach to security, and that's been proven wrong so often.

 

By the way, it's not limited to Insteon, nor to this particular Defcon session -- others on this forum have been jumped all over when they questioned something about security -- as I learned early on.

 

If you're not concerned about security, please don't comment on security discussions.  If you are concerned, then pay attention to the message presented, not necessarily the scruffiness of the speaker, nor the quality of the audio, and there's no gain to security by arguing about white papers.

Posted

LOL!

You did eliminate some of the fitting statements in the Wikipedia article where more emphasis was put on a proposal, and thought provoking idea with the defined three different types of white papers but..

 

I think what these guys are doing is great and well worth my time!

 

 

In the end, if guys of this attitude and calibre take months of hacking and had that hard of a time to understand/hack the Insteon protocol(s)...

 

I feel almost totally secure using Insteon protocols, knowing that most other people would take years with their ears pinned to my front door before getting anywhere with hacking into my IO Link that operates my back doorbell. That would be really annoying running to the dryer in the middle of the night once before I unplugged it and twice before I set up a testing environment.

 

 

 

The only thing that really bugged me, with the prowess of these guys, (regardless of the presenting skills being worse than Bill Gates at $$100K/hr to look dumb) is not being able to link an Insteon module they fasttrack shipped, and the time it took to hack the On/Off switch on the microphone, to make it work. ooops :)

 

 

Thanks for the video link. Last time I saw it I figured we might have heard some actual results with promised hacking tools for Insteon protocols from these guys.

Archived

This topic is now archived and is closed to further replies.
