Feeds

REVEALED: Simple 'open sesame' to unlock your HOME by radiowave

Schoolboy security slip-ups in burglar sensors, electronic locks discovered

The Power of One eBook: Top reasons to choose HP BladeSystem

Black Hat 2013 A pair of security researchers probing the Z-Wave home-automation standard managed to unlock doors and disable sensors controlled by the technology.

Behrang Fouladi and Sahand Ghanoun took a long hard look at Z-Wave for their presentation at last week's Black Hat hacking conference in Las Vegas. The wireless standard dominates home-automation in the US, but the pair discovered some worrying flaws.

Not only were they able to switch off a motion sensor with a relatively simple replay attack, but they also managed to take control of a wireless door lock by supplanting the proper control centre, potentially allowing a burglar to walk right in and make himself comfortable.

The Z-Wave specifications are only available to paying customers after they've signed the non-disclosure agreement, which makes analysis of the standard difficult by preventing open discussion of potential flaws. It also makes manufacturers lazy in their implementations, which proved crucial to the success of the hack.

Before Fouladi and Ghanoun could find any vulnerabilities, the researchers had to work out how the security was supposed to work, a challenge in itself. There's very little open-source code available for the unpublished standard, but by extending the OpenZ-Wave toolkit the pair were able to analyse over-the-air communications with a motion sensor and discovered it was vulnerable to a simple replay attack.

Even without understanding the protocol the pair just captured the legitimate signal sent to deactivate the sensor, perhaps by lurking near a target's house, then played back the recorded series of wireless packets to successfully switch off the sensor.

That shouldn't be possible - replay attacks are the most basic of penetrative techniques and any modern system should be immune to them, but for some reason the tested Z-Wave sensor wasn't.

More formidable was a Z-Wave door lock, as it should be. Commands sent to the lock from the network controller are encrypted using AES128, well beyond the reach of all but the best-funded government agencies, but as is so often the case it's the implementation, not the encryption, that proved to be flawed.

Raise your hand when you spot the non-deliberate mistake

An automated home will have a single Z-Wave network, operating in the low-frequency industrial, scientific and medical (ISM) band (868MHz in Europe and 908MHz in the US), and each network is secured with a unique network key.

That network key is created by the device that appoints itself as network controller (normally a home hub of some sort) and distributed to other devices when they join the network, encrypted using a global key hard coded onto every Z-Wave device.

Cryptographers should be blanching at that statement, fully aware that any shared secret is a vulnerability that won't stay secret for long. The Z-Wave global key is only used during network setup – meaning it is of no value to anyone attacking an established network even if it remains a concern in some circumstances. But it turns out the global key isn't necessary to hijack at least one model of lock.

When the lock is first set up, and receives the network key from the controller, the user is required to press a physical button on the bottom of the keypad to acknowledge the new device. But once installed the lock can reconnect to a controller (say, after a battery failure) without user interaction, and it turns out that it isn't very picky about the network controller to which it connects.

Our attacker just identifies a lock on the network and sends it a new network key from his own network controller; the fickle door lock happily forgets its previous attachment and stands ready to respond to new commands, suitably encrypted using the new key, such as "open the door, please".

Speaking to El Reg, the hacker team declined to name the manufacturers of the lock and the sensor, but said they'd both been informed and both had claimed the flaws were rare implementation errors and that they would shortly be fixed. Fouladi and Ghanoun aren't convinced.

More testing is needed, but the pair's hypothesis is that both companies are using example code provided in the Z-Wave software development kit, and that the example code is intended to be just that - an example not to intended for use in actual products. Without seeing the kit it's hard to be certain, and the Z-Wave Alliance (which maintains and sells the SDK) is apparently working on a new revision, but didn't respond to our inquiries on the matter.

Fouladi and Ghanoun will demonstrate all this again in London at 44Con in September. And, lest we forget, security through obscurity has, yet again, arguably proved to be worse than no security at all. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.