Feeds

REVEALED: Simple 'open sesame' to unlock your HOME by radiowave

Schoolboy security slip-ups in burglar sensors, electronic locks discovered

Secure remote control for conventional and virtual desktops

Black Hat 2013 A pair of security researchers probing the Z-Wave home-automation standard managed to unlock doors and disable sensors controlled by the technology.

Behrang Fouladi and Sahand Ghanoun took a long hard look at Z-Wave for their presentation at last week's Black Hat hacking conference in Las Vegas. The wireless standard dominates home-automation in the US, but the pair discovered some worrying flaws.

Not only were they able to switch off a motion sensor with a relatively simple replay attack, but they also managed to take control of a wireless door lock by supplanting the proper control centre, potentially allowing a burglar to walk right in and make himself comfortable.

The Z-Wave specifications are only available to paying customers after they've signed the non-disclosure agreement, which makes analysis of the standard difficult by preventing open discussion of potential flaws. It also makes manufacturers lazy in their implementations, which proved crucial to the success of the hack.

Before Fouladi and Ghanoun could find any vulnerabilities, the researchers had to work out how the security was supposed to work, a challenge in itself. There's very little open-source code available for the unpublished standard, but by extending the OpenZ-Wave toolkit the pair were able to analyse over-the-air communications with a motion sensor and discovered it was vulnerable to a simple replay attack.

Even without understanding the protocol the pair just captured the legitimate signal sent to deactivate the sensor, perhaps by lurking near a target's house, then played back the recorded series of wireless packets to successfully switch off the sensor.

That shouldn't be possible - replay attacks are the most basic of penetrative techniques and any modern system should be immune to them, but for some reason the tested Z-Wave sensor wasn't.

More formidable was a Z-Wave door lock, as it should be. Commands sent to the lock from the network controller are encrypted using AES128, well beyond the reach of all but the best-funded government agencies, but as is so often the case it's the implementation, not the encryption, that proved to be flawed.

Raise your hand when you spot the non-deliberate mistake

An automated home will have a single Z-Wave network, operating in the low-frequency industrial, scientific and medical (ISM) band (868MHz in Europe and 908MHz in the US), and each network is secured with a unique network key.

That network key is created by the device that appoints itself as network controller (normally a home hub of some sort) and distributed to other devices when they join the network, encrypted using a global key hard coded onto every Z-Wave device.

Cryptographers should be blanching at that statement, fully aware that any shared secret is a vulnerability that won't stay secret for long. The Z-Wave global key is only used during network setup – meaning it is of no value to anyone attacking an established network even if it remains a concern in some circumstances. But it turns out the global key isn't necessary to hijack at least one model of lock.

When the lock is first set up, and receives the network key from the controller, the user is required to press a physical button on the bottom of the keypad to acknowledge the new device. But once installed the lock can reconnect to a controller (say, after a battery failure) without user interaction, and it turns out that it isn't very picky about the network controller to which it connects.

Our attacker just identifies a lock on the network and sends it a new network key from his own network controller; the fickle door lock happily forgets its previous attachment and stands ready to respond to new commands, suitably encrypted using the new key, such as "open the door, please".

Speaking to El Reg, the hacker team declined to name the manufacturers of the lock and the sensor, but said they'd both been informed and both had claimed the flaws were rare implementation errors and that they would shortly be fixed. Fouladi and Ghanoun aren't convinced.

More testing is needed, but the pair's hypothesis is that both companies are using example code provided in the Z-Wave software development kit, and that the example code is intended to be just that - an example not to intended for use in actual products. Without seeing the kit it's hard to be certain, and the Z-Wave Alliance (which maintains and sells the SDK) is apparently working on a new revision, but didn't respond to our inquiries on the matter.

Fouladi and Ghanoun will demonstrate all this again in London at 44Con in September. And, lest we forget, security through obscurity has, yet again, arguably proved to be worse than no security at all. ®

New hybrid storage solutions

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.