Insteon and Wink home hubs appear to have a problem with encryption

Which is to say neither do it

Security researchers have discovered that two popular home automation systems are vulnerable to attacks.

The Insteon Hub and Wink Hub 2 are designed to connect various home products and manage automation, and the flaws represent another entry in the growing catalogue of IoT security shortcomings.

Rapid7 discovered two unpatched issues related to authentication and radio transmission security of the Insteon Hub. Firstly the account login and passwords for both Insteon services and the Hub hardware are stored unencrypted. In addition the radio transmissions between the hub and connected devices are unencrypted. This means malicious actors can easily capture the radio signals at any time to manipulate any device being managed via the Insteon Hub.

The same team uncovered two similar unpatched issues related to the Wink Hub 2. The authentication token used by the Wink Android application to authorise user access is not stored in an encrypted and secure way. Secondly when users log out of the Wink Android application, the authentication token is not revoked. This means that if a user loses their mobile device, a malicious actor could gain full access to the Wink Hub 2 remotely.

Rapid7 went public with its findings during a presentation at the DerbyCon event in Louisville, Kentucky, last week after first disclosing the flaws to the two affected manufacturers. El Reg contacted both Insteon and Wink for comment and will update this story as and when we hear more.

Ken Munro of security consultancy Pen Test Partners said what Rapid7 uncovered is typical of the flaws his team finds when they look into the security of IoT devices. Weak or default passwords, poor encryption and authentication problem are endemic in IoT devices.

"Bugs that have been around for years are only now being found," Munro said. "One hopes that Wink and Insteon will now carry out a thorough code review to see what else might be hiding in there." ®

Updated to add

In response to queries from El Reg, Wink clarified that the issues uncovered by Rapid7 were related to the Wink platform (software), not the Wink Hub (hardware). A spokesperson added: "Wink has issued a fix for the Wink Android app and we're in the process of developing one that will soon address the API vulnerability."


Biting the hand that feeds IT © 1998–2017