Here's a great idea: Why don't we hardcode the same private key into all our smart home hubs?
Another day, another appalling Internet of S**t security flaw
Smart home company Zipato hardcoded the same private SSH key into every one of its hubs, leaving its system open to hacking, researchers revealed this week.
The eggheads at security shop Black Marble demonstrated in a blog post how that flaw, combined with two related vulnerabilities, allows them to access the hub and devices connected to it. The upshot: they can open your front door with a laptop.
Smart home hubs are a relatively popular way to manage a range of otherwise incompatible smart home products, giving people a simple, single way of controlling everything. But that same approach can be a security nightmare if the hub itself isn't secure. And in this case, it was not.
Zipato's controller, which used the Z-Wave wireless standard, had two security holes in its API, one local and one remote, that the researchers were able to exploit. They rated both as critical. Combine those with the somewhat baffling decision to hardcode the same private SSH key, one that provides root access to the device, into every hub, and you have a recipe for disaster.
The key was extracted by simply imaging the hub's SD card: it appeared in the '/etc/dropbear/' folder and was called 'dropbear_rsa_host_key'. The folder was password protected but easily cracked with some readily available software.
With that private key, the researchers were then able to delve into the hub's inner workings and grab the device's scrambled passwords. They then discovered that the hub's API would accept the scrambled/hashed password, rather than requiring the actual username and password (this was the API vulnerability), and so it was relatively easy to pose as the owner of the hub and then command it to do what it is designed to do: turn things on and off.
Which, in the case of a smart lock, opens the door. A few lines of code and you're in. Due to the root access, even if the hub is set up for multiple users, a hacker would have access to all user accounts. Or, in other words, be able to open every door.
Welcome internet users
The hack works remotely due to the same flaw so if the hub is connected to the internet anyone in the world can theoretically open your front door. Which is less than ideal. If the hub is local only, you'd need to be on the same Wi-Fi network to exploit it.
There are an estimated 100,000 Zipato devices in around 20,000 residences, often installed by third-party providers.
The researchers did the responsible thing and waited until the issue was patched before publishing exploit details. The company has put out a software update that should fix the API holes and has scrapped the single hardcoded SSH private key.
From now on, every new hub will have a unique key. And Zipato has ditched its ZipaMicro hub in favor of an updated product. Which is all good, but you have to wonder why on earth the company used the same key for every device in the first place. That should be smart home product manufacturing 101.
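One way an installer or operator can check that claim for the hubs they manage, as an added example that is not from the article or from Zipato: collect each hub's SSH host key with `ssh-keyscan` and flag any key fingerprint that more than one hub presents. The hostnames and key blobs below are constructed placeholders, not real keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample of what `ssh-keyscan -t rsa <hub>` prints for four hubs.
# Three present the same host-key blob (a fleet sharing one key), one has its own.
# The blobs are placeholders with a valid base64 shape, not real RSA keys.
SAMPLE_KEYSCAN = """\
# hub-01.lan:22 SSH-2.0-dropbear (constructed comment line)
hub-01.lan ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7SAMEKEYSAMEKEYSAMEKEYSAM
hub-02.lan ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7SAMEKEYSAMEKEYSAMEKEYSAM
hub-03.lan ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7UNIQUEKEYUNIQUEKEYUNIQUE
hub-04.lan ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7SAMEKEYSAMEKEYSAMEKEYSAM
"""


def parse_keyscan(text):
    """Yield (host, keytype, blob) from ssh-keyscan output; skip comments and junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, ignore rather than crash the audit
        yield parts[0], parts[1], parts[2]


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_text):
    """Return {fingerprint: [hosts]} for every key presented by more than one host."""
    hosts_by_fp = defaultdict(list)
    for host, _keytype, blob in parse_keyscan(keyscan_text):
        hosts_by_fp[fingerprint(blob)].append(host)
    return {fp: hosts for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {len(hosts)} hubs: {', '.join(hosts)}")
```

The same fingerprints can be compared against `ssh-keygen -lf` output on a hub's own '/etc/dropbear/' host key to confirm the key on disk is the one the hub actually serves.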
Even big companies are vulnerable to these sorts of security flaws. In December, Logitech infuriated many of its customers when a third-party researcher discovered security holes in its API and it decided the best solution was to disable its external software interfaces altogether. As a result it cut off the meticulously built smart home setups of its customers, who made their displeasure known. Logitech backed down after an outcry and figured out patches to the holes.
The danger of hardcoded and default passwords is so significant that California passed a law last year that legally requires smart home manufacturers selling products in the state to include "a preprogrammed password unique to each device manufactured" or "a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time." It will come into force in January 2020. ®