CRASH AND BURN

In this blog we will discuss discovering home automation systems in the wild. Gaining remote control of home devices was once a 1337 pipe dream, famously seen in the "pool on the roof" scene in Hackers and recently more accurately depicted in Mr. Robot.

Analysing banners from our "High Frequency Generator" NLP, we discovered some data that appeared to be home automation information on port 8123.

After some more digging we found that the service we saw open was Home Assistant.

Home Assistant

Home Assistant is an open source home automation system that runs on a Raspberry Pi or local server - https://www.home-assistant.io/

The API had an option to require authentication which, if set to False, would allow full remote control of connected devices such as:

  • Door Locks
  • Alarm Sensors
  • Light Control
  • Location Info ( GPS )
  • Home Entertainment systems

We tweeted about this on August 12th 2018, and the authors promptly pushed a release on August 29th 2018 which now forces auth. Updating to this release is a non-breaking change (unless you had no API password configured).

https://www.home-assistant.io/blog/2018/08/29/release-77/

Of course there are still some examples of these in the wild which have not updated, but this can no longer be considered an inherent issue on this platform.

This led us to conduct some targeted research on home automation systems ...

Indigodomo

The mission of Indigo Domotics is to provide the most advanced do-it-yourself (DIY) smart home platform available. Their goal is to integrate the various automation protocols and the Internet of Things (IoT) into a "single synergistic platform". https://www.indigodomo.com/

Whenever the word synergy gets mentioned, alarm bells ring.

A quick Google gets us the API and a GUI. In the server startup the option to require auth is set by default, so credit to the Indigodomo guys; however, we discovered that users couldn't help unchecking it.

Getting bored of APIs, we went for the GUI, using our scan platform to look at the default port 8176.

Maybe them alarm bells from earlier were sleigh bells ?!?

In the open unauthenticated examples again we had remote control of the usual suspect devices.

openHAB

OpenHAB puts the user in the focus and allows him to do what he wants to do. It thus serves as an integration point for all your home automation needs and lets systems talk to each other across any vendor or protocol boundaries. https://www.openhab.org/

Apparently it takes a man to set up a home automation system ? ok .....

You know the drill

  • Google API
  • RTFM
  • Profit

Hmmmmmmm ...... Real men use NAT ?!?

OpenHAB listens on port 8080. Scanning this port yields a number of false positives, so your request and response parsing has to be on point to discover true OpenHAB instances. We chose to try out anam for this (https://github.com/dutchcoders/anam). It's written by the Dutch coders who also wrote the handy transfer.sh (https://transfer.sh), which is highly recommended to be used on your own server ;-).

Again a haul of openHAB servers were discovered with full remote control over devices.

OpenHAB servers tended to have MQTT open too ... We will revisit this at another time.

Real Alarm Bells

With home automation on the rise, it really is going to become a valid risk to home security. Many systems we found had control of door locks, alarm sensors and security cameras. Being targeted is becoming a reality when geolocation (GPS) information is also given away, so it is critical that home automation, especially open source solutions, start with solid enforced authentication enabled by default.

On the lighter side of things a simultaneous light show in homes across the world would certainly make the headlines.
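
For owners checking their own host, an added example (not from the original post): it parses `ss -H -ltn` output and flags listeners on the default ports named above that are bound beyond loopback. The sample output is constructed, and 1883 for MQTT is an assumption, since the post names MQTT without a port.

```python
import ipaddress

# Default ports named in the post; 1883 is the standard MQTT port (the post
# names MQTT but gives no port number, so that entry is an assumption).
WATCHED = {8123: "Home Assistant", 8176: "Indigo", 8080: "openHAB", 1883: "MQTT"}

# Constructed sample of `ss -H -ltn` output, not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8123 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 100 [::]:1883 [::]:*
LISTEN 0 128 192.168.1.20:8176 0.0.0.0:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 [::1]:8123 [::]:*
"""

def split_local(field):
    """Split an ss 'Local Address:Port' field into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return addr, int(port)

def scope(addr):
    """Classify a bind address as all-interfaces, loopback, lan or public."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "lan" if ip.is_private else "public"

def audit(ss_output):
    """Return (port, service, scope) for watched listeners reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip headers, blank lines and non-listening sockets
        addr, port = split_local(cols[3])
        where = scope(addr)
        if port in WATCHED and where != "loopback":
            findings.append((port, WATCHED[port], where))
    return findings

if __name__ == "__main__":
    for port, service, where in audit(SAMPLE_SS):
        print(f"{service} port {port} bound to {where}: confirm auth is enforced")
```

On a real host, pass the text output of `ss -H -ltn` to `audit()` in place of the sample; any finding is a prompt to confirm authentication is enabled and that the port is not forwarded at the router.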