In this blog we will discuss discovering home automation systems in the wild. Gaining remote control of home devices was once a 1337 pipe dream, famously seen in the "pool on the roof" scene in Hackers, and recently more accurately depicted in Mr. Robot.
Analysing banners from our "High Frequency Generator" NLP we discovered some data that appeared to be home automation information on port
After some more digging we found that the service we saw open was
Home Assistant is an open source home automation system that runs on a Raspberry Pi or local server - https://www.home-assistant.io/
The API had an option to require authentication which, if set to False, would allow full remote control of connected devices such as:
- Door Locks
- Alarm Sensors
- Light Control
- Location Info (
- Home Entertainment systems
We tweeted about this on August 12th 2018, and the authors promptly pushed a release on August 29th 2018 which now forces auth.
Updating to this release is a non-breaking change (unless you had no API password configured).
Of course there are still some examples of these in the wild which have not updated, but this can no longer be considered an inherent issue on this platform.
This led us to conduct some targeted research at home automation systems ...
The mission of Indigo Domotics is to provide the most advanced do-it-yourself (DIY) smart home platform available. Their goal is to integrate the various automation protocols and the Internet of Things (IoT) into a "single synergistic platform". https://www.indigodomo.com/
Whenever the word synergy gets mentioned, alarm bells ring.
A quick Google and we get the API and a GUI. In the server startup the option to require auth is set by default, so credit to the indigodomo guys; however, we discovered that users couldn't help unchecking it.
Getting bored of APIs, we went for the GUI, using our scan platform looking at the default port
Maybe them alarm bells from earlier were sleigh bells ?!?
In the open unauthenticated examples again we had remote control of the usual suspect devices.
OpenHAB puts the user in the focus and allows him to do what he wants to do. It thus serves as an integration point for all your home automation needs and lets systems talk to each other across any vendor or protocol boundaries. https://www.openhab.org/
Apparently it takes a man to setup a home automation system ? ok .....
You know the drill
- Google API
Hmmmmmmm ...... Real men use NAT ?!?
OpenHAB listens on port 8080. Scanning this port turns up a number of false positives, so your request and response parsing have to be on point to discover true OpenHAB instances. We chose to try out anam for this: https://github.com/dutchcoders/anam. It's written by the dutch coders who also wrote the handy transfer.sh (https://transfer.sh), which is highly recommended to be used on your own server ;-).
Again a haul of openHAB servers were discovered with full remote control over devices.
OpenHAB servers tended to have MQTT open too ... We will revisit this at another time.
Real Alarm Bells
With home automation on the rise it really is going to become a valid risk to home security. Many systems we found had control of door locks, alarm sensors and security cameras. It is becoming a reality that you could be targeted when geolocation information (GPS) is also given away, so it is critical that home automation, especially open source solutions, start with solid enforced authentication enabled by default.
On the lighter side of things, a simultaneous light show in homes across the world would certainly make the headlines.
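A defender-side check for the exposure described in this post, as an added example that is not part of the original blog: it reads a reverse-proxy access log in Common Log Format and lists requests to the Home Assistant (/api/) or openHAB (/rest/) REST paths that came from outside the LAN and were answered with a 2xx status. The log lines, the item name and the local address ranges are constructed assumptions.

```python
import ipaddress
import re

# Assumption: address ranges treated as "inside the home network".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# REST API roots: Home Assistant (/api/...) and openHAB (/rest/...).
API_PATH = re.compile(r"^/(api|rest)(/|$)")

# Common Log Format prefix: client - user [time] "METHOD path proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log; documentation-range addresses stand in for internet hosts.
SAMPLE_LOG = """\
192.168.1.20 - - [12/Aug/2018:10:01:02 +0000] "GET /api/states HTTP/1.1" 200 5120
203.0.113.7 - - [12/Aug/2018:10:03:44 +0000] "GET /rest/items HTTP/1.1" 200 20480
203.0.113.7 - - [12/Aug/2018:10:03:50 +0000] "POST /rest/items/FrontDoor_Lock HTTP/1.1" 200 0
198.51.100.9 - - [12/Aug/2018:10:05:10 +0000] "GET /api/states HTTP/1.1" 401 17
198.51.100.9 - - [12/Aug/2018:10:05:12 +0000] "GET /index.html HTTP/1.1" 200 900
not a log line
"""

def is_local(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError for hostnames
    return any(ip in net for net in LOCAL_NETS)

def external_api_hits(log_text):
    """Return (client, method, path) for API requests from outside the LAN that succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        client, method, path, status = m.groups()
        try:
            local = is_local(client)
        except ValueError:
            continue  # client field is not an IP address
        path = path.split("?", 1)[0]  # ignore any query string
        # A 2xx here means the API answered an outside client; review each hit,
        # since authenticated remote use by the owner looks the same in this format.
        if not local and API_PATH.match(path) and status.startswith("2"):
            hits.append((client, method, path))
    return hits

if __name__ == "__main__":
    for hit in external_api_hits(SAMPLE_LOG):
        print("answered external API request:", *hit)
```

Any hit means the automation API is reachable from the internet; whether it also answered without credentials has to be confirmed against the server's authentication settings.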