The idea of a smart home is becoming more and more mainstream nowadays. Previously appealing mostly to geeks and people who always buy the newest toys, smart home setups have become quite popular, and a basic setup can even be affordable.

One of our colleagues joined the smart home party and added some fancy, techie things to his new home. After he installed everything, he thought researchers from Kaspersky ICS CERT might have some fun playing with his new toy. Of course, security researchers’ idea of a good time is trying to break new toys. And, of course, they thought it was a marvelous idea. And, of course, they succeeded. And so, of course, here is the short story of how they hacked that smart home and what they were able to do with it once they were in.

Hacking begins

The setup is as follows: The house, in a remote location, has a Fibaro Home Center Lite smart hub, which is responsible for managing all of the smart things that are connected to it.

The smart things in the home include lights with a motion sensor that can automatically power on and off; a fridge, a stereo system, and a sauna heater that can be remotely manipulated and also turned on and off. Several smoke detectors and flood sensors, as well as a couple of IP cameras for monitoring the house are also connected to the same hub. And, of course, the heating system and the entrance door with a smart video doorbell, are managed from the hub as well.

All of that was connected to a home wireless network. What the security researchers knew was the model of smart home hub and its IP address.

How it works: Narrowing the attack surface

So, how do you attack a smart home? It usually goes as follows: The team of security researchers tries to jot down all possible attack vectors, thus modeling the so-called attack surface. And then they methodically test the most promising methods and cross them off one by one until they find an attack that actually works — one they can use to penetrate the network.

But some attack vectors are harder to exploit than others, and these also usually get cut in the process of modeling the attack surface — malefactors aren’t willing to waste time and effort trying to use them, and neither was the security researchers team. And some attack vectors have limitations — they require the attacker to stay physically close to their target, say, and these vectors are also of no particular interest in this case.

That’s why Kaspersky’s ICS CERT guys decided not to look at attacking the Z-Wave protocol — which the smart home hub uses to talk to the appliances — because it required the physical presence of the attacker near the house. They also discarded the idea of exploiting the programming language interpreter; the Fibaro hub used the patched version.

Eventually, they succeeded in finding a remote SQL-injection vulnerability, despite Fibaro’s significant efforts to avoid them, and a couple of remote code execution vulnerabilities in the PHP code (for more details, read Securelist’s report).

If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, which basically means getting full control over it. It’s worth noting that even the owner of the hub doesn’t have such access rights and thus won’t be able to override attackers’ actions. But first, attackers need to be able to send commands to the device.

The flip side of the smart home

What’s important about the Fibaro smart home is that it can be managed remotely from any location using the cloud. That means vulnerabilities might exist not only in the device itself, but also in the cloud that it uses, and the communication protocols it employs. As it turned out, a severe vulnerability was present in the Fibaro’s cloud, and it allowed the attackers to access all backups uploaded from all Fibaro hubs all around the globe.

That is how the security researchers team acquired backup data stored by the Fibaro Home Center located in this particular home. Among other things this backup contains a database file with a lot of personal information in it — the house’s location, geolocation data from the owner’s smartphone, the e-mail address used to register with Fibaro, information about the smart devices (Fibaro and non-Fibaro) in the owner’s house, and even the owner’s password.

The password, however, was stored properly, being hashed and salted. It could not be decrypted easily, and was of no use to the security researchers. It’s worth noting that if some of the other smart devices required passwords, these passwords were stored in the very same database without any encryption.

The team of security researchers then crafted a special version of the backup that contained a payload in a form of a PHP script that would execute arbitrary commands sent to it remotely. After that, they used a cloud function that let them send e-mails and SMS messages to the owner, telling him something had gone wrong with his smart home and that he needed to apply an update to restore proper function.

Of course, the infosec-savvy person who was already expecting an attack quickly realized that the request was really bait, but the average unsuspecting user probably wouldn’t. So, the smart home owner played along, and that is how the attackers got access to the smart hub, along with all of the smart devices it controlled. Most important, they also gained access to the home network.

What happens if a smart home gets hacked?

Once they’ve virtually broken into a smart home, attackers can control all of the smart appliances and devices connected to the home network. In this case, that means they could control the temperature in the house, turn on the sauna, play loud music from the stereo (something they actually did — they changed the alarm sound to a drum and bass track), print anything on a network printer and so on and so forth.

More important, they could remotely open the front door and disable security cameras and motion sensors — an easy way in to rob the house. And because they knew the coordinates of the owner’s phone, they could plan the operation for when he was far from home.

So, in general, having your smart home hacked may not hurt much, unless the attackers plan on robbing your house and hack it just to disable the security system. The lesson here is, when planning a smart home, don’t rely too heavily on its security features — they can be disabled.

We also must give some credit to Fibaro Group, which created a rather secure product — and also worked closely with our ICS Cert researchers to quickly patch the vulnerabilities they discovered. Fibaro Smart Home Centers have become more secure as a result of our little experiment, and we now consider them safe to use.