“Smart” homes are vulnerable, say hackers

by Heather Kelly, CNN Tech

Hacking into a $6,000 Japanese “smart” toilet and taking control of the bidet is a neat trick or a mean prank, but it’s not the type of security issue most people will ever have to worry about.

But what about a hackable front-door lock, motion detector or security camera?

The Bluetooth-controlled Satis smart toilet was just one of the many connected devices that security researchers hacked at the Black Hat and Def Con computer security conferences in Las Vegas. They also opened front door locks, hijacked power outlets, took over the hubs that coordinate all the home-automation devices, and did some very creepy things with a toy bunny.

Manufacturers are rushing to connect everyday objects around the house to the Internet so people can do things like control them with smartphones. It’s already possible to remotely turn lights off and on or put them on a timer. Motion detectors can be connected to alarms, windows can text you when they’re opened, thermometers will know when you’re home or away and adjust the temperature accordingly. You can see a live stream of security cameras in your house from halfway around the world using mobile apps.

There’s even an oven that can be controlled with an Android app.

These devices are commercially available now and they’re making the smart home of the future a reality, but researchers warn that security for these devices isn’t being taken seriously enough by manufacturers or the people buying them.

The Jetsons never had to worry about an attack that turned Rosie the maid into a remote surveillance device, but we should.

In 2012, 1.5 million home automation products were shipped in the U.S. That number is predicted to soar to 8 million by 2017. One of the most popular wireless standards for these home automation devices is Z-Wave, and an estimated 5 million Z-Wave devices will be shipped this year in the United States.

A bunny goes bad

Security researchers say that connecting anything to a network opens it up for attacks, and they’re eagerly testing smart devices to find flaws and inform manufacturers.

Software engineer Jennifer Savage bought a cute bunny toy called Karotz for her daughter. The plastic bunny can be controlled from a smartphone app and is outfitted with a video camera, microphone, RFID chip and speakers. After testing the security of the toy, Savage was able to take control of it from a computer and remotely watch live video, turning it into an unwitting surveillance camera.

The most obvious threat seems to be home security devices. A smart door lock is designed to be opened with a PIN code or an app. Using a smartphone, you can change the code from anywhere — great for people with heavy Airbnb traffic.

At a Black Hat session, Daniel Crowley demonstrated how a third party can hack into a front-door lock and open it from a computer. He then asked for a random four-digit number from the audience and successfully changed the lock’s code. Crowley says that smart-lock technology is still way too immature to trust.

“If someone breaks into your house and there’s no sign of forced entry, how are you going to get your insurance company back?” he said.

In another talk, Behrang Fouladi and Sahand Ghanoun demonstrated a hack that opened a smart lock that used the Z-Wave protocol. They said that these types of attacks are difficult to detect and don’t leave much of a trail. They also said that by keeping its standards closed, Z-Wave made it difficult for security researchers to find and report flaws early.

Many manufacturers were responsive to the discoveries and are working to address the security flaws. But as a stream of new connected devices continues to pop up in homes, so will new security holes.

Without increased attention to security of connected devices, burglars of the future won’t need crowbars and ski masks. They could monitor your home network or security cameras to see when you are out of the house, disable any motion detectors and pop open the front door with a few lines of code.