Technology has improved a lot and so have the tactics of hackers and cyber offenders. There’s no need to unlock doors or turn off lights manually any longer – hackers now have many other genius ways to get into people’s properties, thanks to the increasing numbers of connected devices in many houses.
Home automation systems provide an easy way for home owners to secure and oversee their property from a smartphone. These systems, however, have faults—they can be accessed by anyone. Even a novice can infiltrate one’s property from any location, even from another continent. When it comes to security gadgets, the security level of many of them does not necessary match the level of their convenience. A locksmith service can still contribute much more to one’s home security than many new smart locks.
According to a security researcher at the German firm Cure53, Maxim Rupp, two of the flaws lie in software, made by one of the biggest technology manufacturers in the US, Honeywell, of Morristown, NJ. Rupp goes on to say it’s very easy for anyone to access the Honeywell Tuxedo Touch web interface, which is used to control all connected parts in the house, such as thermostats, cameras, lights, shades and locks. He further added that the reason is a slackening in authentication.
How do Hackers Manage to Bypass Security?
It’s simple. A request is sent to a specific page on the Tuxedo Touch web interface, such as the one used for door locks, and the attacker would then bypass the username and password when the device asks for it, by dropping and intercepting requests with ” USERACCT=USERNAME:_,PASSWORD:_,”) and enter the page. Any computer geek can do this.
There is also another hacking method, known as the Cross-Site Request Forgery (CSRF) vulnerability, which means that a hacker could send an innocuous link to a Honeywell’s tech user that would force them to launch actions on Tuxedo Touch when logged in.
Rupp also noted that both flaws would allow a hacker to take control of interconnected components, such as temperature regulation, doors and security cameras.
He has been spending his days highlighting dangers that security systems are exposed to. On May 2015, he alerted the US CERT (Computer Emergency Response Team) about bugs that were present in products made by Honeywell Tuxedo Touch. CERT has issued an advisory, noting that the Tuxedo Touch Controllers that have been compromised could be used to operate home automation systems, such as locking and unlocking doors.
Rupp has concluded that vendors working on home automation technology set their main focus on market competition, rather than security related issues.
Further Research Findings
Behind all the controversies, Rupp isn’t the only one who has uncovered security flaws in security gadgets. A security researcher for Tripwire, Craig Young, found issues with the SmartThings Hub and the Wink Hub, MiOS Vera. These flaws could allow hackers to open locks without authorization, change alarm settings, access local area networks and find out when people are not at home.
Young was able to create a malicious web page that gave him access to a user’s home control system when his website was visiting. That was enough to grant full access of the system through different input validation failures on their web interface. In all cases, the users were not required to log-in—a hacker just had to get the user to load the malicious website.
Bottom line: when it comes to home security systems, even smart systems such as Google’s Nest has flaws. Based on the amount of technological resources, manufacturers can do a far better job in protecting people’s homes, rather than focusing on profits and market competition. Until it happens, it’s not a bad idea at all to rely on the old good locks that can be purchased in lock stores, or be installed by locksmith technicians.
The post Honeywell Home Security Leaks: Hackers Found Their Way In appeared first on Locks, keys, doors.