These smart home hubs put your house at risk of hacking

Tripwire discovers zero-day vulnerabilities in three popular smart home products

Hackers could take over your home by exploiting serious flaws in at least three smart devices on the market today.

Criminals could discover when you have left home, change your alarm settings, open locks, access LANs and even hijack smart hubs to launch DDoS attacks, according to cyber security firm Tripwire.

Its Vulnerability and Exposure Research Team (VERT) discovered zero-day flaws in three popular devices available on Amazon: the SmartThings Hub, the Wink Hub and a product called Mios from another company called Vera.

All the products are hubs that connect various smart home devices and sensors together and also deliver notifications regarding their statuses to your smartphone, letting you control things like heating levels remotely.

But Tripwire security researcher Craig Young said functionality has come at the cost of secure systems.

"Smart home hubs enable users to have control over the connected devices in their house, but they also open new doors for criminals," he said. "The threat is relatively low for now, but it will increase as malicious actors recognise how much information can be gained by attacking these devices."

While SmartThings and Quirky, the maker of Wink Hub, have released patches, Vera has not yet issued a patch, according to Tripwire.

Hackers could use malicious web pages to take full control of the Vera and Wink hubs, while the SmartThings hub was vulnerable to privileged attackers on the network, such as a telecom firm employee or a state-sponsored attacker.

"These devices can also be used as a gateway to inflict physical damage to a home, and ironically, they actually make homes less secure," said Lamar Bailey, director of research and development at Tripwire.

"For example, many of these devices interface with heating, ventilating and air conditioning controls. An attacker could turn off the heat on a freezing cold night while a family sleeps or worse, when the family is away for the weekend, causing pipes to freeze and burst."

The research firm has urged Internet of Things (IoT) vendors to issue patches, and stressed that customers must apply them regularly.

IT Pro has contacted all affected vendors and has received replies from SmartThings and Wink so far.

A spokeswoman for SmartThings said: "SmartThings was made aware of the issue and worked with a third party security firm to remedy it in full. The firmware update that fixed the issue was pushed automatically to all active hubs in early February 2015.

"This was a mandatory update and all active SmartThings Hubs have been updated. Any inactive hub that was not updated cannot connect to the SmartThings service and is automatically redirected to an update server."

A Wink spokesman claimed Tripwire took measures to stop its product updating, saying: "In this particular example, Tripwire used an older version of the product and took deliberate extra measures to prevent it from updating to make a specific point. All Wink users received immediate updates to fix this vulnerability. All Wink Hubs from the factory and at our retail partners have been updated with the latest firmware and security measures, as well."

He added: "It is best practice to always keep the software on your connected products up to date. These updates not only give you new features, but help keep your products secure. Wink makes frequent updates to our products and notifies users as soon as updates are available. With critical updates, users are required to update their Wink Hub before continuing to use their products. That ensures they always have the latest features and security measures installed."
