These smart home hubs put your house at risk of hacking

Tripwire discovers zero-day vulnerabilities in three popular smart home products

Hackers could take over your home by exploiting serious flaws in at least three smart devices on the market today.

Criminals could discover when you have left home, change your alarm settings, open locks, access LANs and even hijack smart hubs to launch DDoS attacks, according to cyber security firm Tripwire.

Its Vulnerability and Exposure Research Team (VERT) discovered zero-day flaws in three popular devices available on Amazon: the SmartThings Hub, the Wink Hub and a product called Mios from another company called Vera.

All the products are hubs that connect various smart home devices and sensors together and also deliver notifications regarding their statuses to your smartphone, letting you control things like heating levels remotely.

But Tripwire security researcher Craig Young said functionality has come at the cost of secure systems.

"Smart home hubs enable users to have control over the connected devices in their house, but they also open new doors for criminals," he said. "The threat is relatively low for now, but it will increase as malicious actors recognise how much information can be gained by attacking these devices."

While SmartThings and Quirky, the maker of Wink Hub, have released patches, Vera has not yet issued a patch, according to Tripwire.

Hackers could use malicious web pages to take full control of the Vera and Wink hubs, while the SmartThings hub was vulnerable to privileged attackers on the network, such as a telecom firm employee or a state-sponsored attacker.

"These devices can also be used as a gateway to inflict physical damage to a home, and ironically, they actually make homes less secure," said Lamar Bailey, director of research and development at Tripwire.

"For example, many of these devices interface with heating, ventilating and air conditioning controls. An attacker could turn off the heat on a freezing cold night while a family sleeps or worse, when the family is away for the weekend, causing pipes to freeze and burst."

The research firm has urged Internet of Things (IoT) vendors to issue patches, and stressed that customers must apply them regularly.

IT Pro has contacted all affected vendors and has received replies from SmartThings and Wink so far.

A spokeswoman for SmartThings said: "SmartThings was made aware of the issue and worked with a third party security firm to remedy it in full. The firmware update that fixed the issue was pushed automatically to all active hubs in early February 2015.

"This was a mandatory update and all active SmartThings Hubs have been updated. Any inactive hub that was not updated cannot connect to the SmartThings service and is automatically redirected to an update server."

A Wink spokesman claimed Tripwire took measures to stop its product updating, saying: "In this particular example, Tripwire used an older version of the product and took deliberate extra measures to prevent it from updating to make a specific point. All Wink users received immediate updates to fix this vulnerability. All Wink Hubs from the factory and at our retail partners have been updated with the latest firmware and security measures, as well."

He added: "It is best practice to always keep the software on your connected products up to date. These updates not only give you new features, but help keep your products secure. Wink makes frequent updates to our products and notifies users as soon as updates are available. With critical updates, users are required to update their Wink Hub before continuing to use their products. That ensures they always have the latest features and security measures installed."
