These smart home hubs put your house at risk of hacking

Tripwire discovers zero-day vulnerabilities in three popular smart home products

Hackers could take over your home by exploiting serious flaws in at least three smart devices on the market today.

Criminals could discover when you have left home, change your alarm settings, open locks, access LANs and even hijack smart hubs to launch DDoS attacks, according to cyber security firm Tripwire.

Its Vulnerability and Exposure Research Team (VERT) discovered zero-day flaws in three popular devices available on Amazon: the SmartThings Hub, Wink Hub and a product called Mios from another company called Vera.

All the products are hubs that connect various smart home devices and sensors together and also deliver notifications regarding their statuses to your smartphone, letting you control things like heating levels remotely.

But Tripwire security researcher Craig Young said functionality has come at the cost of secure systems.

"Smart home hubs enable users to have control over the connected devices in their house, but they also open new doors for criminals," he said. "The threat is relatively low for now, but it will increase as malicious actors recognise how much information can be gained by attacking these devices."

While SmartThings and Quirky, the maker of Wink Hub, have released patches, Vera has not yet issued a patch, according to Tripwire.

Hackers could use malicious web pages to take full control of the Vera and Wink hubs, while the SmartThings hub was vulnerable to privileged attackers on the network, such as a telecom firm employee or a state-sponsored attacker.

"These devices can also be used as a gateway to inflict physical damage to a home, and ironically, they actually make homes less secure," said Lamar Bailey, director of research and development at Tripwire.

"For example, many of these devices interface with heating, ventilating and air conditioning controls. An attacker could turn off the heat on a freezing cold night while a family sleeps or worse, when the family is away for the weekend, causing pipes to freeze and burst."

The research firm has urged Internet of Things (IoT) vendors to issue patches, and stressed that customers must apply them regularly.

IT Pro has contacted all affected vendors and has received replies from SmartThings and Wink so far.

A spokeswoman for SmartThings said: "SmartThings was made aware of the issue and worked with a third party security firm to remedy it in full. The firmware update that fixed the issue was pushed automatically to all active hubs in early February 2015.

"This was a mandatory update and all active SmartThings Hubs have been updated. Any inactive hub that was not updated cannot connect to the SmartThings service and is automatically redirected to an update server."

A Wink spokesman claimed Tripwire took measures to stop its product updating, saying: "In this particular example, Tripwire used an older version of the product and took deliberate extra measures to prevent it from updating to make a specific point. All Wink users received immediate updates to fix this vulnerability. All Wink Hubs from the factory and at our retail partners have been updated with the latest firmware and security measures, as well."

He added: "It is best practice to always keep the software on your connected products up to date. These updates not only give you new features, but help keep your products secure. Wink makes frequent updates to our products and notifies users as soon as updates are available. With critical updates, users are required to update their Wink Hub before continuing to use their products. That ensures they always have the latest features and security measures installed."
