International. Security researchers Chase Dardaman and Jason Wheeler found three security flaws in an intelligent center that, when chained together, could be abused to open a front door with a smart lock.
The report notes that security experts have long warned that adding an internet connection to a device increases the attack surface, making the devices less secure than their traditional counterparts. Smart home hubs that control a home's smart devices, such as water meters and even the front door lock, can be mistreated to allow homeowners into a tenant's home whenever they want.
In January, security expert Lesley Carhart wrote about her landlord's decision to install smart locks, forcing her to look for a new home. Other tenants and tenants have faced similar pressure from their landlords and even sued to retain the right to use a physical key.
Dardaman and Wheeler began investigating the ZipaMicro, a popular smart home hub developed by Croatian firm Zipato, a few months ago, but only published their findings once the flaws were fixed.
The researchers discovered that they could extract the hub's private SSH key for "root," the user account with the highest level of access, from the memory card in the device. Anyone with the private key could access a device without needing a password, Wheeler said.
They later discovered that the private SSH key was encrypted in each center sold to customers, putting at risk every home with the same center installed.
Using that private key, the researchers downloaded a file from the device that contained encrypted passwords used to access the center. They found that the smart hub uses a pass-the-hash authentication system, which doesn't require knowing the user's plaintext password, only the coded version. By taking the encrypted password and passing it to the smart hub, the researchers were able to trick the device into thinking they were the owners.
All an attacker had to do was send an order to tell the lock to open or close. With just a few lines of code, the researchers created a script that blocked and unlocked a smart lock connected to a vulnerable smart hub.
Worse, Dardaman said any apartment building that registered a primary account for all the apartments in his building would allow them to "open any door" from the same password hash.
The researchers acknowledged that their findings were not a perfect master key to everyone's homes. To exploit the flaws, an attacker would need to be on the same Wi-Fi network as the vulnerable smart hub. Dardaman said any center connected directly to the Internet would be exploitable remotely. The researchers found five vulnerable devices with Shodan, a search engine for publicly available devices and databases.
Zipato says it has 112,000 devices in 20,000 homes, but the exact number of vulnerable centers is not known.
Source: TechCrunch.
