With the holiday season around the corner, thoughts turn to a warm home brightened up by the twinkle of seasonal decorations. It’s always tempting to opt for the high-tech solution and control your festive lights with one of the growing number of home automation devices available. However, Symantec has found that some of these devices contain security flaws that could allow attackers to gain access to your home network. 

Two home automation hubs tested by Symantec had multiple security flaws that could potentially allow attackers to gain access to the hubs themselves and, by extension, to other devices connected to them.

A Pandora’s Box  
There is a huge range of smart home devices that could find their way into your house this holiday season including smart entertainment systems, smart thermostats, smart door locks, security alarm systems and more. Many of these smart home devices connect wirelessly to a central hub which lets you manage them all from a smartphone or web browser. We started our analysis with two smart power plug and hub combinations.

Smart hubs and security
The first hub we looked at uses Wi-Fi and its own radio protocol for communication. To ensure that the hub is running the latest version of its firmware, it periodically checks the internet for firmware updates. This is a good practice, as users are unlikely to manually update their IoT devices themselves and could potentially fall foul of unpatched, exploitable vulnerabilities.

However, in this case, the firmware updates were not digitally signed and were downloaded from an open Trivial File Transfer Protocol (TFTP) server. This could allow an attacker on the same network to redirect the device to a malicious TFTP server that could then send a malicious firmware update to the device. This would cause the complete setup to be compromised and other connected devices could also be attacked, as the attacker would have full control over the hub. 

The user can store this hub’s configuration details in a cloud service, allowing them to manage the device from the internet through any web browser. Unfortunately, the user’s account is protected by a simple, four-digit PIN code. This can be easily cracked with the tools available to today’s attackers. 

The second smart home hub that we tested was not much better. This one did not use any authentication method for commands that were sent in the internal network. If an attacker is on the same Wi-Fi network as the hub, then they could gain control of any device connected to the hub. They could even go a step further, as the hub had a remote code execution vulnerability, allowing the attacker to execute arbitrary commands with root privileges on the hub.

Smart protection
Security varies a lot with different smart home devices, so it is difficult to give generic advice to users. Here are a few points to consider when installing smart home devices:

• Only enable remote administration from the internet if you really need it
• Set a strong password for the devices where possible
• Use strong passwords and WP2 encryption to protect your Wi-Fi network
• Use trusted smart home brands from companies that invest in security

You should be vigilant when installing smart home devices and make sure that you understand the devices’ configuration settings. We at Symantec will keep our eyes open on the smart home device market and continue to inform vendors about discovered weaknesses in the devices we study.