The accumulation of automation and Internet-connected devices in many homes these days has led observers to coin the term smart homes. But as researchers take a closer look at the security of these devices, they’re finding that what these homes really are is naive.
The latest batch of vulnerabilities to hit home automation equipment is in the Tuxedo Touch controller made by Honeywell, a device designed to let users control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet, and researcher Maxim Rupp discovered two vulnerabilities in the Tuxedo Touch that could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.
There are two separate vulnerabilities in the Tuxedo Touch: an authentication bypass bug and a cross-site request forgery flaw. The first vulnerability lets an attacker get around the authentication mechanism in the system.
“The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page. By intercepting and dropping requests containing the string USERACCT=USERNAME:_,PASSWORD:_, an unauthenticated user may bypass authentication and access restricted pages,” an advisory from CERT says.
What this means is that the authentication check runs in the user's browser rather than on the device: when the system asks for a username and password, the request carrying those credentials can simply be dropped and the restricted pages reached anyway. Rupp, a German researcher who has disclosed vulnerabilities in other devices recently, including wind turbines, said via email that exploiting the vulnerability is exceedingly simple.
“It is really [easy] (in my opinion); an attacker with low skill would be able to exploit this vulnerability remotely,” Rupp said.
He added that a quick search of Shodan revealed a few hundred vulnerable Tuxedo Touch devices, but he estimates there are probably many more.
“Shodan detects about 500 devices, of which about 450 are located in America. I think it is possible to detect about 1000 devices with a more thorough search,” he said.
The second vulnerability is a CSRF flaw that can be exploited if there’s an authenticated user with an active session.
“Honeywell Tuxedo Touch Controller contains a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that these actions may include issuing commands to home automation devices controlled by the Tuxedo Touch Controller, such as unlocking or locking doors,” the CERT advisory says.
Honeywell has released a software update that fixes the vulnerabilities Rupp discovered.