These smart home hubs put your house at risk of hacking
Tripwire discovers zero-day vulnerabilities in three popular smart home products
Hackers could take over your home by exploiting serious flaws in at least three smart devices on the market today.
Criminals could discover when you have left home, change your alarm settings, open locks, access LANs and even hijack smart hubs to launch DDoS attacks, according to cyber security firm Tripwire.
Its Vulnerability and Exposure Research Team (VERT) discovered zero-day flaws in three popular devices available on Amazon, the SmartThings Hub, Wink Hub and a product called Mios from another company called Vera.
All the products are hubs that connect various smart home devices and sensors together and also deliver notifications regarding their statuses to your smartphone, letting you control things like heating levels remotely.
But Tripwire security researcher Craig Young said functionality has come at the cost of secure systems.
"Smart home hubs enable users to have control over the connected devices in their house, but they also open new doors for criminals," he said. "The threat is relatively low for now, but it will increase as malicious actors recognise how much information can be gained by attacking these devices."
While SmartThings and Quirky, the maker of Wink Hub, have released patches, Vera has not yet issued a patch, according to Tripwire.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Hackers could use malicious web pages to take full control of the Vera and Wink hubs, while the SmartThings hub was vulnerable to privileged attackers on the network, such as a telecom firm employee or a state-sponsored attacker.
"These devices can also be used as a gateway to inflict physical damage to a home, and ironically, they actually make homes less secure," said Lamar Bailey, director of research and development at Tripwire.
"For example, many of these devices interface with heating, ventilating and air conditioning controls. An attacker could turn off the heat on a freezing cold night while a family sleeps or worse, when the family is away for the weekend, causing pipes to freeze and burst."
The research firm has urged Internet of Things (IoT) vendors to issue patches, and stressed that customers must apply them regularly.
IT Pro has contacted all affected vendors and has received replies from SmartThings and Wink so far.
A spokeswoman for SmartThings said: "SmartThings was made aware of the issue and worked with a third party security firm to remedy it in full. The firmware update that fixed the issue was pushed automatically to all active hubs in early February 2015.
"This was a mandatory update and all active SmartThings Hubs have been updated. Any inactive hub that was not updated, cannot connect to the SmartThings service and is automatically redirected to an update server."
A Wink spokesman claimed Tripwire took measures to stop its product updating, saying: "In this particular example, Tripwire used an older version of the product and took deliberate extra measures to prevent it from updating to make a specific point. All Wink users received immediate updates to fix this vulnerability. All Wink Hubs from the factory and at our retail partners have been updated with the latest firmware and security measures, as well."
He added: "It is best practice to always keep the software on your connected products up to date. These updates not only give you new features, but help keep your products secure. Wink makes frequent updates to our products and notifies users as soon as updates are available. With critical updates, users are required to update their Wink Hub before continuing to use their products. That ensures they always have the latest features and security measures installed."