I found myself in the middle of an interesting dispute this week. On the one hand was a security company of good repute, Trustwave, whose researchers had analyzed a slew of smart home appliances and home automation systems ahead of a scheduled talk next week at the Black Hat Briefings. On the other hand was an up-and-coming maker of hardware for “smart homes” who was arguing, in essence, that his company’s tech-savvy users didn’t need hand-holding when it came to security.
Who should we believe?
First some context: home automation gateways are the next big thing in technology – key pieces of hardware (and software) that will allow a universe of intelligent devices within your home to talk to each other, to mobile devices (your phone) and to the larger Internet. Think of them like SCADA or industrial control system (ICS) hardware for the Laura Petrie set.
Needless to say: the researchers who studied the burgeoning market for smart appliances and home automation systems found the technology wanting.
In fact, the problems these researchers identified were the kinds of things we in the security industry were writing about 10 or 15 years ago: a lack of basic authentication requirements to access administrative interfaces, open ports that leave the devices discoverable to Internet scans, no privilege separation for user accounts, and hard-coded passwords. In one example, a brand of “smart” toilet by a prominent Japanese firm has the same hard-coded Bluetooth passcode, “0000,” which is (coincidentally) a common default sync passcode for many Bluetooth-enabled devices, creating the possibility of a whole new category of “overflow” attacks.
More serious questions were raised about one brand of home automation gateway, the VeraLite, from the company Mi Casa Verde.
Trustwave researchers Daniel Crowley and David Bryan told me that their analysis of a VeraLite device revealed a number of serious security concerns. VeraLite devices communicate on home networks using the Universal Plug ’n Play (UPnP) protocol, which does not natively support user authentication. That means that any user or device on a (home) network that tries to connect to a VeraLite controller is assumed to be a trusted user.
There were other issues, too. When local authentication is implemented, VeraLite requires local authentication credentials and those for remote access to be identical, meaning that users who manage to crack the device locally would be able to use the same credentials to access it remotely. VeraLite devices contain a password file (/etc/passwords), accessible to all users, that contains password hashes for all other users. And MIOS uses a network of “forwarding servers” to broker remote user access to their devices, but each forwarding server is basically configured as a device with “hundreds of ports” open, each tunneling to a VeraLite device in the field. While Trustwave didn’t attempt to compromise the security of one of these forwarding servers, they posited that any attacker who did so would gain access to the administrative interfaces of any of the hundreds (or thousands) of VeraLite devices that used that server as a broker.
That all sounds pretty serious. Imagine my surprise, then, when Mi Casa Verde, the company that markets and sells MIOS’s VeraLite device, confirmed the bulk of what Trustwave reported about the VeraLite and told me that, more or less, that’s how the device is supposed to operate.
“Yes, the ‘Mi Casa Verde Vera’ branded version of our gateway allows the owner to SSH into his Vera with root access, and thus he has complete access to the system,” Aaron Bergen wrote to me in an e-mail. “This is by design because Vera has a lot of power users that do all sorts of advanced things and want to have root access.” The company’s decision to forgo a secure-by-default configuration was akin to a mobile phone maker offering a “‘geek-friendly’ version that lets the user get full read/write access to the file system and run his own code,” Bergen said.
Trustwave was never able to “demonstrate an actual vulnerability, ie (sp) something that would allow them to access someone else's system, they only demonstrated that they had full access to their own system as described in the docs,” he said. Further, Trustwave wanted Mi Casa Verde to “block our users from accessing their own Vera's,” Bergen argued. “But this would cause a furor among our community.”
Now, to be sure, Mi Casa Verde and the VeraLite do have a loyal following. And, in these early days, most customers for home automation gateways are pioneers and, thus, more likely to be technical and desirous of options to configure their hardware and software to their liking. But I think the myth of the discerning power user is just that – a myth, and a potentially destructive one at that.
After all, Trustwave wasn’t proposing that Mi Casa Verde lock down their devices – merely to give some thought to security during the development of their products, and to the possibility of a malicious actor after deployment. Doing so would necessitate configurations that were secure by default.
After all, Trustwave’s failure to “find a vulnerability” wasn’t a product of Mi Casa Verde’s ironclad protections, but merely a matter of law and ethics, the Trustwave researchers made clear. Simply put: they weren’t going to “go there.”
We’ve written about this before. Time and again, technologically sophisticated firms fail to provide adequate security not because they don’t understand the issues at hand, but because they fail to see their devices as the target of malicious actors.
But in talking up its sophisticated user base, Bergen is trying to have it both ways. Mi Casa Verde’s web site, after all, states that its goal is to “make the connected world a simpler & more affordable place.” “For too long,” Mi Casa Verde claims, “‘smart home’ technologies have been too complicated & expensive for everyday people. There’s no reason why they should be. That’s why we started Mi Casa Verde… Our team is passionately devoted to making these technologies accessible to anyone.”
In short, I think that invoking the wrath of the “power user” on the one hand, while talking up your appeal to Ordinary Joe on the other, is cynical. The issue revealed by Trustwave’s research and that of others puts the onus on Mi Casa Verde and other companies like it to provide default protections (like local authentication requirements) that raise the bar for would-be attackers. Failing to do so would be a failure to understand the lessons of the past. And we all know what happens to folks who fail to do that!