LAS VEGAS – Hacking the grid took on new meaning at the DefCon hacker conference on Friday when two independent security researchers demonstrated two tools they designed to hack home and business automation and security systems that operate through power lines.
The automation systems let users control a multitude of devices, such as lights, electronic locks, heating and air conditioning systems, and security alarms and cameras. The systems operate on Ethernet networks that communicate over the existing power lines in a house or office building, sending signals back and forth to control devices.
The problem is that all of these signals are sent unencrypted, and the systems don’t require devices connected to them to be authenticated. This means that someone can connect a sniffer device to the broadband power network through an electrical outlet and sniff the signals to gather intelligence about what’s going on in a building where the systems are installed – such as monitoring the movements of people in houses where security systems with motion sensors are enabled. They can also send commands through the network to control devices that are connected to it — for example, to turn lights on or off or to disable alarms and security cameras.
“None of the manufacturers have implemented really any security whatsoever on these devices,” said Dave Kennedy, one of the researchers. “It’s such an immature technology.”
Kennedy, aka Rel1k, and Rob Simon, aka Kc57, spent two months researching and designing their open-source tools to conduct the hacks. The tools focus on home-automation systems that are based on the X10 protocol, which doesn’t support encryption. They also looked at the Z-Wave protocol, which does support AES encryption, but the one device they found that was using it implemented the encryption incorrectly – the key exchange was done in the clear, so an attacker could intercept the keys and decrypt all of the communication.
The tools, which they’re releasing to the public, include the X10 Sniffer to determine what’s connected to the power network and monitor what the devices are doing, and the X10 Blackout, which can jam signals to interfere with the operation of lights, alarms, security cameras and other devices.
The researchers demonstrated the Sniffer and Blackout devices they designed, which plug into a power socket inside or outside a house, or even into an outlet in a house next door, since signals can leak out from a house and carry for some distance. Kennedy said that while testing one of the devices from his house in Ohio, he picked up signals from home automation systems belonging to 15 neighbors.
The tools need to be preprogrammed with commands the hackers want to send. For example, the tools can be preprogrammed to send a jamming signal if a security system is triggered by someone opening a door or window. This would prevent an alarm from sounding and alerts from being sent out to police and the property owner. The researchers are working on a GSM-enabled tool that would allow attackers to receive sniffed data remotely on their cell phones (currently the sniffed data is written to external storage) as well as send commands in real time back to the tool via text messaging.
Thieves could monitor a house to determine when the occupants are generally gone based on signals indicating when lights are turned off, doors and windows are closed and the alarm system is enabled. Then they could send out jamming signals from the tool to disable motion sensors and alarms before breaking into the house. They could also completely fry the system by overloading it with rapid-fire commands, though Kennedy acknowledged that this could potentially cause a fire.
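The unencrypted, unauthenticated signalling described earlier and the rapid-fire overload mentioned in this paragraph, as an added example that is not part of the article or of the researchers' tools: a Python decoder for X10 powerline frames (bit patterns from the public X10 spec) with a rate check a defender could run over a receiver's frame log. The sample frames, timestamps and thresholds are constructed.

```python
from collections import deque
# House codes A..P and unit codes 1..16 share one 4-bit table (public X10 spec).
CODE_TABLE = ["0110", "1110", "0010", "1010", "0001", "1001", "0101", "1101",
              "0111", "1111", "0011", "1011", "0000", "1000", "0100", "1100"]
HOUSE = {c: chr(ord("A") + i) for i, c in enumerate(CODE_TABLE)}
UNIT = {c: i + 1 for i, c in enumerate(CODE_TABLE)}
FUNCTION = {"0000": "ALL_UNITS_OFF", "0001": "ALL_LIGHTS_ON", "0010": "ON", "0011": "OFF",
            "0100": "DIM", "0101": "BRIGHT", "0110": "ALL_LIGHTS_OFF", "0111": "EXTENDED_CODE",
            "1000": "HAIL_REQUEST", "1001": "HAIL_ACK", "1010": "PRESET_DIM_1", "1011": "PRESET_DIM_2",
            "1100": "EXTENDED_DATA", "1101": "STATUS_ON", "1110": "STATUS_OFF", "1111": "STATUS_REQUEST"}

def _unpair(half_cycles):
    """Data bits travel as complementary half-cycle pairs (1 -> '10', 0 -> '01').
    This pairing is X10's only integrity check: it catches line noise, not forgery."""
    bits = ""
    for i in range(0, len(half_cycles), 2):
        pair = half_cycles[i:i + 2]
        if pair not in ("10", "01"):
            raise ValueError(f"bad complement pair {pair!r} at half-cycle {i}")
        bits += pair[0]
    return bits

def decode_frame(half_cycles):
    """Decode one 22-half-cycle frame into (house, unit number or function name).
    No sender field, sequence number or MAC exists: any well-formed frame is obeyed."""
    if len(half_cycles) != 22 or half_cycles[:4] != "1110":   # 1110 = start code
        raise ValueError("not an X10 frame (bad length or start code)")
    house = HOUSE[_unpair(half_cycles[4:12])]
    key = _unpair(half_cycles[12:22])            # 4 code bits + 1 suffix bit
    code, is_function = key[:4], key[4] == "1"
    return house, (FUNCTION[code] if is_function else UNIT[code])

def flag_bursts(events, window_s=1.0, max_frames=4):
    """Return indices of frames that push the rate above max_frames per window_s
    seconds (assumed thresholds); a sustained flood is the rapid-fire overload."""
    flagged, recent = [], deque()
    for idx, (ts, frame) in enumerate(events):
        decode_frame(frame)                      # reject malformed frames first
        recent.append(ts)
        while ts - recent[0] > window_s:
            recent.popleft()
        if len(recent) > max_frames:
            flagged.append(idx)
    return flagged

A1 = "1110" + "01101001" + "0110100101"          # constructed: house A, unit 1
A_ON = "1110" + "01101001" + "0101100110"        # constructed: house A, ON
A_OFF = "1110" + "01101001" + "0101101010"       # constructed: house A, OFF
NORMAL = [(0.0, A1), (0.2, A_ON), (30.0, A1), (30.2, A_OFF)]
FLOOD = [(i * 0.05, A_OFF) for i in range(20)]  # 20 OFF frames inside one second
```

Because the decoder accepts any frame that passes the complement check, the only signal a receiver can act on is behaviour, such as the burst rate checked above.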
The researchers said they hadn’t notified the makers of automation systems about the vulnerabilities in their systems, but said they are hoping their project will bring attention to the security problems.
Saturday, June 30, 2012
Hacking Home Automation Systems Through Your Power Lines