SlideShare a Scribd company logo

Home Automation Benchmarking Report

Synack
Synack

Synack completed a benchmarking test in a series of home automation devices from cameras to home automation controllers to thermostats. The devices were examined head to head to derive conclusions on the relative state of security across the board. Interested in what we found?

Technology
1 of 9
Download to read offline
www.synack.com Home Automation Benchmarking
Project Scope Cameras Thermostats Smoke / CO Home Automation Controllers Dlink DCS-2132L Ecobee First Alert SC9120B Control4 HC-250 Dropcam Pro Hive Kidde i2010S Lowes Iris Foscam FI9826W Honeywell Lyric Nest Protect Revolv Simplicam Nest Thermostat SmartThings Withings Baby Monitor
Cameras • All communications encrypted • No public services • Automatic firmware updates • No default credentials • Hardwired connection available • Public firmware is encrypted to some extent • Credential change required on first boot • Encrypted automatic updates • Lost communications alerting • Automatic firmware updates • No hardwired connection • No SSL pinning in mobile app • Communications default to unencrypted • Obfuscates, rather than secures data in transit • Publicly available firmware • Maximum 12 character passwords • Communications default to unencrypted • Obfuscates, rather than secures data in transit • Weak password policy • No certificate validation • Multiple communications are unencrypted • Credentials easily pulled from backups • Hard-coded shared password • Considerable network footprint BEST PRODUCT QUALITIES WORST PRODUCT QUALITIES *The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.
Thermostats • All communications encrypted • Automatic firmware updates • Proper SSL usage / encrypted traffic • Public firmware is encrypted to some extent • Credential change required on first boot • Built on widely used platform • Automatic firmware updates • Encrypted communication • Weak password policy • Weak password policy • Easily guessable configuration token used • Lack of SSL pinning in mobile app • Insecure initial configuration • History of vulnerabilities across product lines • Not all traffic is encrypted • Moderate password policy BEST PRODUCT QUALITIES WORST PRODUCT QUALITIES *The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.
Smoke and CO Detectors • Audible power loss notification • Encrypted network communication • Difficult to tamper with • Impossible to remotely hack, because it lacks connectivity • Impossible to remotely hack, because it lacks connectivity • Weak password policy • Custom configuration protocol / short pairing codes • Not applicable because this is not a “smart” device • Not applicable because this is not a “smart” device BEST PRODUCT QUALITIES WORST PRODUCT QUALITIES *The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.
Home Automation Controllers • Encrypted communications • Strong pairing mechanics • Encrypted communications • Notified if goes offline • Strong password policy • Encrypted communications • Automatic firmware updates • Unsigned firmware • Custom remote management feature • Open ports • Hardcoded API keys • Weak password policy • Exposed telnet service • History of unpatched security issues • Built-in unauthenticated remote management feature • Moderate password policy BEST PRODUCT QUALITIES WORST PRODUCT QUALITIES *The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.
Takeaways • Overall, IoT security is poor, with cameras scoring the lowest • With few exceptions, Nest leads the industry in security practices • A sinking tide incident will likely hit home automation • The industry needs some basic standards to set the bar
Areas to Watch Wi-Fi Jamming • With few exceptions, all Wi-Fi devices are susceptible to jamming • Diversification of used spectrum (2.5Ghz + 5 Ghz, etc.) reduces risk • Hardwired Ethernet options also reduce the risk • Jamming/network down incidents should result in a proactive alert to the user Password strength, Reuse, and Attack Resistance • Basic Password strength requirements should be enforced • Horizontal and vertical password guessing countermeasures should be implemented at application and network layers
Areas to Watch Unencrypted and unauthenticated communications • All communications should use bidirectional encryption • Unauthenticated servers, communications and services should not be allowed Misconfiguration of Encryption • Independent encryption architecture reviews should always be performed. There are thousands of ways to get it wrong, and only a handful of ways to get it right • SSL pinning should be used to prevent man-in-the-middle attacks • Certificate validation should always be performed against a 3rd party • Self-signed certificates should never be used

Recommended

introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
Adel Barkam
 
Security door lock system
Security door lock system Security door lock system
Security door lock system
Dinuka S.J Kuruppuarachchi
 
Business Models for Smart Homes
Business Models for Smart HomesBusiness Models for Smart Homes
Business Models for Smart Homes
Jeffrey Funk Business Models
 
Smart Speakers Introduction
Smart Speakers IntroductionSmart Speakers Introduction
Smart Speakers Introduction
Sourav Sadhukhan
 
Security in an embedded system
Security in an embedded system Security in an embedded system
Security in an embedded system
UrmilasSrinivasan
 
Making the Smart Home More Insightful
Making the Smart Home More InsightfulMaking the Smart Home More Insightful
Making the Smart Home More Insightful
Vectorform
 
Bag-in-Box na Indústria do Food Service
Bag-in-Box na Indústria do Food ServiceBag-in-Box na Indústria do Food Service
Bag-in-Box na Indústria do Food Service
Embaquim Indústria e Comércio Ltda
 
Smart Home / Smart Office
Smart Home / Smart OfficeSmart Home / Smart Office
Smart Home / Smart Office
Karl Seiler
 

Recommended

introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
Adel Barkam
 
Security door lock system
Security door lock system Security door lock system
Security door lock system
Dinuka S.J Kuruppuarachchi
 
Business Models for Smart Homes
Business Models for Smart HomesBusiness Models for Smart Homes
Business Models for Smart Homes
Jeffrey Funk Business Models
 
Smart Speakers Introduction
Smart Speakers IntroductionSmart Speakers Introduction
Smart Speakers Introduction
Sourav Sadhukhan
 
Security in an embedded system
Security in an embedded system Security in an embedded system
Security in an embedded system
UrmilasSrinivasan
 
Making the Smart Home More Insightful
Making the Smart Home More InsightfulMaking the Smart Home More Insightful
Making the Smart Home More Insightful
Vectorform
 
Bag-in-Box na Indústria do Food Service
Bag-in-Box na Indústria do Food ServiceBag-in-Box na Indústria do Food Service
Bag-in-Box na Indústria do Food Service
Embaquim Indústria e Comércio Ltda
 
Smart Home / Smart Office
Smart Home / Smart OfficeSmart Home / Smart Office
Smart Home / Smart Office
Karl Seiler
 
Audio and Video Solutions
Audio and Video SolutionsAudio and Video Solutions
Audio and Video Solutions
КРОК
 
Smart Home Automation - An Overview
Smart Home Automation - An OverviewSmart Home Automation - An Overview
Smart Home Automation - An Overview
Smart Automation
 
Smart car wheels
Smart car wheelsSmart car wheels
Smart car wheels
Shoaibraja74
 
Ip Cameras
Ip CamerasIp Cameras
Ip Cameras
irisZH21
 
Smart Hotel Solution
Smart Hotel SolutionSmart Hotel Solution
Smart Hotel Solution
Gyuhak Choi
 
Score Report CCNA
Score Report CCNAScore Report CCNA
Score Report CCNA
Md. Safayetul Islam Shipu
 
fire detection system
fire detection systemfire detection system
fire detection system
Shaik Suhail
 
Smart home applications in daily life
Smart home applications in daily lifeSmart home applications in daily life
Smart home applications in daily life
Sugata Mondal
 
Smart home solution
Smart home solutionSmart home solution
Smart home solution
tipo-lab
 
Renault Clio Estate
Renault Clio EstateRenault Clio Estate
Renault Clio Estate
Autoblog.it
 
home automation using raspberry pi
home automation using raspberry pihome automation using raspberry pi
home automation using raspberry pi
vatsal jat
 
Steganography
SteganographySteganography
Steganography
Khushbu Chudasama
 
Home automation ppt-kamal lamichhane
Home automation ppt-kamal lamichhaneHome automation ppt-kamal lamichhane
Home automation ppt-kamal lamichhane
Kamal Lamichhane
 
Principles of Optimization and Growth By Jeremy Epperson
Principles of Optimization and Growth By Jeremy EppersonPrinciples of Optimization and Growth By Jeremy Epperson
Principles of Optimization and Growth By Jeremy Epperson
Search Marketing Expo - SMX
 
Real Time Home Automation using Google assistant Iot project presentation
Real Time Home Automation using Google assistant Iot project presentationReal Time Home Automation using Google assistant Iot project presentation
Real Time Home Automation using Google assistant Iot project presentation
zihad164
 
16 camera cctv quotation bangladesh
16 camera cctv quotation bangladesh16 camera cctv quotation bangladesh
16 camera cctv quotation bangladesh
JamField Solution
 
Cognitive Buildings
Cognitive BuildingsCognitive Buildings
Cognitive Buildings
Kim Escherich
 
DashCam
DashCamDashCam
DashCam
Renante Layson
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things Overview
Nicholas Davis
 
Titmus Vision Screener TNO Occupatonal Slide Information
Titmus Vision Screener TNO Occupatonal Slide Information Titmus Vision Screener TNO Occupatonal Slide Information
Titmus Vision Screener TNO Occupatonal Slide Information
Henan Medical
 
Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a House
Synack
 
Table of content For My Home Automation report
Table of content For My Home Automation reportTable of content For My Home Automation report
Table of content For My Home Automation report
Naman Gautam
 

More Related Content

What's hot

Smart Home Automation - An Overview
Smart Home Automation - An OverviewSmart Home Automation - An Overview
Smart Home Automation - An Overview
Smart Automation
 
Home automation ppt-kamal lamichhane
Home automation ppt-kamal lamichhaneHome automation ppt-kamal lamichhane
Home automation ppt-kamal lamichhane
Kamal Lamichhane
 

What's hot (20)

Audio and Video Solutions
Audio and Video SolutionsAudio and Video Solutions
Audio and Video Solutions
 
Smart Home Automation - An Overview
Smart Home Automation - An OverviewSmart Home Automation - An Overview
Smart Home Automation - An Overview
 
Smart car wheels
Smart car wheelsSmart car wheels
Smart car wheels
 
Ip Cameras
Ip CamerasIp Cameras
Ip Cameras
 
Smart Hotel Solution
Smart Hotel SolutionSmart Hotel Solution
Smart Hotel Solution
 
Score Report CCNA
Score Report CCNAScore Report CCNA
Score Report CCNA
 
fire detection system
fire detection systemfire detection system
fire detection system
 
Smart home applications in daily life
Smart home applications in daily lifeSmart home applications in daily life
Smart home applications in daily life
 
Smart home solution
Smart home solutionSmart home solution
Smart home solution
 
Renault Clio Estate
Renault Clio EstateRenault Clio Estate
Renault Clio Estate
 
home automation using raspberry pi
home automation using raspberry pihome automation using raspberry pi
home automation using raspberry pi
 
Steganography
SteganographySteganography
Steganography
 
Home automation ppt-kamal lamichhane
Home automation ppt-kamal lamichhaneHome automation ppt-kamal lamichhane
Home automation ppt-kamal lamichhane
 
Principles of Optimization and Growth By Jeremy Epperson
Principles of Optimization and Growth By Jeremy EppersonPrinciples of Optimization and Growth By Jeremy Epperson
Principles of Optimization and Growth By Jeremy Epperson
 
Real Time Home Automation using Google assistant Iot project presentation
Real Time Home Automation using Google assistant Iot project presentationReal Time Home Automation using Google assistant Iot project presentation
Real Time Home Automation using Google assistant Iot project presentation
 
16 camera cctv quotation bangladesh
16 camera cctv quotation bangladesh16 camera cctv quotation bangladesh
16 camera cctv quotation bangladesh
 
Cognitive Buildings
Cognitive BuildingsCognitive Buildings
Cognitive Buildings
 
DashCam
DashCamDashCam
DashCam
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things Overview
 
Titmus Vision Screener TNO Occupatonal Slide Information
Titmus Vision Screener TNO Occupatonal Slide Information Titmus Vision Screener TNO Occupatonal Slide Information
Titmus Vision Screener TNO Occupatonal Slide Information
 

Viewers also liked

DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
Synack
 
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Gabriel Dusil
 
преимущества и недостатки интернета
преимущества и недостатки интернетапреимущества и недостатки интернета
преимущества и недостатки интернета
Ay_sel
 
Leading in Local! Advance Auto Parts Discusses How To Win The Local Marketing...
Leading in Local! Advance Auto Parts Discusses How To Win The Local Marketing...Leading in Local! Advance Auto Parts Discusses How To Win The Local Marketing...
Leading in Local! Advance Auto Parts Discusses How To Win The Local Marketing...
Placeable
 
Blended learning
Blended learningBlended learning
Blended learning
Ay_sel
 

Viewers also liked (20)

Let's Hack a House
Let's Hack a HouseLet's Hack a House
Let's Hack a House
 
Table of content For My Home Automation report
Table of content For My Home Automation reportTable of content For My Home Automation report
Table of content For My Home Automation report
 
DEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 DevicesDEF CON 23: Internet of Things: Hacking 14 Devices
DEF CON 23: Internet of Things: Hacking 14 Devices
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
 
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningZeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanning
 
Electromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and YouElectromagnetic Hypersensitivity and You
Electromagnetic Hypersensitivity and You
 
Synack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick WardleSynack at AppSec California with Patrick Wardle
Synack at AppSec California with Patrick Wardle
 
Synack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation VulnerabilitiesSynack at AppSec California 2015 - Geolocation Vulnerabilities
Synack at AppSec California 2015 - Geolocation Vulnerabilities
 
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
 
преимущества и недостатки интернета
преимущества и недостатки интернетапреимущества и недостатки интернета
преимущества и недостатки интернета
 
A touch of sin (lee sweet wan)
A touch of sin (lee sweet wan)A touch of sin (lee sweet wan)
A touch of sin (lee sweet wan)
 
Documentary proposal
Documentary proposalDocumentary proposal
Documentary proposal
 
10 Passos para mudar sua vida completamente
10 Passos para mudar sua vida completamente 10 Passos para mudar sua vida completamente
10 Passos para mudar sua vida completamente
 
Leading in Local! Advance Auto Parts Discusses How To Win The Local Marketing...
Leading in Local! Advance Auto Parts Discusses How To Win The Local Marketing...Leading in Local! Advance Auto Parts Discusses How To Win The Local Marketing...
Leading in Local! Advance Auto Parts Discusses How To Win The Local Marketing...
 
Structural insulated panels price
Structural insulated panels priceStructural insulated panels price
Structural insulated panels price
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation Primitives
 
Curriculo atualizado
Curriculo atualizadoCurriculo atualizado
Curriculo atualizado
 
Blended learning
Blended learningBlended learning
Blended learning
 
me
meme
me
 
Giver (archetypes)
Giver (archetypes)Giver (archetypes)
Giver (archetypes)
 

Similar to Home Automation Benchmarking Report

Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Positive Hack Days
 
Hugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric ImpHugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric Imp
Business of Software Conference
 

Similar to Home Automation Benchmarking Report (20)

WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
 
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
Privacy and Security in the Internet of Things / Конфиденциальность и безопас...
 
Network Security: Protecting SOHO Networks
Network Security: Protecting SOHO NetworksNetwork Security: Protecting SOHO Networks
Network Security: Protecting SOHO Networks
 
Unified Threat Management
Unified Threat ManagementUnified Threat Management
Unified Threat Management
 
Myles firewalls
Myles firewallsMyles firewalls
Myles firewalls
 
IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101
 
Hugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric ImpHugo Fiennes - Security and the IoT - Electric Imp
Hugo Fiennes - Security and the IoT - Electric Imp
 
Recover Multi-Vendor Network Infrastructure in minutes
Recover Multi-Vendor Network Infrastructure in minutesRecover Multi-Vendor Network Infrastructure in minutes
Recover Multi-Vendor Network Infrastructure in minutes
 
Zero Trust for Private 5G and Edge
Zero Trust for Private 5G and EdgeZero Trust for Private 5G and Edge
Zero Trust for Private 5G and Edge
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
 
IoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangaloreIoT security zigbee -- Null Meet bangalore
IoT security zigbee -- Null Meet bangalore
 
6-IoT protocol.pptx
6-IoT protocol.pptx6-IoT protocol.pptx
6-IoT protocol.pptx
 
HOME AUTOMATION USING INTERNET OF THINGS.pptx
HOME AUTOMATION USING INTERNET OF THINGS.pptxHOME AUTOMATION USING INTERNET OF THINGS.pptx
HOME AUTOMATION USING INTERNET OF THINGS.pptx
 
Home automation in kerala ,home automation in calicut , home automation
Home automation in kerala ,home automation in calicut , home automation Home automation in kerala ,home automation in calicut , home automation
Home automation in kerala ,home automation in calicut , home automation
 
Secure calling for IP telephony - webinar 2016, English
Secure calling for IP telephony - webinar 2016, EnglishSecure calling for IP telephony - webinar 2016, English
Secure calling for IP telephony - webinar 2016, English
 
Essential Layers of IBM i Security: System-Access Security
Essential Layers of IBM i Security: System-Access SecurityEssential Layers of IBM i Security: System-Access Security
Essential Layers of IBM i Security: System-Access Security
 
ITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdfITN6_Instructor_Materials_Chapter11.pdf
ITN6_Instructor_Materials_Chapter11.pdf
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Power Grid Communications & Control Systems
Power Grid Communications & Control SystemsPower Grid Communications & Control Systems
Power Grid Communications & Control Systems
 

More from Synack

DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
Synack
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
Synack
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
Synack
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS X
Synack
 
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Synack
 

More from Synack (12)

Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack cirtical infrasructure webinar
Synack cirtical infrasructure webinar
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play Doctor
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
 
Gatekeeper Exposed
Gatekeeper ExposedGatekeeper Exposed
Gatekeeper Exposed
 
Virus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing GatekeeperVirus Bulletin 2015: Exposing Gatekeeper
Virus Bulletin 2015: Exposing Gatekeeper
 
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke ItDEF CON 23: Stick That In Your (root)Pipe & Smoke It
DEF CON 23: Stick That In Your (root)Pipe & Smoke It
 
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ...
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS X
 
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl...
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS X
 
Synack at ShmooCon 2015
Synack at ShmooCon 2015Synack at ShmooCon 2015
Synack at ShmooCon 2015
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 

Home Automation Benchmarking Report

  • 2. Project Scope Cameras Thermostats Smoke / CO Home Automation Controllers Dlink DCS-2132L Ecobee First Alert SC9120B Control4 HC-250 Dropcam Pro Hive Kidde i2010S Lowes Iris Foscam FI9826W Honeywell Lyric Nest Protect Revolv Simplicam Nest Thermostat SmartThings Withings Baby Monitor
  • 3. Cameras • All communications encrypted • No public services • Automatic firmware updates • No default credentials • Hardwired connection available • Public firmware is encrypted to some extent • Credential change required on first boot • Encrypted automatic updates • Lost communications alerting • Automatic firmware updates • No hardwired connection • No SSL pinning in mobile app • Communications default to unencrypted • Obfuscates, rather than secures data in transit • Publicly available firmware • Maximum 12 character passwords • Communications default to unencrypted • Obfuscates, rather than secures data in transit • Weak password policy • No certificate validation • Multiple communications are unencrypted • Credentials easily pulled from backups • Hard-coded shared password • Considerable network footprint BEST PRODUCT QUALITIES WORST PRODUCT QUALITIES *The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.
  • 4. Thermostats • All communications encrypted • Automatic firmware updates • Proper SSL usage / encrypted traffic • Public firmware is encrypted to some extent • Credential change required on first boot • Built on widely used platform • Automatic firmware updates • Encrypted communication • Weak password policy • Weak password policy • Easily guessable configuration token used • Lack of SSL pinning in mobile app • Insecure initial configuration • History of vulnerabilities across product lines • Not all traffic is encrypted • Moderate password policy BEST PRODUCT QUALITIES WORST PRODUCT QUALITIES *The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.
  • 5. Smoke and CO Detectors • Audible power loss notification • Encrypted network communication • Difficult to tamper with • Impossible to remotely hack, because it lacks connectivity • Impossible to remotely hack, because it lacks connectivity • Weak password policy • Custom configuration protocol / short pairing codes • Not applicable because this is not a “smart” device • Not applicable because this is not a “smart” device BEST PRODUCT QUALITIES WORST PRODUCT QUALITIES *The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.
  • 6. Home Automation Controllers • Encrypted communications • Strong pairing mechanics • Encrypted communications • Notified if goes offline • Strong password policy • Encrypted communications • Automatic firmware updates • Unsigned firmware • Custom remote management feature • Open ports • Hardcoded API keys • Weak password policy • Exposed telnet service • History of unpatched security issues • Built-in unauthenticated remote management feature • Moderate password policy BEST PRODUCT QUALITIES WORST PRODUCT QUALITIES *The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.
  • 7. Takeaways • Overall, IoT security is poor, with cameras scoring the lowest • With few exceptions, Nest leads the industry in security practices • A sinking tide incident will likely hit home automation • The industry needs some basic standards to set the bar
  • 8. Areas to Watch Wi-Fi Jamming • With few exceptions, all Wi-Fi devices are susceptible to jamming • Diversification of used spectrum (2.5Ghz + 5 Ghz, etc.) reduces risk • Hardwired Ethernet options also reduce the risk • Jamming/network down incidents should result in a proactive alert to the user Password strength, Reuse, and Attack Resistance • Basic Password strength requirements should be enforced • Horizontal and vertical password guessing countermeasures should be implemented at application and network layers
  • 9. Areas to Watch Unencrypted and unauthenticated communications • All communications should use bidirectional encryption • Unauthenticated servers, communications and services should not be allowed Misconfiguration of Encryption • Independent encryption architecture reviews should always be performed. There are thousands of ways to get it wrong, and only a handful of ways to get it right • SSL pinning should be used to prevent man-in-the-middle attacks • Certificate validation should always be performed against a 3rd party • Self-signed certificates should never be used