I had the pleasure of attending the DEF CON 22 conference in Las Vegas earlier in August 2014. I heard many interesting talks, one of which was too cool not to write about. The title was “Learn how to control every room at a luxury hotel remotely: The dangers of insecure home automation deployment” by Jesus Molina (slides available here; find Molina on Twitter @verifythentrust).
In this post I want to first introduce the talk and paraphrase some of what the speaker said. Then I’ll go on to talk about how we might better secure the kinds of infrastructures that Molina discussed. Molina opened and closed his session at DEF CON by asking this thought-provoking question: If I were to tell you that someone is able to control every appliance in your hotel room, would you move to another hotel tonight?
Molina had been staying at a five-star hotel in China when he noticed an iPad that was part of his room. The iPad was used to control various appliances in the room—TV, lights and blinds, to name a few. The iPad gave the guest full access to all of its applications and features, which enabled Molina to identify that it was connected to the hotel guest WiFi network. Guest networks are usually open at minimum to all hotel guests (hence the name).
Molina proceeded to investigate how the iPad was communicating with the appliances. Could he use it to control appliances in other rooms? Or better yet, could he reign over all hotel appliances from his notebook computer? Since the network was not secured and the iPad was communicating without using Transport Layer Security (TLS), Molina was able to see in clear text the communication between the iPad and the appliances.
After finding some online documentation about the home automation communication protocol used, he was able to use his notebook to send commands over the guest network and control the appliances in his room. He then decided to try to control appliances in other rooms, and he was again successful. If you are wondering how he verified control of other rooms, he called the front desk several times asking to change his room assignment (very clever). The story ends with Molina disclosing his discovery to the hotel and helping them secure their home automation infrastructure.
This is a typical example of integration between the Internet of Things (IoT) and mobile. Companies glue a mobile device onto the front end of their Internet-connected devices and call it complete. Molina calls it “guerrilla war deployment” because home automation communication protocols are either closed (as opposed to open source), insecure (they rely on external security) or both. Molina was able to control 200-plus rooms at a five-star hotel in less than one day. How alarming is this to you?
I have been reflecting on this and I wonder, what is the right way to secure this kind of infrastructure? In the rest of this post, I will point at a few possible solutions and their drawbacks (if any).
What if the hotel were to lock down the iPad so that the user could only access the home automation application? Is that enough? That will certainly deter the merely curious person, but probably not the tenacious one. A mobile device left unattended, without hardened security, is at the mercy of the people around it.
What if the hotel had a separate network to facilitate communication between the mobile device and the appliances? Is that enough? That is certainly a great step in the right direction. Home automation protocols are still evolving, which means their security is rudimentary at best. Having a separate network for your “things” will allow for a great degree of control, such as enabling the TLS or SSL protocols and device-to-network authentication (device registration). However, doing this without also securing the mobile device, which acts as the entry point in the home automation system, could be ineffective.
Security must be placed closest to the thing you care about the most. If data is what you care about, then the data itself needs to be encrypted, not just everything around it. The challenge in a home automation system is the attached devices (“things”), each with different capabilities. Not all devices are able to do AES-grade encryption and decryption. This is a limitation that will always exist, which drives the need for multiple points of protection in such a system.
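One way to put protection on the appliance itself, as an added example that is not part of Molina's talk or the hotel's system: each room's appliances are provisioned with a room-bound key at device registration, every command carries a counter and an HMAC-SHA256 tag, and the appliance rejects anything unsigned, signed with another room's key, tampered with, or replayed. The message format, room numbers and keys below are constructed for illustration; HMAC is chosen because it is cheap enough for constrained devices that cannot run TLS, but it authenticates commands without encrypting them.

```python
import hmac
import hashlib

# Constructed, hypothetical per-room keys provisioned at device registration.
# In practice these come from a key-management step, never hard-coded.
ROOM_KEYS = {
    "1201": b"room-1201-key-constructed",
    "1202": b"room-1202-key-constructed",
}


def build_command(room, key, counter, device, action):
    """Controller side (the room's iPad): tag a command with the room key."""
    payload = f"{room}|{counter}|{device}|{action}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload + b"|" + tag.encode()


class Appliance:
    """An appliance that only accepts authenticated, fresh commands for its own room."""

    def __init__(self, room, key):
        self.room = room
        self.key = key
        self.last_counter = 0   # highest counter accepted so far (replay protection)
        self.state = {}

    def handle(self, message):
        try:
            room, counter, device, action, tag_hex = message.decode().split("|")
            counter = int(counter)
            tag = bytes.fromhex(tag_hex)
        except ValueError:
            # Unsigned cleartext commands, like the ones seen on the guest WiFi, land here.
            return "rejected: malformed"
        payload = f"{room}|{counter}|{device}|{action}".encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        # Constant-time comparison; a tag made with another room's key fails here.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        if room != self.room:
            return "rejected: wrong room"
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        self.state[device] = action
        return f"ok: {device} -> {action}"
```

A network capture still reveals which commands are sent, so this complements, rather than replaces, the separate network and TLS discussed above.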
I close with the same question Molina asked: If I were to tell you someone is able to control every appliance in your hotel room, would you move to another hotel tonight? Connect with me on Twitter @tearoks and share your thoughts.