Roy Solberg

My dumb smart home
tl;dr It isn't that the home automation system HDL-BUS Pro has any security holes; it doesn't have any security. If your house, the hotel you're staying at or your business uses HDL you should definitely read on.

This spring I moved into my new house. When building a house in 2014/2015 you kind of feel obligated to make it a bit smart. Being a programmer makes it a must. I looked into quite a few systems and protocols for home automation. Since this is a new building I preferred a cabled system instead of a wireless one. The electrical contractor for the house wasn't very up to date on smart homes, but luckily they had a few electricians who knew and installed HDL-BUS Pro systems. So a bit coincidentally I ended up with HDL.

Long before the actual installation I went to a training for "programming" (configuring really) the system. I was very curious about the underlying protocol and how stuff worked under the hood. Luckily HDL is open about its buspro protocol - and that's a healthy sign - and I learned about and was given the specification for the internal communication between the components. This was when I first was a bit surprised about the lack of security. It's a straightforward, simple protocol - and that's a good thing - but it completely lacks encryption, authentication and authorization.

HDL has a component called IP gateway which is a gateway between ethernet and the wired HDL components. The IP gateway is necessary to configure the components through the Windows application called HDL-BUS Pro Setup Tool. It also supports remote configuration from anywhere on the Internet.

Security precaution #1
If you have an IP gateway connected to your ethernet you want to make that a network that isn't reachable for unauthorized parties - meaning that neither the wired nor the wireless network should be available to anyone you don't trust. My neighbour was over the other day and casually asked "What's the password for the Wi-Fi?" Of course, I run the guest Wi-Fi in my house on a separate network so I could give him access. However, I suspect that most people (or businesses) with HDL don't realize the dangers and let anyone access the same network. If you want your IP gateway to be available via your Wi-Fi you want to make sure that the encryption, password and security in general are at a high level.

Security precaution #2
Very much like precaution #1 regarding Wi-Fi and cabled ethernet, you should think twice if you have your ethernet available over your powerlines. What about that power outlet you have outside your house or just inside the garage?

Security precaution #3
With so many "trusted" devices connected to your Wi-Fi, chances are that the security of one or more of them has been compromised. A typical home Wi-Fi for a family has several phones, tablets, laptops, TVs, and a video game console connected. Also, with the Internet of Things on the rise, more and more units are allowed on your local network. If only one of those is compromised, someone could theoretically get access to your smart home. Considering precautions #1-3 you probably shouldn't have the IP gateway connected to the ethernet at all.

Security precaution #4
Do you have any outdoor sensors for e.g. temperature or motion connected to your system? Well, I don't think you should. What happens if someone hooks up an IP gateway and a computer on that unit or the unit's wires? Correct, they have full access to your system.

Security precaution #5
Being on an ethernet with an HDL system and a recent version of the IP gateway's firmware lets you enable remote access. So, have you possibly had any unwelcome guests connected to your local network at some point? Have you checked if someone has enabled remote access to your system? Or maybe they just fetched the IP address, username and password from the IP gateway. Either way someone could access your system remotely at any desired time later on. My advice is to have the remote connection disabled.

Security precaution #6
If you have ever accessed your HDL system remotely through the IP gateway you should consider changing the login info and/or disabling the remote access. As mentioned, HDL doesn't have any encryption, meaning that nearly anyone could possibly have picked up your login info when connecting through the Internet.

Security precaution #7
HDL has an SMS gateway that lets you text commands to the HDL system. Typically a set of phone numbers is whitelisted for sending commands. Commands can be something like "VACATION", "ALARM OFF", "OPEN GARAGE". It is very easy to spoof a phone number when sending a text. If someone knows - or guesses - the phone number you send commands from, so can they. If someone has/had access to the SMS gateway, that someone could know the commands and even set up other commands.

Hacking scenario #1
So, what's the problem with having anyone connected to your HDL system either remotely or locally? Well, what if someone reads the status of the motion sensors? Then it could be possible to know if there's anybody home, maybe they could even make educated guesses about who's home depending on which areas are in use. You don't post a sign outside your home telling potential burglars that you aren't home, so you shouldn't let your smart home do that either.

Hacking scenario #2
Okay, somebody knows that no one's home, but you're protected by your smart home, aren't you? Motion detectors, alarm sound, blinking lights, SMS warnings on intrusion. If someone has access to your HDL system they can easily turn this off. They could even turn it off, break in, turn the alarm system back on after leaving, and you wouldn't have a clue what happened.

Hacking scenario #3
If you have smoke detectors connected to the system, any communication with the HDL system can be disabled.

Hacking scenario #4
Got your garage door connected to the system? Or even your front door? Well, you've probably figured it out by now. The doors can be opened (after disabling any alarms).

Hacking scenario #5
Someone could connect to your system and do vandalism like turning the heat on full or controlling the blinds. Some things might be considered just a prank, but what if someone pushes the dimmers, relays and heating to the edge by either turning them on and off quickly or turning them to 100%? Would it do damage to the components? Cause a fire?

Hacking scenario #6
Those previous five scenarios were the ones off the top of my head. I'm sure you can think of a sixth and endlessly more yourself.

Conclusion
This isn't some zero-day vulnerability disclosure of HDL-BUS Pro. The system is working as intended. These are just my observations, worries and security tips when dealing with HDL. Make your local network secure, consider not having an IP gateway connected, make sure wires and components aren't accessible for anyone who shouldn't have access. I wish they taught this at the HDL training.

For those of you relying on your local network security I want to quote a great book I'm reading now - "Abusing the Internet of Things" by Nitesh Dhanjani: "As we add additional IoT devices to our homes, the reliance on WiFi security becomes a hard sell. Given the impact to our physical privacy and safety, it's difficult to stand by the argument that all bets are off once a single device (computer or IoT device) is compromised. Homes in developed countries are bound to have dozens of remotely controllable IoT devices. The single point of failure can't be the WiFi password. What's more, a compromised computer or device will already have access to the network, so a remote attacker does not need the WiFi password."

#hdl #smarthome #homeautomation #iot #security #hdl-bus #buspro #automation +HDL Automation
6 comments
 
The security aspect is a common one for "legacy" bus systems (read: serial bus based ones), and I guess there are several factors - one being the limitations of bus devices in terms of even being able to do any meaningful encryption; another the added complexity of creating such a system in the first place, and actually getting the security bit right.

Until recently this hasn't really been an issue, since the systems have generally been confined to the inside of buildings, cabling all hidden inside walls and ceilings. These days we tend to expect being able to remote control everything (whether it makes sense or not - isn't the point of having a "smart house" to not need to fiddle with settings and such?), and just bridging such a control system to the 'net is, to put it bluntly, just plain dumb. As you point out, even connecting it to your home network can be a bad idea, since the current gateways have no security features (or even traffic filters) whatsoever.

Interesting bit about the new gateway being based on Zipato BTW - I tried asking about that about a year ago when I did the HDL courses but they wouldn't tell me back then :-)

Roy Solberg

Shared publicly  - 
 
Spot the diff! Gotta love working with RTL.. #rtl #l10n #i18n

Roy Solberg
owner

Discussion  - 
 
If you click the link at https://play.google.com/apps/testing/com.roysolberg.android.smarthome you get to try out the latest version of the Android app for HDL Buspro a little bit before everyone else. :)

Roy Solberg

Shared publicly  - 
 
Had to get this code:deck from varianto25.com. It's really cool. :-)


Roy Solberg

Shared publicly  - 
 
Because a mouse and a keyboard is so boring. #windows #xp #fastandfurious

Roy Solberg

Shared publicly  - 
 
Now, that was tempting... #hacking #airhockey #playforfree

Roy Solberg
owner

Discussion  - 
 
You can get the latest beta version of the app by going to https://play.google.com/apps/testing/com.roysolberg.android.datacounter

Roy Solberg

Shared publicly  - 
 
Just saw the "terror alert app" from the French government on http://www.theverge.com/2016/6/8/11881732/france-terrorism-alert-euro-2016-app . Seems like you can watch the URL https://3718fa66e6.optimicdn.com/alert_list.txt to pick up any alerts if you are looking to make your own implementation watching for alerts. #saip #hack #euro2016
