Forbes Reporter Remotely Hacks Smart Homes

The connected house you can control from the internet or your smartphone? They might be called smart homes, but some of them have some very dumb vulnerabilities. In fact, some of the houses made smart by a company called Insteon were insecure enough that a Forbes reporter could hack them from the comfort of her living room.

Thanks to a glaring Insteon vulnerability, Forbes reporter Kashmir Hill was able to access the houses of complete strangers. From San Francisco, she turned the lights of complete strangers’ houses in Oregon and Connecticut on and off, identified their homes’ physical locations, and could have done much worse:

Googling a very simple phrase led me to a list of “smart homes” that had done something rather stupid. The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search engines — meaning they show up in search results — and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion.

Hill said she could find lots of sensitive information from eight different houses, including but not limited to IP address, children’s names, and even real-world locations. Yes, many systems are protected by password and username, but there’s no authentication beyond that.

In this case, Forbes is talking specifically about Insteon, which is (hopefully) unique in the depth and breadth of its vulnerability. But if the connected home is going to be less of a trend and more of the norm, the companies that handle these systems need to take a cue and lock things down. It’s an alarming report, and you should head over to Forbes to read it in full. [Forbes]

Picture: Shutterstock/Konstantin L

