Home

now browsing by tag

 
 

A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices

So-called “smart” locks and alarms are proliferating across people’s homes, even though hackers have shown various weaknesses in their designs that contradict their claims to being secure.

Now benevolent hackers in the U.K. have shown just how quick and easy it is to pop open a door with an attack on one of those keyless connected locks. And, what’s more, the five-year-old flaw lies in software that’s been shipped to more than 100 million devices that are supposed to make the home smarter and more secure. Doorbells, bulbs and house alarms are amongst the myriad products from 2,400 different vendors shipping products with the flawed code. Tens of millions of smart home devices are now vulnerable to hacks that could lead to break-ins or a digital haunting, the researchers warned.

For their exploits, the researchers – Ken Munro and Andrew Tierney from Pen Test Partners – focused on the Conexis L1 Smart Door Lock, the $360 flagship product of British company Yale. As relayed to Forbes ahead of the researchers’ report, Munro and Tierney found a vulnerability in an underlying standard used by the device to handle communications between the lock and the paired device that controls the system. The flaw meant the communications could be intercepted and manipulated to make it easy for someone in the local area to steal keys and unlock the door.

The problematic standard was the Z-Wave S2. It provides a way for smart home equipment to communicate wirelessly and is an update from an old protocol, Z-Wave S0, that was vulnerable to exploits that could quickly grab those crucial keys. Indeed, they were “trivial” to decrypt, according to Pen Test Partners’ research.

Z-Wave S2 is more secure than S0. It comes with a method for sharing keys known as the Diffie-Helmann exchange; it’s a highly-regarded, tested method for ensuring that the devices shifting keys between one another are legitimate and trusted. But whilst the Yale device, purchased by Munro and Tierney just a couple of weeks ago and kept up to date, used that S2 protocol, the researchers found it was possible to quickly downgrade the device to the older, much less secure key-sharing mechanism.

During the period when a user paired their controller (such as a smartphone or smart home hub) with the device, Munro and Tierney could ensure the less-secure S0 method was used. From there, they could crack the keys and get permanent access to the Yale lock and therefore whatever building it was protecting, all without the real user’s knowledge. They believe they could carry out their attack, dubbed Z-Shave, from up to 100 meters away.

“It’s not difficult to exploit,” Munro said. “Software Defined Radio tools and a free software Z-Wave controller are all that’s needed.” In 2016, hackers created a free program designed to exploit Z-Wave devices called EZ-Wave.

Yale owner ASSA ABLOY said it understood the Z-Wave Alliance was conducting an investigation into the matter and was in close contact. ASSA ABLOY will also be conducting its own investigation, a spokesperson said, adding that it was “constantly updating and reviewing products in line with the latest technologies, standards and threats.”

No updates?

Munro told Forbes it should be possible to update many Z-Wave-based devices with a wireless update of both the app and the device. “However, it’s an issue with the Z-Wave standard, so would require a massive change by the Alliance, then an update pushed to all devices that support S2, which would likely stop them working with S0 controllers. And there are hardly any S2 controllers on the market. None in the U.K.,” he added.

Silicon Labs (SiLabs), the $4.5 billion market cap firm that owns the Z-Wave tech, admitted “a known device pairing vulnerability” existed. But it didn’t specify any upcoming updates and downplayed the severity of the attack, adding “there have been no known real-world exploits to report.”

The company referred Forbes to the first description of the S0 decryption attack, revealed way back in 2013 by SensePost, which determined the hack wasn’t “interesting” because it was limited to the timeframe of the pairing process. As a result, SiLabs said it didn’t see the S0 device pairing issue “as a serious threat in the real world” as “there is an extremely small window in which anyone could exploit the issue” during the pairing process, adding that a warning will come up if a downgrade attack happens. “S2 is the best-in-class standard for security in the smart home today, with no known vulnerabilities,” the spokesperson added, before pointing to a blog released by SiLabs Wednesday.

Munro said it would be possible to set up an automated attack that would make it more reliable. “It should be easy to set up an automated listener waiting for the pairing, then automatically grab the key,” he said.

The company said the problem existed because of a need to provide backwards compatibility, as a spokesperson explained: “The feature of S2 in question – device pairing – requires both devices have S2 to work at that level. But of course the adoption of this framework across the entire ecosystem doesn’t happen overnight. In the meantime, we do provide the end user with a warning from the controller or hub if an S0 device is on the network or if the network link has degraded to S0.”

Munro was flabbergasted at the vendor’s overall response. “After attempting responsible disclosure and getting little meaningful response, on full disclosure Z-Wave finally acknowledge that it’s been a known issue for the last few years. Internet of Things (IoT) devices are at their most vulnerable during initial set-up. S2 Security does little to solve that problem.”

advertisement:

The post A #Basic Z-Wave #Hack #Exposes Up To 100 #Million Smart #Home #Devices appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Helping #insureds reach #corporate levels of #cyber security’ at #home

Source: National Cyber Security News

Cyber security has become a top of mind issue for commercial organizations across the world. Most big corporations have strong disciplines and risk management procedures in place to ensure cyber resilience is tight. Unfortunately, the same cannot be said for a typical home network.

Poor cyber hygiene at home is the gateway that enables cyber criminals to get personal. An open home Wi-Fi connection versus a password protected system could make all the difference if a bad actor attempts to hack a personal bank account or bitcoin wallet.

High net worth (HNW) individuals with deep pockets are particularly at risk of personal cyberattacks. Member-owned PURE Insurance, which serves HNW clients, has developed an innovative cyber fraud offering to protect PURE members from falling prey to cybercrime.

PURE Starling, available as an add-on to homeowners’ insurance, provides broad coverage for fraud and cybercrime, including financial loss resulting from online and offline fraud, and services to help assess and respond to cyber extortion threats, remove malware and reinstall software after an attack.

“The issue of cyber insurance was born out of feedback from our PURE members, who were starting to express concerns about data security and the privacy of their personal information,” explained Martin Hartley, chief operating officer, PURE.

Read More….

advertisement:

View full post on National Cyber Security Ventures

Is our #smart home #growing more #vulnerable to #hacks?

Source: National Cyber Security – Produced By Gregory Evans

As more of our cameras, speakers, thermostats and locks connect online, they’re increasingly open to meeting up with hackers.

Hackers have come up with new ways to break into your data — sending attacks through our appliances, locks, blinds and anything that connects to the internet. These are part of the so-called Internet of Things (IoT), and hacking attacks sent through these devices “became the preferred weapon of choice,” for starting denial of service attacks last year, says a new report from Arbor Networks, a security software company.

Read More….

The post Is our #smart home #growing more #vulnerable to #hacks? appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Hackers Obtained #Access to #NSA Employee’s Home #Computer, #Kaspersky Lab Reveals

Source: National Cyber Security – Produced By Gregory Evans

Kaspersky Lab has updated its investigation on the hacking of a home computer used by an NSA employee.

MOSCOW (Sputnik) — Kaspersky IT security company has announced that access to information on the home computer of the employee of the US National Security Agency (NSA) could have been obtained by an unknown number of hackers.

According to the Kaspersky Lab probe that is linked to media reports about the company’s software allegedly having been used to search and download classified information from the home computer of a NSA employee, the user’s computer was infected with Mokes backdoor, a malware that allows the hackers to obtain access to a device.

“The malware… was a full blown backdoor which may have allowed third parties access to the user’s machine,” the Kaspersky Lab has stated.

However, it is possible that Mokes was not the only malware that infected the computer in question, the company said, adding that while Kaspersky software on the computer was enabled, it reported 121 alarms on different types of malware.

“The interesting thing about this malware is that it was available for purchase on Russian underground forums in 2011. Also noteworthy is that the command-and-control servers of this malware were registered to a (presumably) Chinese entity going by the name ‘Zhou Lou’ during the period of September to November 2014,” the statement explained.

Allegations Against Kaspersky Lab

The internal investigation by Kaspersky Lab was launched after The Wall Street Journal reported in October that a group of hackers allegedly working for the Russian officials had stolen classified data through the National Security Agency (NSA) contractor, which used antivirus software made by the Russian software producer.

Shortly later, the New York Times reported that Israeli intelligence services have hacked into the network of Kaspersky, and warned their US colleagues that the Russian government was allegedly using Kaspersky software to gain access to computers around the world, including in several US government agencies.

Both reports came a month after the US Department of Homeland Security ordered state agencies and departments to stop using Kaspersky Lab software within the next 90  days, with the company’s CEO Eugene Kaspersky refuting all the allegations spread by the media regarding the Russian cybersecurity company’s involvement in spying on US users through its products and calling such claims groundless and paranoiac.

When commenting on the situation in an interview to Die Zeit newspaper, Eugene Kaspersky has, “There is a feeling that we just had been doing our job better than others, that we had been protecting our clients better than others … Probably, someone in the United States is very unhappy about it.”

Most recently, Wikileaks has revealed that the CIA had written a code to “impersonate” Russia-based Kaspersky Lab, which had been used at least three times.

READ MORE: WikiLeaks: CIA Wrote Code to ‘Impersonate’ Russia-Based Kaspersky Lab

Kaspersky Lab is one of the largest private cybersecurity companies in the world, with its technologies protecting over 400 million users and 270,000 corporate clients.

The post Hackers Obtained #Access to #NSA Employee’s Home #Computer, #Kaspersky Lab Reveals appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Email hacking fraud hits home renovators: ‘I paid £10,800 to a bogus builder’

Source: National Cyber Security – Produced By Gregory Evans

First came “solicitor fraud”, where conmen intercepted emails between property buyers and conveyancers and diverted huge sums to the wrong accounts. Now this form of life-destroying crime has widened out to embrace other, big-ticket transactions, including home renovations and building work. The mechanism is the same: fraudsters impersonate one or…

The post Email hacking fraud hits home renovators: ‘I paid £10,800 to a bogus builder’ appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Steps to protect home computer, laptop from new ransomware threat

Source: National Cyber Security – Produced By Gregory Evans

A new, inconvenient and potentially costly ransomware threat is a good reminder of the security steps consumers can take to protect home computers and laptops. The Petya ransomware is affecting companies and government systems worldwide. As computer security experts work to ascertain the particulars of Petya, simple measures can help…

The post Steps to protect home computer, laptop from new ransomware threat appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Men Found Snooping At Westport Home Busted On ID Theft Charges

Source: National Cyber Security – Produced By Gregory Evans

Men Found Snooping At Westport Home Busted On ID Theft Charges

A complaint from a Westport resident that a suspicious man was looking in his windows led to the arrest of two Bridgeport men on charges of identity theft and fraudulently purchasing cellphones, police said. The case began at about 4:05 p.m. Tuesday with a complaint about the suspicious person from…

The post Men Found Snooping At Westport Home Busted On ID Theft Charges appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Man pleads guilty to federal charges of having child porn at his Boise home

To Purchase This Product/Services, Go To The Store Link Above Or Go To http://www.become007.com/store/ Nickolas James Parnell, 27, lived in Boise when computers and DVDs with thousands of child pornography images were seized from his residence on two occasions in the past year, but he …

The post Man pleads guilty to federal charges of having child porn at his Boise home appeared first on Become007.com.

View full post on Become007.com

Personal home computers, laptops are just as prone to get hacked by ransomware

Source: National Cyber Security – Produced By Gregory Evans

Personal home computers, laptops are just as prone to get hacked by ransomware

Just because the recent cyber attack is focusing on big corporations, tech companies say your home computer is just as prone to these attacks. “Without calling dooms day, this is the one that’s does make a large-scale impact,” Timothy Harris with Modern Technology in Cape Girardeau, Missouri said. Harris is talking about WannaCry Ransomware. It is the most recent hacking-attack …

The post Personal home computers, laptops are just as prone to get hacked by ransomware appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Beware of hackers when using spy cameras at home, Hong Kong’s consumer watchdog warns

Source: National Cyber Security – Produced By Gregory Evans Hong Kong’s consumer watchdog has warned about the dangers of home surveillance cameras if users fail to take basic security steps to protect their privacy. The cameras have become popular in recent years with consumers looking to keep an eye … The post Beware of hackers […]

The post Beware of hackers when using spy cameras at home, Hong Kong’s consumer watchdog warns appeared first on AmIHackerProof.com.

View full post on AmIHackerProof.com | Can You Be Hacked?