When Your “Smart Home” Gets Hacked

smart home

Via Forbes, Kashmir Hill reveals that the “demonic house” horror archetype may soon be coming true:

“I can see all of the devices in your home and I think I can control them,” I said to Thomas Hatley, a stranger in Oregon who I had rudely awoken with an early morning phone call.

He and his wife were still in bed. Expressing surprise, he asked me to try to turn the master bedroom lights on and off. Sitting in my living room in San Francisco, I flipped the light switch with a click, and resisted the Poltergeist-like temptation to turn the television on as well.

Googling a very simple phrase led me to a list of “smart homes” that had done something rather stupid. The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices, so that their owners can turn these things on and off with a smartphone app or via the Web. Their systems had been made crawl-able by search engines – meaning they show up in search results — and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people’s homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion.

Thomas Hatley’s home was one of eight that I was able to access. Sensitive information was revealed — IP addresses and even the name of a child; apparently, the parents wanted the ability to pull the plug on his television from afar. In at least three cases, there was enough information to link the homes on the Internet to their locations in the real world.

Trustwave’s Crowley and his colleague found security flaws that would allow a digital intruder to take control of a number of sensitive devices beyond the Insteon systems, from the Belkin WeMo Switch to the Satis Smart Toilet. Yes, they found that a toilet was hackable. You only have to have the Android app for the $5,000 toilet on your phone and be close enough to the toilet to communicate with it.

Another problem with some of the devices, such as the Mi Casa Verde MIOS VeraLite, is that once they’re connected to a Wi-Fi network, they assume that anyone using that network is an authorized user. So if you can manage to get on someone’s Wi-Fi network – which is easy if they have no password on it – you could take control of their home.

, , , , , , ,

  • Tchoutoye

    Smart devices, for dumb users.

  • Anarchy Pony

    Incidentally, is anyone else hyped for Watch Dogs?

  • bsackamano

    Yeah it’s coming, the scary master planned world of those “smart” IBM commercials. I think the workers “paradise” lasted about a month. Some day we’ll be like those Russian Gulag inmates that Solzhenitsyn describes as being remorseful about waiting until it was too late. At least if we can rob and steal and sellout our community enough we will be able to buy our way out of it, if you are of the correct race and attitude that is.

  • jasonpaulhayes

    For the first time since I’ve had a smart phone, I got a popup yesterday. It tried to get me… sneaky bastards, said something about a game for $99 and I immediately closed the browser and cleared the memory. Hope it worked but I guess I’ll find out on the next billing cycle. Smart Home, Smart Phone, Smart Car?