Month: May 2018

Millions of IoT Devices Vulnerable to Z-Wave Downgrade Attacks, Researchers Claim

The popular home automation protocol Z-Wave, used by millions of IoT devices, is vulnerable to a downgrade attack that could allow an adversary to take control of targeted devices, according to researchers.

Z-Wave is a wireless protocol used by 2,400 vendors; its wireless chipsets are embedded in an estimated 100 million smart devices ranging from door locks, lighting, heating systems and home alarms, according to Pen Test Partners, who released a report on the vulnerability on Wednesday.

According to researchers, today’s Z-Wave systems are configured to support a “strong” S2 Z-Wave pairing security process. However, a proof-of-concept (PoC) attack demonstrates how a hacker could downgrade the higher S2 standard to a weaker S0 pairing standard, which allows an adversary to steal an encryption key and expose a device to compromise.

The PoC attack involved a hacker within RF range at the time a controller pairs with the IoT device.

“Z-Wave uses a shared network key to secure traffic. This key is exchanged between the controller and the client devices (‘nodes’) when the devices are paired. The keys are used to protect the communications and prevent attackers exploiting joined devices,” researchers explained.

A nearly identical pairing issue was identified by researchers at SensePost in 2013 (PDF), prompting Z-Wave owner Silicon Labs to develop the new pairing process S2. The problem with the old mechanism was “the network key was transmitted between the nodes using a key of all zeroes, and could be sniffed by an attacker within RF range,” researchers said.

But since the introduction of S2, a similar attack scenario has been devised by Pen Test Partners. “We have shown that the improved, more secure pairing process (‘S2’) can be downgraded back to S0, negating all improvements,” researchers said.

Researchers noted that when a Z-Wave device is using the weaker S0 security (and not the S2 flavor), the S2 controller will notify the user when S0 security is being used, after the fact. “We feel this will be ignored or overlooked,” researchers said.

On Wednesday, Silicon Labs posted a blog addressing the Pen Test Partners research, stating the PoC took advantage of a backwards-compatibility feature that allowed S2 devices to work on S0 networks. It also stated emphatically that this is not a vulnerability.

“It was a conscious choice of the Z-Wave Alliance to discount this non-vulnerability in order to offer partners and customers backwards compatibility so that they didn’t need to replace their gear,” said Lars Lydersen, senior director of product security at Silicon Labs, in an interview with Threatpost.

Lydersen said an attack is extremely improbable given the requirements: specialized equipment, proximity to the RF network, forcing a controller reset and hijacking the pairing session within the 20-millisecond window in which it is vulnerable to attack.

“The smart home controller or gateway will always notify the user if S2 is reverted to S0 during the installation process,” the post states.

How The Attacks Work

The attack exploits the fact that devices supporting the stronger S2 pairing advertise that support through a “command class” identifier in the node information they send to the controller during pairing.

“The node info command is entirely unencrypted and unauthenticated. This leads to us being able to spoof it, removing the COMMAND_CLASS_SECURITY_2 command class. The controller then assumes that the device does not support S2, and pairs using S0 security. The attacker can now intercept the key exchange, obtain the network key and then command the device,” researchers described.

In one attack scenario against a Yale Conexis L1 smart lock, researchers were able to use a controller and downgrade the device to the S0 pairing security. The PoC attack then allowed researchers to lock and unlock the device at will.

Another attack scenario involves triggering an IoT device to send pairing data by replacing a battery, making it possible for an adversary “to sniff, modify and then send the data on.”

“The third method involves active jamming using an RFCat,” researchers wrote. RFCat is a USB radio dongle capable of transmitting, receiving and snooping radio frequencies. “An attacker can continuously listen for the node info from the genuine node. As soon as the home ID has been obtained, they can actively jam the rest of the packet, preventing the node info from being received.”

Pen Test Partners say the issue is a standards and implementation concern, and are critical of what they say is Silicon Labs’ lethargic response to securing its platform. “We’re not particularly happy that the Z-Wave Alliance appears to have been aware of the downgrade attack, but hasn’t really addressed it,” researchers wrote.

Despite the fact that Silicon Labs doesn’t consider the pairing issue a vulnerability, the company said it plans on taking steps to further ensure its customers make informed decisions when downgrading. Johan Pedersen, product marketing manager, Z-Wave IoT, said it would soon change the way it notified customers that their device was going to be downgraded to the S0 pairing method. “Instead of notifying customers that the pairing was going to take place after the fact, we will be notifying them of the pairing beforehand,” he said.
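The defensive counterpart to the attack described above, as an added example that is not the Pen Test Partners PoC nor Silicon Labs code: a controller-side pairing policy that parses the (unauthenticated) node information, pairs with S2 when it is advertised, asks the user before falling back to S0 rather than after, and refuses outright when product data says the model should have S2 and the frame claims otherwise. The NIF byte layout and the sample frames are constructed for the example; the command class identifiers are the standard published values.

```python
# Added example (not the Pen Test Partners PoC nor Silicon Labs code): a
# controller-side pairing policy that inspects the Node Information Frame.
from dataclasses import dataclass
from enum import Enum

# Standard Z-Wave command class identifiers (public command class list).
COMMAND_CLASS_SECURITY = 0x98    # S0 framework
COMMAND_CLASS_SECURITY_2 = 0x9F  # S2 framework
COMMAND_CLASS_DOOR_LOCK = 0x62

class Decision(Enum):
    PAIR_S2 = "pair using S2"
    CONFIRM_S0 = "S0 only: ask the user before pairing, not after"
    REJECT = "reject: possible downgrade or no security class"

@dataclass(frozen=True)
class NodeInfo:
    home_id: int
    node_id: int
    command_classes: frozenset

def parse_nif(frame: bytes) -> NodeInfo:
    """Simplified NIF layout (assumed for this example, not the exact
    over-the-air framing): 4-byte home ID, 1-byte node ID, three
    device-class bytes, then the supported command class list."""
    if len(frame) < 9:
        raise ValueError("NIF too short to carry a command class list")
    return NodeInfo(int.from_bytes(frame[:4], "big"), frame[4],
                    frozenset(frame[8:]))

def pairing_decision(nif: NodeInfo, expected_s2: bool = False) -> Decision:
    """expected_s2: product data says this model ships with S2, so an
    S0-only NIF is exactly the downgrade the report describes."""
    if COMMAND_CLASS_SECURITY_2 in nif.command_classes:
        return Decision.PAIR_S2
    if COMMAND_CLASS_SECURITY in nif.command_classes and not expected_s2:
        return Decision.CONFIRM_S0
    return Decision.REJECT

# Constructed frames: a genuine S2-capable lock, and the same NIF as the
# controller sees it once SECURITY_2 has been stripped from the list.
GENUINE_NIF = bytes([0xC1, 0x23, 0x45, 0x67, 0x05, 0x04, 0x40, 0x03,
                     COMMAND_CLASS_SECURITY, COMMAND_CLASS_SECURITY_2,
                     COMMAND_CLASS_DOOR_LOCK])
DOWNGRADED_NIF = GENUINE_NIF[:8] + bytes(
    b for b in GENUINE_NIF[8:] if b != COMMAND_CLASS_SECURITY_2)
```

Because the node info itself cannot be authenticated, the policy can only make the fallback visible or refuse it; the `expected_s2` flag is where a controller's product database would feed in.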

Pet Trackers Open to MITM Attacks, Interception

Family pets are near and dear to us, so smart collars and other devices for animals that track their locations are becoming popular; a world without the need for lost-pet flyers is after all a wonderful thing. The problem, according to researchers, is that these devices can leak sensitive information, like phone numbers, the pet’s location or home network details.

After examining several well-reviewed models, including Kippy Vita, the Nuzzle Pet Activity and GPS Tracker and the Whistle 3 GPS Pet Tracker & Activity Monitor, testers at Kaspersky Lab found several issues that should be of concern for Rover’s owners.

Bluetooth Blues

One common problem found in some of the trackers examined comes down to the use of Bluetooth Low Energy (BLE), which is custom-made for low-power IoT sensor applications. BLE essentially connects the pet-trackers to the owner’s smartphone, but unlike the full implementation of the Bluetooth spec, BLE doesn’t require authentication in order to pair devices.

“Authentication depends entirely on the developers of the device, and experience shows that it is often neglected,” researchers Roman Unuchek and Roland Sako said in a posting outlining their research this week.

For instance, the Nuzzle device uses a SIM card to transmit the pet’s GPS coordinates, directly connecting to a smartphone via BLE – without any authorization or access control. That means that any smartphone can connect to the tracker to control it, access the pet’s location and read device status information like temperature and battery charge (CVE-2018-7043).

The Whistle 3 meanwhile has BLE connection problems too. The gadget can transfer GPS coordinates via its built-in SIM card, via WiFi to its server (if the owner provides a WiFi network password) or directly to the owner’s smartphone via BLE. On the latter point, the device waits for a certain sequence of actions to be performed before it pairs with a phone, but the sequence is simple for a third party to deduce and reproduce, thus gaining access to the device.

After that, the tracker is ready to receive and execute commands that do not contain a user ID, which means that anyone can send them; a hacker could, for instance, ask for device coordinates.

An exception on the BLE front was the Link AKC tracker. While it monitors the pet’s location via GPS and transfers coordinates either via a built-in SIM card or to a phone directly via BLE, it makes use of a user ID to verify the rights of the mobile app to interface with the tracker. The tracker also checks the smartphone’s MAC address as another layer of user confirmation.

“The developers did everything right in terms of securing the connection to the smartphone,” the researchers said. “We couldn’t find any major problems, which is rare for devices with BLE support.”

Also, the Kippy Vita device does not interface directly with the smartphone at all, so the BLE issue was not in question, and, uniquely, it uses SSL pinning. Neither Tractive nor the Weenect WE301 communicate directly with a smartphone either, but rather transfer pet coordinates to the server via a built-in SIM card. This helps the devices’ security postures immensely.

MITM Issues

Beyond the BLE pitfall, some of the trackers have shared flaws stemming from certificate handling and data-transfer mechanisms. Just one of the tested Android apps (the Weenect WE301) verifies the certificate of its server, making the rest vulnerable to man-in-the-middle (MITM) attacks.

On top of not verifying certificates, many of the apps (including Nuzzle, Link AKC and the Whistle 3) either store unencrypted data or write the unencrypted data to logcat files. That data can include the app’s authorization token, the pet’s location and user registration data (including name and email address). Thus, a hacker mounting a MITM offensive can intercept the data transfers or peer into files.

Kippy Vita’s Android app meanwhile encrypts important data before saving it to its own folder, but it does log the data that is transmitted to the server.

Two of the devices studied managed to avoid being assigned CVEs: Tractive and the Weenect WE301. However, here too, the Android apps don’t verify the server certificate and they store authentication tokens and pet movement data in unencrypted form.

The logging problem is somewhat mitigated given that in Android 4.1 and newer versions, only some system apps or apps with superuser rights can read the logs of other programs.

“It should be noted that this data is not so easy to steal, since other apps cannot read it,” the researchers said. “But there are trojans that can steal data from other apps by exploiting superuser rights.”

Other Problems

Two of the trackers can be disabled or hidden from owners.

For instance, it’s possible to install modified software on the Nuzzle tracker by simply changing the checksum in the DAT file – this can be used to cause the device to stop working. And perhaps worst of all, an attacker can conceal the location of the pet simply by connecting to the tracker using a smartphone.

“To save battery power, the gadget does not transmit coordinates via the mobile network if they have already been sent via BLE,” Unuchek and Sako said.

An attacker can also hide the Whistle 3 from the pet owner; if a hacker continuously transmits a command for the device location, the gadget will not send location data via the SIM card, since it will assume that such data has already been received directly. Also, it transmits data to the server without any authentication, so an attacker could substitute alternate pet coordinates.
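The two tracker-side fixes the article points at, as one added example that is not any vendor's firmware: the BLE command path checks a user ID and the enrolled phone's MAC before answering (the Link AKC pattern, with the caveat that a MAC is only a weak second check), the "already sent via BLE" battery rule only counts deliveries to that authenticated phone so an unauthenticated query can no longer hide the pet, and server uploads carry a keyed HMAC so substituted coordinates are rejected. The user ID, phone MAC, device key and fix values are constructed for the example.

```python
# Added example (not any tracker vendor's firmware): BLE commands are executed
# only for the enrolled owner, the battery-saving "already sent via BLE" rule
# only counts deliveries to that authenticated phone, and uploads carry an
# HMAC under a per-device key so the server can spot substituted fixes.
import hashlib
import hmac
import json
from dataclasses import dataclass, field

@dataclass
class Tracker:
    owner_user_id: str     # issued by the vendor app at enrolment (assumed)
    owner_phone_mac: str   # second check only; a MAC can be spoofed
    device_key: bytes      # per-device secret shared with the server (assumed)
    last_fix: tuple = (0.0, 0.0)
    delivered_to_owner: bool = False
    uploads: list = field(default_factory=list)

    def handle_ble_command(self, sender_mac: str, user_id: str, command: str):
        """Return the fix only to the owner; anyone else gets None and does
        NOT mark the fix as delivered (so the pet cannot be hidden this way)."""
        authed = (hmac.compare_digest(user_id.encode(), self.owner_user_id.encode())
                  and sender_mac.upper() == self.owner_phone_mac.upper())
        if not authed or command != "get_location":
            return None
        self.delivered_to_owner = True
        return self.last_fix

    def periodic_upload(self):
        """Skip the cellular upload only when the owner's phone already has
        the fix; otherwise send an HMAC-tagged report to the server."""
        if self.delivered_to_owner:
            self.delivered_to_owner = False
            return None
        msg = json.dumps({"lat": self.last_fix[0], "lon": self.last_fix[1]},
                         sort_keys=True).encode()
        tag = hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()
        self.uploads.append((msg, tag))
        return msg, tag

def server_accepts(device_key: bytes, msg: bytes, tag: str) -> bool:
    """Server side: reject reports whose tag does not match the device key."""
    expected = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```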

Connected things are burrowing further and further into our everyday lives, with everything from thermostats to Amazon Echo to washer/dryer sets and beyond now offering convenience and safety apps for consumers to make their lives easier – and more hackable. The pet-tracker class of connected gadgets adds one more layer of vulnerability to the proceedings, but calling attention to the flaws could be a wake-up call to the manufacturers.

(Image courtesy of Link AKC)

The Apple Store in Atlantic City, New Jersey is closing its doors

It is very rare to see Apple announcing the closing of one of its stores, but it seems that the company is doing just that.

The Apple Store in Atlantic City, NJ., USA will be shutting its doors for good.

In a statement, an Apple spokesperson told Bloomberg that the closure was due to a "sharp decline in tourism." "We have made the difficult decision not to extend our lease," said the spokesperson.

Apple says that all of the store's employees will be offered other jobs within Apple. "We look forward to serving our Greater Atlantic City customers through our southern New Jersey, Delaware Valley, and Greater Philadelphia area stores," read Apple's statement.

The last store that Apple closed was located in Simi Valley, California, which Apple shut down in September 2017 due to low sales and issues with customer traffic.

Woman says her Amazon Echo recorded her conversation and then sent it to one of her contacts

[KIRO Channel 7]: A Portland family contacted Amazon to investigate after they say a private conversation in their home was recorded by Amazon's Alexa -- the voice-controlled smart speaker -- and that the recorded audio was sent to the phone of a random person in Seattle, who was in the family’s contact list.

"My husband and I would joke and say I'd bet these devices are listening to what we're saying," said Danielle, who did not want us to use her last name.

Every room in her family home was wired with the Amazon devices to control her home's heat, lights and security system.

But Danielle said two weeks ago their love for Alexa changed with an alarming phone call. "The person on the other line said, 'unplug your Alexa devices right now,'" she said. "'You're being hacked.'"

That person was one of her husband's employees, calling from Seattle.

To read the rest of the story, including video and a response from Amazon, click here.

