Hacking Smart Homes


Kashmir Hill, a reporter for Forbes, found out just how easy it is to hack a smart home. By “Googling a very simple phrase,” Hill was presented with a list of homes with automation systems from a well-known company. “[The] systems had been made crawl-able by search engines,” says Hill, and because the now discontinued systems didn’t require users to have a username or password the search engine results, once clicked, allowed her full control of the system. Hill contacted two of the homes she found online and, once she had asked for permission, demonstrated her ability to switch on and off lights in the homes. Hill also had the ability to control a range of other devices in the homes. This is just one example of the potential security issues surrounding home automation systems.

Home automation, the automation of things like lighting, heating, door and window locks, and security cameras  is a relatively new, but rapidly growing market currently worth US$1.5 billion in the US alone. But as with any new technology, there will inevitably be potential security risks.

Security researchers will give two separate presentations at the Black Hat 2013 security conference on security vulnerabilities in home automation systems. One of the presentations will discuss a vulnerability in a proprietary wireless protocol, Z-wave, that is used in a range of embedded devices such as home automation control panels, security sensors, and home alarm systems. The flaw allows for the encrypted communication of a Z-wave device to be intercepted and used to disable other Z-wave devices. A second talk, ‘Home Invasion 2.0,’ will present vulnerabilities discovered after several popular home automation systems were looked at. “We looked over somewhere in the range of 10 products and only found one or two that we couldn’t manage to break. Most didn’t have any security controls at all,” said Daniel Crowley of SpiderLabs. Many of the devices allow the user to download an app for their phone that allows them to control the automated system remotely. The researchers found that many systems used no authentication when communicating between the mobile device and the home system, creating opportunities for a malicious actor to take control.

Approximately three percent of homes in the US currently have home automation systems installed, but that number is set to grow, with some analysts projecting an increase that will see it reach double digits in the next few years.

In the rush to adopt new and exciting technology, keeping that technology secure may sometimes be placed low on the list of priorities. Hopefully, the vulnerabilities uncovered by this and other research will help highlight the importance of good security.

Pwned again: An exclusive look at Pwnie Express’ newest hack-in-a-box

Ready to quietly mug your network: the Pwn Plug R2.
Pwnie Express

Tomorrow at the Black Hat security conference in Las Vegas, the Pwnie Express will officially unleash Pwn Plug R2, the next generation in its arsenal of penetration testing and hacking hardware. Ars got an exclusive rundown in advance on the device from Dave Porcello, founder and CEO of Pwnie Express.

The new Pwn Plug looks less like a DC power supply plug—the form factor of its predecessor—and more like a small Wi-Fi access point or router. But inside, it's really a Linux-powered NSA-in-a-box, providing white hat hackers and corporate network security professionals a "drop box" system that can be remotely controlled over a covert Internet channel or a cellular data connection.

"Some people will use these for physical penetration tests," Porcello said. "They can go into a bank branch or a retail store, or even a corp office, and pretend to be a telecom technician or someone from the power company or whatever and drop it under someone's desk, or in a wiring closet, or behind a printer." And for other applications, such as corporate security auditing, Porcello said, "it's just as useful to send to remote sites without having to travel—a corporate security manager can just ship a box out to a retail store and have a store manager or branch manager just plug it in."

Read 15 remaining paragraphs | Comments


Yet Another Bunch of Malicious Apps Found on Google Play


In a recent blog entry we covered how scammers continue to publish malicious apps on Google Play and how the Android app market is struggling to keep itself clean.

In many cases it is difficult to quickly identify any malicious intent of applications and in-depth analysis is often required to be truly safe—a challenge for Google Play’s publishing process to prevent malicious apps from slipping through.

Symantec Security Response has discovered 14 applications, all published by the same developer, that allow the developer to create connections to any website of their choosing. The malicious component runs in the background as an Android service and communicates to a number of command-and-control servers that wait for developer instructions on how to build HTTP requests. The remote-control component accepts a broad number of options and may be well suited to generate revenue through abuse of pay-per-click services.

The following applications published on Google Play contain this malicious component:

  • com.cyworld.ncamera
  • com.kth.thbdvyPuddingCamera
  • com.tni.pgdnaaeTasKillerFull
  • com.greencod.wqbadtraffic
  • com.teamlava.nbsbubble
  • com.bestappshouse.vpiperoll2ages
  • com.ledong.hamusicbox
  • com.ktls.wlxscandandclear
  • maxstrom.game.hvihnletfindbeautyhd
  • org.woodroid.muhflbalarmlady
  • com.lxsj.rbaqiirdiylock
  • com.neaststudios.wnkvprocapture
  • com.gamempire.cqtetris

These infected applications are mostly in popular categories like games and accessories, such as a camera app for instance.

Symantec detects these apps as Android.Malapp and notified Google of their presence. The apps have been removed by Google. We recommend installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on your device. For general safety tips for smartphones and tablets, please visit our Mobile Security website.

Introducing App Reputation for Android Apps

McAfee has always been in the forefront of finding new ways to secure our customers against threats and risks posed by mobile devices. As part of this quest, we have introduced the concept of app reputation as part of our latest release of McAfee Mobile Security (MMS Version 3.1) released on 18th July 2013. From a consumer perspective, we have empowered our twin features of security and privacy by app reputations in this release.

What is app reputation?

We assign a rating to an android app based on two vectors of trust (security) and privacy (data exposure). As part of trust (security), we measure the amount of trust that could be attached to an app based on security considerations. Privacy (data exposure) reputation measures the propensity of an app to access/share and expose personal data. These reputations are based on the results of an automated analysis and are impacted by multiple factors including age, prevalence, source, etc.

How is Trust (Security) reputation different than Privacy (Data Exposure) reputation?

While the concept of security is the same for all users, risk to an individual’s privacy is appreciated differently in different cultures. Furthermore, unlike safety and security, which are intuitive to most of us, the concept of privacy is a trained behavior leading to different responses to privacy risks based on an individual’s context. At McAfee, we appreciate this and it reflects in our design. Hence the goal of privacy reputation is to provide information and avoid taking a uniform decision for all users, unlike what we do in trust reputation.

As the following screenshot indicates, we provide the data exposure score range, category score range, our observations about the app, and information related to ad libraries.

App Reputation

What are Notable apps?

Notable apps are those behaving outside of their category’s normal behavior. We understand that some categories of apps have a need to access more personal information than others. For example, a social media or a communication app would have a better case for accessing personal data than a calculator (productivity) app. So if a calculator apps tries to access personal data normally not accessed by other apps in its category, it may be classified as a notable app.

This is the first blog in a series of posts on app reputation.