Two security researchers announced on Tuesday that they were able to hack into a popular smart home security device after discovering a series of flaws that would allow a tech-savvy intruder to unlock a front door. The researchers revealed their findings only after the security flaws had been fixed, but the company has reportedly since discontinued the device in favor of a newer product.
Security researchers Chase Dardaman and Jason Wheeler say that they have discovered a series of flaws in a popular smart home hub that could allow an intruder to open a front door, according to a recent report by TechCrunch.
In new research published on Tuesday, Dardaman and Wheeler reveal that they have found three security flaws that can be chained together and used to unlock a front door. The security researchers reportedly began looking into one of the Zipato smart hubs months ago, but only released their findings after the flaws had been fixed.
“When we first got our hands on the smart lock and hub we thought of attacking it in three different senarios[sic],” said the security researchers. “First, could we unlock the door remotely without having access to anything beforehand. Second, if we were an apartment resident with this solution could we take data off the device in order to unlock all the other residents’ front doors.”
“Lastly, could we find a vulnerability or misconfiguration that would allow an attacker to unlock the door on the same network,” added Dardaman and Wheeler. “During our research we were able to prove that two of these methods of attack were viable and if we had more time might have proven all three to be feasable[sic].”
The report added that security experts have warned that adding an Internet connection to a security device makes it less secure than traditional devices, and cited one security expert, Lesley Carhart, who wrote about her security concerns after her apartment building switched to smart locks.
As for Dardaman and Wheeler, they found that in any apartment complex with one main account registered for all the apartments in the building, a hacker could “open any door” using the same “password hash.” The hash is a scrambled form of the password, and on this hub it can be presented in place of the password itself, so an attacker does not need to know the password to “trick” a device into thinking the hacker is the homeowner.
Dardaman and Wheeler were able to discover that the smart hub uses a “pass-the-hash” system after extracting the hub’s private SSH key for the user account with the highest level of access. This meant that anyone with access to the private key would be able to access a device without needing a password.
“All an attacker had to do was send a command to tell the lock to open or close. With just a few lines of code, the researchers built a script that locked and unlocked a smart lock connected to a vulnerable smart hub,” noted TechCrunch.
The report added that Zipato chief executive Sebastian Popovic told TechCrunch that each smart hub now comes with a unique private SSH key, and that the company has also since discontinued the ZipaMicro — the particular hub on which Dardaman and Wheeler had tested their hacking abilities.
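The fix described above is a unique SSH key per hub. One way an operator could check a fleet for that property is sketched below as an added example, not code from the researchers or Zipato. It assumes the operator has collected, for each hub, the OpenSSH public-key line for the privileged account. The hub names and key material are constructed placeholders.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(pubkey_line):
    """Return the OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    # binascii.Error (bad base64) is a ValueError subclass, so it propagates as one.
    blob = base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed key type that must match field 0.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(inventory):
    """Map fingerprint -> hubs for every key that appears on more than one hub."""
    groups = defaultdict(list)
    for hub_id, line in inventory.items():
        groups[fingerprint(line)].append(hub_id)
    return {fp: sorted(hubs) for fp, hubs in groups.items() if len(hubs) > 1}


def _constructed_key(seed):
    """Build a well-formed ssh-ed25519 line from filler bytes (not a real key)."""
    ktype = b"ssh-ed25519"
    blob = (struct.pack(">I", len(ktype)) + ktype
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"


# Constructed inventory: two hubs were provisioned with the same key, one was not.
SAMPLE_INVENTORY = {
    "hub-apt-101": _constructed_key(1),
    "hub-apt-102": _constructed_key(1),
    "hub-apt-103": _constructed_key(2),
}

if __name__ == "__main__":
    for fp, hubs in shared_keys(SAMPLE_INVENTORY).items():
        print(fp, "is shared by", ", ".join(hubs))
```

Any fingerprint reported here means that extracting the key from one listed hub also grants access to the others in that group.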
The security researchers did, however, concede that their ability to hack the device did not mean that they had discovered a master key into everyone’s homes, noting that an attacker would need to access the same WiFi as the security device.
Dardaman also mentioned that any hub connected directly to the internet could be exploitable from a remote location.
“We want to show that there is a risk to this kind of tech,” said Dardaman, “and apartment buildings or even individual consumers need to know that these are not necessarily safer than a traditional door lock.”