You need to secure home and office automation hardware, too

My wife really doesn’t like wires. She wants her phone wirelessly charged, she uses Wi-Fi for networking, and is looking forward to controlling our whole house wirelessly. I’m a bit skeptical of the latter as there are multiple standards and I’d hate to invest in something that turned out to be the Betamax of home automation.

Then there’s the security issue.

At 2016 Shmoocon two researchers – Joseph Hall and Ben Ramsey – presented a paper on attacking the home automation protocol Z-Wave. Z-wave is a protocol for locks, security systems, electrical outlets, thermostats, and other home devices to communicate with each other. It works well in homes as it uses a frequency (900 MHz) that penetrates walls and floors well.

The Z-Wave protocol provides for encryption using AES, so the communication between devices to be secured. That way, people can’t unlock your front door or start your coffee without your permission. Unfortunately not all devices using Z-Wave turn on that encryption as Hall and Ramsey found out. They used software-defined radio (electronics that can be made to control specific hardware to define radios to the programmer’s specification) to analyze Z-Wave communication. They found out that of 33 devices tested, only nine supported encryption.

Being able to start my coffee at midnite instead of 6AM isn’t such a big deal and I doubt any attackers would try. I also doubt they’d bother to play with my thermostat. But there are attacks that could be harmful. My mother turned out to be right when she told me not to keep turning the lights on and off so fast or they’d burn out. I was pretty young then, and the lights were incandescent. But as the researchers noted, one can turn off fluorescent lights quickly and they will burn out in just a few hours. If one could do that in an industrial or office setting at night, it would make for an expensive denial-of-service attack on the hardware. That was part of their point.Z-Wave logo

But what about motors or other devices? Could power cycling them at a specific rate damage those?

As more and more devices are connected to each other and to our phones and tablets (i.e. the Internet of Things) the potential for physical damage becomes more of a concern. While it is unlikely that individuals will be the targets, commercial and industrial sites would be prime targets for some attackers. Clearly more research is needed and Hall and Ramsey created tools to help with that, at least for Z-Wave (other protocols such as ZigBee and X10 are in use, too).

I love the idea of wireless communication and control of devices. But I want a secure infrastructure not just for my home, but for commercial environments as well. It is essential for manufacturers to deploy, and users to enable if necessary, encryption and other security features.

Please use the comments below to share your thoughts and experiences with automation and the Internet of Things.


To your safe computing,
John McDermott

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.