Crestron Hack
As home automation becomes more and more popular, hackers and security experts alike are turning their attention to these systems, to see

This week at DefCon, a pair of researchers demonstrated just how vulnerable home automation systems can be. Carrying out their research independently, Kennedy and Rob Simon came to the same conclusion – that manufacturers of this immature technology have barely spent any time or resources properly securing their wares.

The researchers built tools that focus on the X10 line of home automation products, but they also looked at ZWave, another commonly used protocol for home automation communications. They found that ZWave-based devices encrypted their conversations, but that the initial key exchange was done in the open, allowing any interested third party to intercept the keys and decrypt the communications.

While you might initially assume that attacks are limited to the power lines within a single house, Kennedy says that the signals leak well beyond the confines of your home, and that he was able to intercept communications from 15 distinct systems in his neighborhood without leaving his house.

The biggest problem would be if the house is running an X10 based security system. That would be a major security risk. Controlling the lighting would probably only be annoying.

I have my own home automation system running, but I use hacked remote wall outlets. These pose the same security risks, therefore they only control lighting and non-important utilities like my external monitor and my TV.
The security system and other security features all run off WiFi, where the communication itself is encrypted, validated and authorized/verified (so even local sniffing is impossible). My safe is modded with remote control, but that is using the classic rolling code like the one being used in cars.

Seems to me the hassle of gaining access to a target’s neighbour’s house’s electric supply to hack the target’s home automation is higher and less likely to work than gaining access to the target’s house and plugging directly into an external light or power fitting. However, it was interesting to see that Z-wave is supposed to be encrypted but negotiates the key in the clear. That’s the sort of useful research that we need more of. You can imagine someone thinking “It’s an encrypted system, I can safely control my garage door and security system with it.” and then being upset when they find out the encryption is more like encraption.

The way this is usually done in the context of hotels and offices (probably the most security conscious use cases, and the specific case with which I’m familiar), the devices are configured into a network in a remote location inside a Faraday cage.
So, while the key is transmitted in the open, it’s not getting past the cage. Then, the devices get shipped out to the hotel and installed by their electricians into a given room (that’s actually the primary benefit of this process, it simplifies the process for the client). Once it’s in the room, it’s secure.

Until the power goes out: not all X10 and ZWave systems can survive power failures without being reconfigured.

Negotiating keys in the clear has NOTHING to do with convenience except on the part of the developer and the hardware manufacturer.
You can do DH type key negotiations that are very convenient and transparent to the user, but no manufacturer wants to spend that kind of money putting the hardware/firmware in place to do it. Just not cost effective for them. And besides, if you get burgled, the home owner’s insurance covers it, not the device manufacturer, so they have no incentive.
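As an added illustration of the point in the comment above, and of the article’s finding that Z-Wave traffic is encrypted but the key is exchanged in the open, here is a small Python model of a passive listener on a shared medium (power line or radio). It is not code from the post, the researchers or any vendor. Scheme A broadcasts the session key before using it; scheme B derives the same key with a Diffie-Hellman exchange, so only public values ever touch the medium. Everything in it is constructed for illustration: the KEY/DH/CMD frame tags, the randomly generated 64-bit safe-prime group (far too small for real use) and the HMAC-counter stream cipher, which merely stands in for whatever cipher a device would use once both ends hold the key.

```python
"""Toy model of key establishment over a medium every node can hear.

Scheme A: controller sends the session key in the clear, then encrypted commands.
Scheme B: controller and module run Diffie-Hellman; only g^a and g^b are sent.
A passive observer sees the full transcript in both cases.
Constructed example; the 64-bit group is for readability only, not security.
"""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=25):
    """Miller-Rabin test; probabilistic, which is fine for a toy group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_dh_group(bits=64):
    """Return (p, g): safe prime p = 2q+1 and g = 4, a generator of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, 4


def kdf(shared_secret, nbytes):
    """Derive a 256-bit session key from the integer DH shared secret."""
    return hashlib.sha256(shared_secret.to_bytes(nbytes, "big")).digest()


def xor_stream(key, data):
    """Toy unauthenticated stream cipher: HMAC-SHA256 counter keystream XOR data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[offset:offset + 32], block))
    return bytes(out)


def scheme_clear_key(command):
    """Scheme A. Returns (transcript on the medium, command as decoded by the module)."""
    key = secrets.token_bytes(32)
    transcript = [("controller", b"KEY" + key),
                  ("controller", b"CMD" + xor_stream(key, command))]
    module_key = transcript[0][1][3:]             # the module learns the key from the medium
    return transcript, xor_stream(module_key, transcript[1][1][3:])


def scheme_diffie_hellman(command, p, g):
    """Scheme B. Both ends publish g^x mod p and derive the key locally."""
    nbytes = (p.bit_length() + 7) // 8
    a = secrets.randbelow(p - 2) + 1              # controller's private exponent
    b = secrets.randbelow(p - 2) + 1              # module's private exponent
    A, B = pow(g, a, p), pow(g, b, p)
    transcript = [("controller", b"DH" + A.to_bytes(nbytes, "big")),
                  ("module", b"DH" + B.to_bytes(nbytes, "big"))]
    controller_key = kdf(pow(B, a, p), nbytes)
    module_key = kdf(pow(A, b, p), nbytes)        # same value, computed independently
    transcript.append(("controller", b"CMD" + xor_stream(controller_key, command)))
    return transcript, xor_stream(module_key, transcript[2][1][3:])


def passive_observer(transcript):
    """Eavesdropper that only reads the medium. Returns the recovered command,
    or None when nothing in the transcript reveals the key."""
    key = None
    for _sender, frame in transcript:
        if frame.startswith(b"KEY"):
            key = frame[3:]
        elif frame.startswith(b"CMD") and key is not None:
            return xor_stream(key, frame[3:])
    return None


if __name__ == "__main__":
    p, g = toy_dh_group()
    cmd = b"garage door: open"                    # constructed sample command
    for name, result in (("clear key", scheme_clear_key(cmd)),
                         ("diffie-hellman", scheme_diffie_hellman(cmd, p, g))):
        transcript, module_view = result
        print(f"{name:15} module decoded: {module_view!r}; "
              f"observer recovered: {passive_observer(transcript)!r}")
```

The observer never tampers with anything; it only reads. That is the whole point of the comparison: with scheme A the legitimate module and the eavesdropper learn the key by the identical step, so anything that can hear the medium (a neighbour on the same transformer, in the article’s example) is as well placed as the device itself. Scheme B keeps the user experience identical, since pairing is still just two frames, while the transcript alone no longer yields the key.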
Although the bit about Z-Wave is interesting (and disappointing), they focus more on X10.

“None of the manufacturers have implemented really any security whatsoever on these devices,” said Dave Kennedy, one of the researchers. “It’s such an immature technology.”

Anyone with the ability to think for themselves will realize that this statement is false. I don’t have a problem with them analyzing security. Analyzing the security of X10 is like flogging a dead horse, because there is none.
I’m surprised this was even considered worthy of a DefCon demonstration. What I have a problem with is them releasing tools to disrupt an X10 system.

My X10 system has served me well for almost ten years. I know its limits, so I don’t use it for security, or connect anything which could burn down the house. Yet I still have 34 modules.
It does what I need it to do. The rare failure is usually easy to repair, and the modules are cheap enough you can keep spares on hand. There is no reason it can’t serve me for another ten years, and I would like it to, rather than invest time and money in a new system that would be better spent elsewhere.

Unless of course some malicious person were to intentionally disrupt it. And thanks to these “researchers” releasing their tools to persons unwilling or unable to come up with their own, that just became more likely. It was not necessary for them to do that to simply demonstrate a vulnerability. Though it may have been necessary for them to do that to successfully get a presentation spot at DefCon. If so, that is a purely selfish motive on their part; to value their own fame over the investments and security of every X10 owner, even if that security is only through obscurity.

At first I thought X10 would be a great idea since the signal is transmitted over power lines, because the WiFi hacking tools out there are pretty great and, living in FL, I wouldn’t have to worry about how WiFi doesn’t particularly like to travel through concrete walls. I even figured that I could put some kind of blocker at the breaker box to prevent signal leakage. After less than 15 minutes of research I found that the signals have zero security and realized that any middle school kid, if so inclined, could easily hack the X10 system. Considering the internet has been around and building a global knowledge base about electronics and hacking them for 20 years, there is no excuse for such an insecure system. Of course, based on X10’s website, I can confidently say that there are no more forward thinkers associated with that product.
I think it is irresponsible to not very publicly disclose on the packaging that the product should not be used with security systems, garage doors, ovens, refrigerators, freezers etc., instead of promoting those exact uses.

I’ve been trying to find it all day with no success, but there was a guy who designed and built the solution to this problem for X10. My memory of exactly how it works is poor, so no point in discussing the error of the method since my recollection is probably wrong. Hopefully somebody else will remember it and find the link.

All commands begin with a multi-digit PIN code. The PIN code is just X-10 commands. So with a desk commander it might be module 2 on, module 3 off, module 2 off.
Note these commands will NOT be acted upon by any module because a listening device jams all commands until a valid PIN is received. The listener sits on the powerlines. When it hears an X-10 command, it immediately sends out interference that blocks a module from getting the complete command. If the first x commands are the correct PIN code, then it allows the subsequent commands to propagate without interference.

The obvious hole is that an attacker could hear the PIN code and replicate it. I believe the hole was addressed but again I don’t remember all the details.
Just to cover a bit more, because a lot of this was covered in the presentation but hard to cover in an article:

1. The X10 RF communications use the same mechanism just through RF and are just as easy to jam/intercept/stop. Most of the motion sensors/alarm systems use this; we did not show it live as RF jamming is illegal and we aren’t lawyers.
So in the case of home alarm systems, they are equally as vulnerable with no security mechanisms in place to protect against it.

2. To Gearloose’s comment: That was specifically outlined in the talk, that the latest HomePlug rev supports AES while older versions supported 56 bit DES. I specifically mentioned the Netgear 500 AV which supports randomized key exchanges by pushing the pair button; the others leverage default passwords. Many of the vendors aren’t leveraging FIPS-compliant based key exchanges, so yes, they do exchange the keys in an insecure format that can be intercepted. There are some that tout FIPS-verified based implementations.

3. Z-Wave is by almost all means all unencrypted and extremely easy to sniff/intercept/inject into the mesh network. There were only front-door locks that we were able to find leveraging AES.
To the gentleman’s comments above, they leverage a mesh network, so if you use an antenna and can have a transmit strength great enough to encompass one device you can communicate with all of the devices, not just one.

4. This is only the tip of the iceberg; we’re working on Crestron, Lutron, Insteon, Control4, and others which all leverage some form of the open protocols. We are all for responsible disclosure; in the case of X10/Z-Wave it was a bit different as we were specifically targeting a standard versus a manufacturer.
In the cases of commercial implementations we would follow a release cycle and ensure that the issues identified were remediated before any type of release to the public. If it wasn’t possible to fix the devices then we wouldn’t release the information.

5. In most cases neighborhoods are set up with a single transformer distributed to multiple houses; in my area I was able to see 15, which to me seems insane, but the normal should hopefully be around 3-4.

6. To clear anything up on this, we used a Teensy device, which is a small microcontroller soldered to an X10 controller with onboard flash memory, programmed via the Arduino programming language to send the signals. We then soldered a GSM based chip onto the device and interfaced it with the Teensy and an SD-mounted flash drive that would intercept communications over the powerlines, then send those via text messages. So essentially when someone powered the lights on, triggered a motion sensor, or anything else home-automation based on the system, it would send it over text messages; then you could send a text message back to the device to start the blackout if you wanted.
We haven’t published this specific implementation/code but only the blackout/sniffer modules.

To Chris’ comments above, I normally don’t comment on completely inaccurate and not researched statements, but the equipment used is 100 percent wrong. No serial, no computer, no CM11A. We used a hand soldered modified Arduino-based device. You miss the point about X10: we are releasing information about the standard, which is broke; like anything else, X10 is antiquated, which is why we are off to other pastures with the more commercial product sides.

On Chris’ point about disclosure: I don’t know what to tell you, I’ve been in this business for over ten years and believe in responsible disclosure. At this point there is nothing to do around contacting/notification around standards. If it would have been a specific vendor/manufacturer, things would have transpired quite differently.
Case in point: last year when we found exposures in PowerShell, we contacted Microsoft 8 months before we even came close to releasing information about it. Please stick to what you’re good at :-) Hope that clears some of it up. Let me know if anyone has any questions about it!

Thanks,
Dave

Dave, thanks for coming in adding more clarity to the conversation.

4. “If it wasn’t possible to fix the devices then we wouldn’t release the information.” It’s not possible to fix X10 because the devices are not upgradeable.

“the point about X10 is the standard is broke.” No, it’s not. The standard was not designed nor intended to ever be secure.
The manuals even talk about your neighbors being able to control your lights. The standard does exactly what it was designed to do and nothing more or less. So I think characterizing it as “broke” is inaccurate.
It’s like saying clear glass is insecure because you can see through it. You might say that since the protocol is used for a security system that it is implied the protocol is secure. The security systems came much later in X10’s life, likely at the behest of some suit in Marketing, and used a known non-secure protocol. So really it’s the security system that’s broken, not the protocol.

Thanks for the response! Always good to hear different views and opinions. Stating that a protocol was never designed to be secure is the crux of the argument. The systems are being used in home automation systems without the implications that it could be potentially damaging as far as security goes.
I never stated that X10 is a secure protocol or that it was touted that way, but it is for sure broke as far as security goes. The fact that security systems were designed and implemented in homes is the point of the argument. Why are we using this technology still, or at least put something around it for protection? So back to the point: “the point about X10 is the standard is broke.” No, it’s not.” I’m back to yes it is; from a security perspective it’s absolutely broke.

What about creating our own control units? Surely there must be a very low power 8 bit microcontroller we could use that we could pull out of sleep in microseconds. Then we just need an ASIC transceiver for electric wires.
Chirp the signal to wake the microcontroller and then use the microcontroller to decode a signal command. We could use any encryption we wanted as well as being able to update the firmware for better security as time goes on. If we could fit the microcontroller and other components within the size of a matchbox that would be ideal. Then start another kickstarter project to produce sockets and switches with relays.
I can already see such units being extended for in-device control. The thing I most want is low power (watch battery efficiency). What good are smart devices if each of the 50 smart device electronics draw one watt a piece?

That’s not a bad idea, but I think it is treading a tad closely to reinventing the wheel. Anything plugged into line power really should be UL certified. That costs money and time. And I don’t want to plug anything into my outlets that isn’t UL certified and hasn’t been designed by somebody with extensive experience in line-power circuits. I don’t want my house to burn down. The existing solutions have UL certification, a long history of safe operation, or both.
They are also either not meant to be secure and make no bones about it, or can be secure when used correctly.The only advantage of a reinvention project that I can see is the reduced quiescent power draw. X10 modules and controllers are fat power pigs by modern standards.
I don’t know how good Visteon or Z-Wave products are. I haven’t researched them because X10 does what I need and is dirt-cheap even considering the long-term extra energy use.As for saving power on a microcontroller, there are several that have very low power use during sleep modes. I think there was an article yesterday on EEV blog or similar demonstrating that.
E-Control 2 (IP control via a computer) is not actually 'discontinued,' but effectively updated and is now referred to more commonly as 'XPanel'. Please see the product page for latest information.

With its introduction in 1998, Crestron e-Control revolutionized the control system industry and quickly established itself as the standard for IP-based control. Continuing its thrust as the leader in control system innovation, Crestron pushed the capabilities of e-Control to the next level with the development of e-Control 2. Utilizing a Microsoft® ActiveX® foundation, e-Control 2 provides a fully transformable platform through Crestron VT Pro-e® GUI design software. The result is a suite of inspired solutions called XPanel.

Within VT Pro-e, Crestron touch screen GUI design software, there are four XPanel options: XPanel EXE, XPanel IE, XPanel PDA and XPanel Emulator. All are compatible with any Ethernet-equipped 2 or 3-Series control system, which support DHCP/DNS for the ultimate integration of IT and AV.

XPanel IE

XPanel IE provides web browser based control using ActiveX to attain true Crestron touch screen behavior.
XPanel IE web pages are hosted on the control system, allowing on-the-fly control from any connected PC simply by launching Internet Explorer® and entering the IP address (or URL) of the control system.

XPanel IE files are created just like touch screen files using Crestron VisionTools® Pro-e GUI design software. Touch screen files can be converted directly to XPanel IE in one easy step. The look and function of touch screen files created in VT Pro-e are replicated precisely in XPanel IE. Even subpages, multi-mode buttons, animations, object effects, transparencies and fonts appear and behave identically to those on an Isys® touch screen. For the end user, this means a consistent control experience whether using the system touch screen or the web browser on a remote computer.

XPanel IE is designed for speed, employing embedded 'Smart Loading' technology. When a computer connects to the control system web server for the first time, the complete XPanel IE project is downloaded and stored in the computer's cache memory.
All subsequent connections are resultantly instantaneous. XPanel IE files are not lost when the temporary Internet files folder is cleared. Smart loading also checks for updates upon each new connection, and downloads new files only when an update is found.

All ActiveX objects downloaded as part of an XPanel IE Web page are digitally signed for security. And like all e-Control applications, XPanel IE is fully compliant with firewalls and other common network security measures.

XPanel EXE

XPanel EXE provides ultra fast and secure control through an executable application rather than web pages. The runtime executable loads directly onto one or more specific computers and runs from the desktop or start menu. Just like XPanel IE, XPanel EXE files are created using VT Pro-e GUI design software so they look and function just like an Isys touch screen. Since the executable resides and runs on the controlling PC, there is no load time so all functions are instantaneous.
Even over the Internet, XPanel EXE offers the fastest IP-based control solution available.

XPanel EXE eliminates the hassles associated with web browsers, eliminating any chance of accidentally surfing away from the critical control screens or being interrupted by pop-ups. The 'Always On Top' option prevents the XPanel EXE GUI from getting lost behind other applications. If necessary to support mobile usage, the executable file may be hosted for download by authorized users from a secure server.

XPanel Emulator

XPanel Emulator allows the control system programmer to easily generate an executable file that emulates the entire flow and function of an Isys touch screen or e-Control 2 XPanel project right on any Windows® PC. Button presses, page flips, subpages, and feedback can all be simulated to provide a complete real-time demonstration, fully navigable by any untrained user.
There's no special 'viewer' software required. An XPanel Emulator file can be delivered through email and run easily from the Windows desktop, providing a convenient instrument for sales demonstrations, consultant submittals, user training, and final signoffs. This product may be purchased from an authorized Crestron dealer.
To find a dealer, please contact the Crestron sales representative for your area. A list of sales representatives is available online at or by calling 800-237-2041.

Specifications subject to change without notice. Crestron is not responsible for errors in typography or photography.

Crestron, the Crestron logo, e-Control, VisionTools, VT Pro-e, and Isys are trademarks or registered trademarks of Crestron Electronics, Inc. in the United States and other countries.
Microsoft, Windows, Internet Explorer, and ActiveX are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Crestron disclaims any proprietary interest in the marks and names of others. ©2011 Crestron Electronics, Inc.