The first talk at ShmooCon 2016 was a great one. Joseph Hall and Ben Ramsey presented their work hacking Z-Wave, a network that has been gaining a huge market share in both consumer and industrial connected devices. EZ-Wave uses commodity Software Defined Radio to exploit Z-Wave networks. It is not limited to sniffing; it can also be used for control, with the potential for mayhem.
If you’re looking for Home Automation appliances, you might want to check out the Wink Hub. It’s fifty bucks, and has six radios on board: WiFi, Bluetooth, Z-Wave, Zigbee, and 433MHz Lutron and Kidde. That’s an insane amount of connectivity in a very cheap package. It’s been pwnzor3d before, but dinnovative has a much better solution for getting root on this device.
Earlier methods of rooting the Wink involved passing commands via URLs – something that’s not exactly secure. The new method leverages what’s already installed on the Wink, specifically Dropbear, to generate public keys on the Wink hub and get that key onto another computer securely. The complete exploit is just a few lines in a terminal, but once that’s done you’ll have a rooted Wink hub.
Even though the Wink hub has been rooted a few times before, we haven’t seen anything that leverages the capabilities of this hardware. There isn’t another device with a bunch of IoT radios on the market for $50, and we’re dying to see what people can come up with. If you’ve done something with your Wink, send it in on the tip line.
Home automation keeps popping up here at Hackaday, so [Cristian Zatonyl] decided to share his Raspberry Pi-based system with us. This build takes a firm stance on the “automated” side of the automation vs. control debate we had last week: no user input necessary. Instead, [Cristian] relies on geofencing to detect whether he has driven outside the set radius and automatically turns off the lights and locks his door.
The build takes advantage of Z-Wave products, which are your typical wireless remote-control gadgets, but tacks on a third-party “RaZberry” board to a Raspi to give it control over off-the-shelf Z-Wave devices. The final step is the integration of a custom iOS app that keeps tabs on the geofence boundaries and signals the Pi to control the lights and the front door lock.
[Cristian’s] tutorial covers the basics and admits that it’s a proof of concept without any security features. Judging by his other YouTube videos, however, we’re sure more developments are underway. Check out the video below for a demonstration of the system, then feel free to speculate on security concerns in the comments. Our article on Z-Wave security from a few years ago might be a good starting point.