Home Automation Systems Easily Hacked Via The Power Grid


As home automation becomes more and more popular, hackers and security experts alike are turning their attention to these systems, to see just how (in)secure they are.

This week at DefCon, a pair of researchers demonstrated just how vulnerable home automation systems can be. Carrying out their research independently, [Kennedy] and [Rob Simon] came to the same conclusion – that manufacturers of this immature technology have barely spent any time or resources properly securing their wares.

The researchers built tools that focus on the X10 line of home automation products, but they also looked at Z-Wave, another commonly used home automation protocol. They found that Z-Wave-based devices encrypted their conversations, but that the initial key exchange was done in the open, allowing any interested third party to intercept the key and decrypt the communications that follow.

While you might initially assume that attacks are limited to the power lines within a single house, [Kennedy] says that the signals leak well beyond the confines of your home: he was able to intercept communications from 15 distinct systems in his neighborhood without leaving his house. Since an X10 frame carries nothing that identifies or authenticates its sender, anyone on the same side of the distribution transformer can inject commands just as easily as read them.
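As an added illustration (not code from the article, and not the researchers' X10 Sniffer or Blackout tools), the following Python encodes and decodes X10 powerline frames as laid out in the public X10 standard, with the 120 kHz bursts at mains zero crossings abstracted into a list of half-cycle bits. It shows the three things the talk relies on: a sniffer only has to spot the fixed start code and undo the bit/complement pairing; a captured command can be rebuilt and replayed bit for bit because nothing in the frame identifies or authenticates the sender; and holding a carrier on every half-cycle (the Blackout idea) makes every frame fail the complement check, so receivers see nothing. The bit-stream representation, the sample capture and the `sniff`, `replay` and `jam` helpers are my own assumptions for this example.

```python
# Added example, not code from the article or from the X10 Sniffer/Blackout tools.
# X10 powerline framing per the public X10 standard; the 120 kHz bursts at mains
# zero crossings are abstracted into a list of half-cycle bits (1 = burst, 0 = none).

HOUSE_CODES = {  # 4-bit house codes A..P (not in plain binary order)
    "A": "0110", "B": "1110", "C": "0010", "D": "1010",
    "E": "0001", "F": "1001", "G": "0101", "H": "1101",
    "I": "0111", "J": "1111", "K": "0011", "L": "1011",
    "M": "0000", "N": "1000", "O": "0100", "P": "1100",
}
# Unit 1..16 reuses the house-code table with a trailing 0; function codes end in 1.
UNIT_CODES = {i + 1: HOUSE_CODES[h] + "0" for i, h in enumerate("ABCDEFGHIJKLMNOP")}
FUNCTION_CODES = {
    "ALL_UNITS_OFF": "00001", "ALL_LIGHTS_ON": "00011", "ON": "00101",
    "OFF": "00111", "DIM": "01001", "BRIGHT": "01011", "ALL_LIGHTS_OFF": "01101",
    "HAIL_REQUEST": "10001", "STATUS_ON": "11011", "STATUS_OFF": "11101",
    "STATUS_REQUEST": "11111",
}
START_CODE = [1, 1, 1, 0]   # the only unpaired bit pattern on the line
GAP = [0] * 6               # 3 mains cycles of silence between code groups
FRAME_LEN = 4 + 8 + 10      # start code + 4 paired bits + 5 paired bits

REV_HOUSE = {v: k for k, v in HOUSE_CODES.items()}
REV_UNIT = {v: k for k, v in UNIT_CODES.items()}
REV_FUNC = {v: k for k, v in FUNCTION_CODES.items()}


def _pair(bits):
    """Each data bit goes out as the bit followed by its complement (1 -> 10, 0 -> 01)."""
    out = []
    for b in bits:
        out += [int(b), 1 - int(b)]
    return out


def _unpair(bits):
    """Undo _pair; None if any pair is not complementary (what a jammed line looks like)."""
    if any(bits[i] == bits[i + 1] for i in range(0, len(bits), 2)):
        return None
    return "".join(str(bits[i]) for i in range(0, len(bits), 2))


def encode_frame(house, code5):
    """One 22-half-cycle frame: start code, house code, unit or function code."""
    return START_CODE + _pair(HOUSE_CODES[house]) + _pair(code5)


def encode_command(house, unit, function):
    """What a controller puts on the wire for e.g. 'A1 ON': address frame and
    function frame, each sent twice back to back, with a silent gap after each pair."""
    addr = encode_frame(house, UNIT_CODES[unit])
    func = encode_frame(house, FUNCTION_CODES[function])
    return addr + addr + GAP + func + func + GAP


def sniff(line):
    """Passive decoder: walk the half-cycle stream, lock on to every start code,
    and return (house, kind, value) tuples with the mandated repeat collapsed."""
    seen = []
    i = 0
    while i + FRAME_LEN <= len(line):
        if line[i:i + 4] != START_CODE:
            i += 1
            continue
        house = _unpair(line[i + 4:i + 12])
        code = _unpair(line[i + 12:i + 22])
        if house is None or code is None:
            i += 1                       # corrupted frame; keep scanning
            continue
        if code in REV_UNIT:
            entry = (REV_HOUSE[house], "unit", REV_UNIT[code])
        elif code in REV_FUNC:
            entry = (REV_HOUSE[house], "function", REV_FUNC[code])
        else:
            i += 1
            continue
        if not seen or seen[-1] != entry:
            seen.append(entry)
        i += FRAME_LEN
    return seen


def houses_seen(line):
    """Distinct house codes on a shared line: a rough count of separate installations."""
    return sorted({h for h, _, _ in sniff(line)})


def replay(line):
    """Rebuild the sniffed command from its decoded fields. There is no sender
    identity, nonce or MAC to get wrong, so the rebuilt bits equal the capture."""
    fields = sniff(line)
    (house, _, unit), (_, _, function) = fields[0], fields[1]
    return encode_command(house, unit, function)


def jam(line):
    """Blackout-style interference: a burst on every half-cycle. No start code
    can match and every bit pair reads 1,1, so no receiver recovers a frame."""
    return [1] * len(line)


if __name__ == "__main__":
    capture = encode_command("A", 1, "ON") + encode_command("C", 3, "OFF")  # constructed
    print(sniff(capture))
    print(houses_seen(capture))
    print(replay(encode_command("A", 1, "ON")) == encode_command("A", 1, "ON"))
    print(sniff(jam(capture)))
```

The dedup in `sniff` relies on the standard's mandated double transmission; flipping a single half-cycle in one copy (as line noise or a short burst of interference would) still leaves the other copy decodable, which is why a Blackout-style attack has to hold the carrier continuously rather than clip a bit here and there.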

40 thoughts on “Home Automation Systems Easily Hacked Via The Power Grid”

  1. X10 signals are isolated by transformers. This guy got lucky (or unlucky), and shares his mains with 15 other users at least… Wouldn’t want to live there…

    I live on a rural street and have my own 8KV>240v transformer. No one sees my X10 but me. And if they walk up to my house to connect to one of my power outlets that’s a different type of security problem.

    They don’t need to crack my x10 stuff to see what lights I have turned on. (They can just use their eyes.)

    1. Not to mention that a $17 whole house X10 blocker solves that problem as well. Most pro installers will add one if they have issues with noise on the line – blocks any signals in or from the neutral feed on the junction box.

    2. Unless you’re in a rural neighbourhood, chances are that you share a pole pig with at least one or two other neighbours. There’s nothing to feel sorry for the guy about, the power company is saving a significant amount of money by using one properly sized step-down transformer rather than a dozen or more smaller ones.

    3. @raidscsi: Do you use any wireless X10? Don’t even have to plug into your house to access your stuff if you do. Just have to try 15 house codes.

      I use X10 in my house, but not for anything that could be dangerous if turned on or off without my knowledge.

      X10 isn’t meant to be secure, it’s meant to be convenient. The worst an attacker could do is turn on and off my lights, fans, and an air conditioner. Annoying, but not a “security” threat by any measure.

  2. Also on a more positive note, this hardware would be cool to have to diagnose X10 communications issues. From time to time I have problems getting signals from one phase to another. (seems to work best with the 240 HVAC compressor running)

  3. The biggest problem would be if the house is running an X10 based security system.
    That would be a major security risk. Controlling the lighting would probably only be annoying.

    I have my own home automation system running but I use hacked remote wall outlets. These pose the same security risks, therefore they only control lighting and non-important utilities like my external monitor and my TV. The security system and other security features all run off WiFi where the communication itself is encrypted, validated and authorized/verified (so even local sniffing is impossible). My safe is modded with remote control but that is using the classic rolling code like the one being used in cars.

  4. Seems to me the hassle of gaining access to a target’s neighbour’s house’s electric supply to hack the target’s home automation is higher and less likely to work than gaining access to the target’s house and plugging directly into an external light or power fitting.

    However, it was interesting to see that Z-wave is supposed to be encrypted but negotiates the key in the clear. That’s the sort of useful research that we need more of.
    You can imagine someone thinking “It’s an encrypted system, I can safely control my garage door and security system with it.” and then being upset when they find out the encryption is more like encraption.

    1. The way this is usually done in the context of hotels and offices (probably the most security conscious use cases, and the specific case with which I’m familiar), the devices are configured into a network in a remote location inside a Faraday cage. So, while the key is transmitted in the open, it’s not getting past the cage. Then, the devices get shipped out to the hotel and installed by their electricians into a given room (that’s actually the primary benefit of this process, it simplifies the process for the client). Once it’s in the room, it’s secure.

      1. Until the power goes out… not all X10 and ZWave systems can survive power failures without being reconfigured. Negotiating keys in the clear has NOTHING to do with convenience except on the part of the developer and the hardware manufacturer. You can do DH type key negotiations that are very convenient and transparent to the user, but no manufacturer wants to spend that kind of money putting the hardware/firmware in place to do it. Just not cost effective for them. And besides, if you get burgled, the home owner’s insurance covers it, not the device manufacturer, so they have no incentive.

  5. FYI Typically a single line transformer is shared between 4 service entrances. So your home automation system is accessible from at least 3 of your neighbors’ homes. PLC’s typical low bit rate also makes them more vulnerable to attacks as you don’t need very sophisticated equipment to capture the data… X10 just needs a TDA5051 and a level shifter and you can dump data directly to a terminal.

  6. Although the bit about Z-Wave is interesting (and disappointing), they focus more on X10.

    “None of the manufacturers have implemented really any security whatsoever on these devices,” said Dave Kennedy, one of the researchers. “It’s such an immature technology.”

    Anyone with the ability to think for themselves will realize that this statement is false. X10 isn’t immature, it’s *outdated*; having been around virtually unchanged for 37 years now.

    “The tools, which they’re releasing to the public, include the X10 Sniffer to determine what’s connected to the power network and monitor what the devices are doing, and the X10 Blackout, which can jam signals to interfere with the operation of lights, alarms, security cameras and other devices.”

    This class of hacker commonly releases such “tools” under the guise that they’re performing an invaluable service to us by forcing manufacturers to update, improve, and secure their products; rather than admitting to malicious or anarchist purposes.

    But again, anyone with the ability to think for themselves will realize this excuse doesn’t apply here. No security updates to X10 are feasible. It was never designed with security or firmware updates in mind, and is too old to warrant any changes.

    The only reason X10 is still used is because you can put together a home automation system using it so inexpensively compared to any modern alternative. That alone makes it *valuable* despite its shortcomings, by giving people who otherwise couldn’t afford or wouldn’t consider home automation an opportunity to benefit from it.

    I use a massive X10 system myself (34 modules) which would be very expensive to replace. And I have donated a large amount of time educating and helping others with successfully setting up X10 systems.

    So now these guys come along and release their “tools”. As far as hardware, this only requires a CM11A transceiver, a serial cable, and a portable computer with a serial port. Software is a simple program that runs on a portable computer, that records, plays back, or continuously spams X10 commands. Not exactly rocket science. I’m familiar with X10 programming and could recreate their “tools” in less than an hour.

    But thanks to these researchers, now any script kiddie neighbor or thief with double-digit IQ has a turn-key solution for messing with X10 systems.

    Thanks.

    1. But thanks to these researchers, now any script kiddie neighbor or thief with double-digit IQ has a turn-key solution for messing with X10 systems.

      Like you say at the beginning, the problem is not the researchers but the ancient protocol. Don’t blame the researchers for analyzing security on 37 year old stuff.

      1. I don’t have a problem with them analyzing security. Analyzing the security of X10 is like flogging a dead horse, because there is none. I’m surprised this was even considered worthy of a DefCon demonstration.

        What I have a problem with is them releasing tools to disrupt an X10 system.

        My X10 system has served me well for almost ten years. I know its limits, so I don’t use it for security, or connect anything which could burn down the house. Yet I still have 34 modules. It does what I need it to do. The rare failure is usually easy to repair, and the modules are cheap enough you can keep spares on hand. There is no reason it can’t serve me for another ten years, and I would like it to; rather than invest time and money in a new system that would be better spent elsewhere.

        Unless of course some malicious person were to intentionally disrupt it. And thanks to these “researchers” releasing their tools to persons unwilling or unable to come up with their own, that just became more likely.

        It was not necessary for them to do that to simply demonstrate a vulnerability.

        Though it *may* have been necessary for them to do that to successfully get a presentation spot at DefCon. If so, that is a purely selfish motive on their part; to value their own fame over the investments and security of every X10 owner, even if that security is only through obscurity.

        1. At first I thought X10 would be a great idea since the signal is transmitted over power lines because the WiFi hacking tools out there are pretty great and living in FL I wouldn’t have to worry about how WiFi doesn’t particularly like to travel through concrete walls. I even figured that I could put some kind of blocker at the breaker box to prevent signal leakage. After less than 15 minutes of research I found that the signals have zero security and realized that any middle school kid, if so inclined, could easily hack the X10 system. Considering the internet has been around and building a global knowledge base about electronics and hacking them for 20 yrs there is no excuse for such an insecure system. Of course based on X10’s website, I can confidently say that there are no more forward thinkers associated with that product. I think it is irresponsible to not very publicly disclose on the packaging that the product should not be used with security systems, garage doors, ovens, refrigerators, freezers etc. instead of promoting those exact uses.

  7. About the Z-Wave thing, it doesn’t sound like a horrible thing, as really how often does one pair their devices? Like once in their lifetime?

    These devices aren’t long range, I say odds are unlikely that someone would be monitoring and recording your transmission within 150 feet while you pair your devices.

    1. It depends on the failure rate of the individual devices. Some things like door switches (e.g. we shut off the AC in a room when the door opens, huuuuge energy savings) have fragile reed-switches inside of them. This is also why we do smart, switchable wall-plug modules instead of smart, switchable light bulbs like Google is pushing http://inhabitat.com/google-unveils-brilliant-android-controlled-led-light-bulb/. Not only is it more robust, it works with any of your existing electrical appliances, not just one light bulb.

  8. There *is* a security implication to being able to turn your lights on and off remotely…

    If (hypothetically) I turn all your lights off and I don’t see any come back on more or less instantly, I’ve got some pretty good evidence you’re not at home so I know I won’t get shot at when I burgle your house…

    1. If I’m not home all my lights are off anyway.

      If somebody is counting on lights being on or off as a security measure, or even being at home as a security measure, their “security” has already failed.

      1. You missed Richard’s point. In your response, you suggest that (paraphrased) “Lights left on when not home” is a poor security device. True, and it is.

        But what Richard said was, he could remotely detect if the premises were OCCUPIED or not. If a crime depended on the victim being home, this is potentially more sinister.

      2. Looking at it a second time, you are correct, Pants. My brain jumbled Richard’s post as saying “evidence you are home, or not” which could be parsed differently. If you are paranoid like me, anyways :-)

  9. I’m glad to see people doing research on topics and devices like this. Also glad to see HaD reporting information on it so I can see all the great comments from people with actual knowledge. Thanks.

  10. The company that used to use annoying web popups as a marketing technique doesn’t do security well? What a surprise!

    In my case, if I’m on the computer hacking, or on the couch watching TV, and the light in the other room goes off, I might not notice :-) (Or I might only notice if it startles the cat.)

  11. I’ve been trying to find it all day with no success, but there was a guy who designed and built the solution to this problem for X10. My memory of exactly how it works is poor, so no point in discussing the error of the method since my recollection is probably wrong. Hopefully somebody else will remember it and find the link.

    All commands begin with a multi-digit PIN code. The PIN code is just X-10 commands. So with a desk commander it might be module 2 on, module 3 off, module 2 off. Note these commands will NOT be acted upon by any module because a listening device jams all commands until a valid PIN is received.

    The listener sits on the powerlines. When it hears an X-10 command, it immediately sends out interference that blocks a module from getting the complete command. If the first x commands are the correct PIN code, then it allows the subsequent commands to propagate without interference.

    The obvious hole is that an attacker could hear the PIN code and replicate it. I believe the hole was addressed but again I don’t remember all the details.

  12. I use an X-10 security system because it’s inexpensive, but it does not use the power lines for its code; it uses RF to communicate with its senders, and the codes it uses are not the same as the power line codes. It does have its own built-in alarm, and can communicate with the power line codes to turn on external devices such as lights and other sirens. It also has a phone dialer that can call a few numbers and play messages over the phone line. As for turning off all the lights to see if anyone is home, just put a light or a few permanently on without hooking to the X-10; that way a potential hacker won’t know for sure. I also have most of my lights on motion detectors with timing on the inside and outside of my house so nobody can predict if the house is occupied, and also have a camera recording system the same way.

  13. It may seem from the article that *all* power line communication is insecure. In fact, the commonly spread HomePlug AV standard has 128 bit AES encryption which cannot be broken in a reasonable amount of time. It also does *not* exchange unencrypted keys unless you are foolish enough to leave the default password active.

  14. Just to cover a bit more because a lot of this was covered in the presentation but hard to cover in an article:

    1. The X10 RF communications use the same mechanism just through RF and are just as easy to jam/intercept/stop. Most of the motion sensors/alarm systems use this, we did not show it live as RF jamming is illegal and we aren’t lawyers. So in the case of home alarm systems, they are equally as vulnerable with no security mechanisms in place to protect against it.

    2. To Gearloose’s comment: That was specifically outlined in the talk that the latest HomePlug rev supports AES while older versions supported 56 bit DES. I specifically mentioned the Netgear 500 AV which supports randomized key exchanges by pushing the pair button, the others leverage default passwords. Many of the vendors aren’t leveraging FIPS-compliant based key exchanges so yes they do exchange the keys in an insecure format that can be intercepted. There are some that tout FIPS-verified based implementations.

    3. Z-Wave is by almost all means all unencrypted and extremely easy to sniff/intercept/inject into the mesh network. There were only front-door locks that we were able to find leveraging AES. To the gentleman’s comments above, they leverage a mesh network so if you use an antenna and can have a transmit strength great enough to encompass one device you can communicate with all of the devices, not just one.

    4. This is only the tip of the iceberg, we’re working on Crestron, Lutron, Insteon, Control4, and others which all leverage some form of the open protocols. We are all for responsible disclosure, in the case of X10/Z-Wave it was a bit different as we were specifically targeting a standard versus a manufacturer. In the cases of commercial implementations we would follow a release cycle and ensure that the issues identified were remediated before any type of release to the public. If it wasn’t possible to fix the devices then we wouldn’t release the information.

    5. In most cases neighborhoods are set up with a single transformer distributed to multiple houses; in my area I was able to see 15, which to me seems insane, but the normal should hopefully be around 3-4.

    6. To clear anything up on this, we used a Teensy device, which is a small microcontroller, soldered to an X10 controller with onboard flash memory, programmed via the Arduino programming language to send the signals. We then soldered a GSM based chip onto the device and interfaced it with the Teensy and an SD-mounted flash drive that would intercept communications over the powerlines then send those via text messages. So essentially when someone powered the lights on, triggered a motion sensor, or anything else home-automation based on the system, it would send it over text messages, then you could send a text message back to the device to start the blackout if you wanted. We haven’t published this specific implementation/code but only the blackout/sniffer modules.

    To Chris’ comments above, I normally don’t comment on completely inaccurate and not researched statements, but the equipment used is 100 percent wrong. No serial, no computer, no CM11A. We used a hand soldered modified Arduino-based device. Check out http://www.prjc.com. You miss the point about X10, we are releasing information about the standard which is broke, like anything else X10 is antiquated which is why we are off to other pastures with the more commercial product sides.

    On Chris’ point about disclosure: I don’t know what to tell you, I’ve been in this business for over ten years and believe in responsible disclosure. At this point there is nothing to do around contacting/notification around standards. If it would have been a specific vendor/manufacturer things would have transpired quite differently. Case in point last year when we found exposures in PowerShell, we contacted Microsoft 8 months before we even came close to releasing information about it. Please stick to what you’re good at :-)

    Hope that clears some of it up. Let me know if anyone has any questions about it!

    Thanks,

    Dave

    1. Dave, thanks for coming in adding more clarity to the conversation.

      4. “If it wasn’t possible to fix the devices then we wouldn’t release the information.” It’s not possible to fix X10 because the devices are not upgradeable.

      “the point about X10 [is the standard is broke].” No, it’s not. The standard was not designed nor intended to ever be secure. The manuals even talk about your neighbors being able to control your lights. The standard does exactly what it was designed to do and nothing more or less. So I think characterizing it as “broke” is inaccurate. It’s like saying clear glass is insecure because you can see through it.

      You might say that since the protocol is used for a security system that it is implied the protocol is secure. The security systems came much later in X10’s life, likely at the behest of some suit in Marketing, and used a known non-secure protocol. So really it’s the security system that’s broken, not the protocol.

      1. Thanks for the response! Always good to hear different views and opinions.

        Stating that a protocol was never designed to be secure is the crux of the argument. The systems are being used in home automation systems without the implications that it could be potentially damaging as far as security goes. I never stated that X10 was a secure protocol or that it was touted that way, but it is for sure broke as far as security goes. The fact that security systems were designed and implemented in homes is the point of the argument. Why are we using this technology still, or at least put something around it for protection?

        So back to the point: “the point about X10 [is the standard is broke].” No, it’s not.” I’m back to yes it is, from a security perspective its absolutely broke.

  15. What about creating our own control units. Surely there must be a very low power 8 bit microcontroller we could use that we could pull out of sleep in microseconds. Then we just need an ASIC transceiver for electric wires. Chirp the signal to wake the microcontroller and then use the microcontroller to decode a signal command. We could use any encryption we wanted as well as being able to update the firmware for better security as time goes on. If we could fit the microcontroller and other components within the size of a matchbox that would be ideal. Then start another kickstarter project to produce sockets and switches with relays. I can already see such units being extended for in device control.

    The thing I most want is low power(watch battery efficiency). What good are smart devices if each of the 50 smart device electronics draw one watt a piece.

    1. That’s not a bad idea but I think it is treading a tad closely to reinventing the wheel.

      Anything plugged into line power really should be UL certified. That costs money and time. And I don’t want to plug anything into my outlets that isn’t UL certified and hasn’t been designed by somebody with extensive experience in line-power circuits. I don’t want my house to burn down.

      The existing solutions have UL certification, a long history of safe operation, or both. They are also either not meant to be secure and make no bones about it, or can be secure when used correctly.

      The only advantage of a reinvention project that I can see is the reduced quiescent power draw. X10 modules and controllers are fat power pigs by modern standards. I don’t know how good Visteon or Z-Wave products are. I haven’t researched them because X10 does what I need and is dirt-cheap even considering the long-term extra energy use.

      As for saving power on a microcontroller, there are several that have very low power use during sleep modes. I think there was an article yesterday on EEV blog or similar demonstrating that.


