Major Security Vulnerabilities in Smart Home Devices Could Allow Hackers to Unlock Doors

A now-discontinued smart home hub had flaws that allowed researchers to hack into the device without even knowing the plain-text password put in place by the owner.

• By Haley Samsel
• Jul 05, 2019

Confirming the worst fears of homeowners everywhere, two security researchers have discovered several vulnerabilities in a recently discontinued smart-home hub, including the ability to unlock front doors remotely using SSH keys.

In research published Tuesday, Chase Dardaman and Jason Wheeler detail how they were able to exploit three major security flaws in a smart home hub called ZipaMacro. The pair did not publish their findings until the issues were fixed by Zipato, the firm that sells the hub.

The vulnerabilities, first reported by TechCrunch, included the ability to extract the hub’s private SSH key from the memory card on the hub. Wheeler was able to get a hold of the “root” key — the account with the highest level of access that allows anyone to access a device without needing a password.

The researchers later found that the private SSH key was coded into every smart hub sold to customers, putting everyone who owned the product at risk of being hacked, according to TechCrunch.

Using the key, they were able to download a file from the device containing scrambled passwords to the hub. As they tried to access the hub, they realized that the product used a “pass-the-hash” authentication system, TechCrunch reported. This system doesn’t require a specific plain-text password — just the scrambled version.

In turn, Wheeler and Dardaman could take the scrambled password and use it to unlock the smart hub, effectively getting around the security measures put in place by Zipato. A savvy attacker could do the same, easily locking and unlocking doors using a simple script sending a command to the smart hub.

After reviewing the research, Kevin Bocek, vice president of security strategy and threat intelligence at machine identity protection provider Venafi, called smart home controllers using the same hardcoded SSH identity a “massive security risk.”

“In this case, an attacker with access to the scrambled version of the SSH key instantly gets access to every device; it’s like winning an exploit jackpot,” Bocek said. “It can literally provide attackers with the ability to unlock your home.”

Hacking into the hub would require an attacker to be on the same WiFi network as the device, the researchers found. However, any devices connected directly to the internet would have been vulnerable to attacks.

Zipato fixed the flaws within a few weeks of learning of them from the researchers and has since discontinued the product in favor of newer products, TechCrunch reported. But the vulnerabilities are still concerning given the popularity of smart home devices around the world. Nearly 36 million such devices will be sold in the United States alone in 2019, according to an estimate from Statista.

Bocek said most organizations do not understand the risks connected with SSH keys, leading them to make mistakes that they then have to scramble to fix.

“We’ve seen the same kinds of problems in the Emergency Response system in the U.S. and we know that one in four Amazon clouds has a backdoor with SSH keys,” Bocek said. “The scale of this problem is enormous; every IoT device, cloud service and container has a key that cyber attackers are more than willing to exploit.”