Thread vs. OpenThread | Home Automation—Can Someone Hack my SmartHome?
Yes, no, maybe? Home automation security concerns and vulnerabilities to be on the lookout for or to consider avoiding completely.
#include <chrono>
#include <thread>
#include <iomanip>
#include <unistd.h>
#include <net/if.h>
#include <sstream>
#include <stdio.h>
Well, it’s open source, so it should be safe, right?
Is anything safe? Sure, as long as it’s displayed with a mesmerizing fancy video, the perfect font and high-quality photos/videos to grab your attention, it sure is—says most consumers who rely on such product marketing tactics disguised as “being in the know”, the first-in-tech club, or maybe certain financial brackets that persuade the targeted viewer to invest in commercial products to simplify their lives.
Now introducing: OpenThread, managed by Google —
902–928 MHz worth of Kb frames zapping through the air, ready to be sniffed and fondled; well, hopefully it’s being transmitted with at least WPA3 from node to node, depending on your setup topology — but if not, you’ve got CCM (Counter with CBC-MAC) mode of the 128-bit AES block cipher backing you up from a distant stranger, neighbor or delivery person, right? Well, what about: AdProx, ANSI C18, Bluetooth® 4.2+, FIPS 180-4, FIPS 186-4, FIPS 971, FIPS 198-1, IEEE 754-2019, SIGMA, SPAKE2+, SRP, Verhoeff ECC, X.501, X.509, X.520, X.680, X.690?
Recommend | Xybercraft ™
I mean, hey, you have Bypass Jam Detection and CSMA/CA. OTBR uses iptables and IPsec to avoid explicit inbound kernel parameters, so you should be fine, right? No, not really.
15% of consumers (on a good day) don’t even glance at such information.
Assuming you were persuaded by a reseller employee or those .com big shots advertising their affiliate links that always seem to have favor in your favorite search engine’s top results, then just plug and play your new Thread toys and enjoy the easily installed assisted living, like changing the temperature on a thermostat that’s 20 feet away.
Hate to say it, but *clears throat* you probably weren’t even guided to dedicate MQTT-SN (Message Queuing Telemetry Transport for Sensor Networks) over TLS (Transport Layer Security) to TCP port 8883 in case some kind of reconfiguration happens, and you or the average consumer may also suffer from:
Stealing Cached Tokens
Spoofing
Congestion
Wake-up Wave Attacks
Trash Injections
Disconnect Wave
But I thought it was using something like 6LoWPAN? 6LoWPAN, you say? Ah yes, IPv6 Neighbor Discovery alone can suffer from:
NS/NA Spoofing (Neighbor Solicitation/Advertisement Spoofing)
NUD Failure (Neighbor Unreachability Detection)
DAD DoS (Duplicate Address Detection DoS Attack)
Malicious Router
Default Router Killed
Good Router Goes Bad
Spoofed Redirect Message
Bogus On-Link Prefix
Bogus Address Config Prefix
Parameter Spoofing
Replay Attacks and Remotely Exploitable Attacks
Remote ND DoS (Neighbor Discovery DoS Attack)
“LoWPAN Broadcast method of derivation of Interface Identifiers from EUI-64 MAC addresses is intended to preserve global uniqueness when possible. However, there is no protection from duplication through accident or forgery; the MTU size for IPv6 packets over IEEE 802.15.4 is 1280 octets.
Link-layer security (another aspect) imposes further overhead, which in the maximum case is 21 octets of overhead for AES-CCM-128, versus 9 and 13 for AES-CCM-32 and AES-CCM-64, respectively.
It is still possible to use self-identifying mechanisms, such as Cryptographically Generated Addresses (CGA). It may also be possible to learn the identities of any routers using various kinds of heuristics, such as testing the node's ability to convey cryptographically protected traffic towards a known and trusted node somewhere in the Internet. Methods like these seem to mitigate (but not completely block) some of the attacks outlined.
“802.15.4 provides some capability for link-layer security. Users are urged to make use of such provisions if at all possible and practical. Doing so will alleviate some threats stated above.”
But wait, there’s more (Billy Mays voice).
(Section added: 2023) Have you heard about the creep move from Amazon? Amazon shut down the owned personal device(s)/product(s) of a customer named Brandon Jackson on May 25th this year. Brandon is an engineer for Microsoft and was accused of being racist to a delivery driver… Amazon disabled his smart home system for a week, and a similar situation can happen to anyone; isn’t that crazy? More like creepy: these positions are held by individuals who are in more control than you are. Disabling his stuff isn’t that criminal, sure, but factor in Mr. Robot rogue actors, or upset employees.
CoAP vulnerabilities fall within WebSockets and CoAP over TLS-secured WebSockets, and the TLS binding for CoAP over TCP depending on the PreSharedKey, RawPublicKey or Certificate mode, which still opens doors to a few other attacks like these:
Parsing the Protocol and Processing URIs
Proxying and Caching
Risk of Amplification
IP Address Spoofing Attacks
Cross-Protocol Attacks
Constrained-Node Considerations
Datagram Transport Layer Security (DTLS) has a few known vulnerabilities linked with subsets of its protocol, but denial of service was the main one to consider if the devices did not use the cookie exchange; then there are on-path attacks which can black-hole traffic or produce:
Reflection attacks
NAT rebinding
Etc., etc.
I always say it’s not the ones with a criminal background you have to worry about, it’s actually the ones without. Not to mention equality, so consider linking your fridge, toilet, air conditioning unit, mailbox, windows, doors and all the other important things around the house to a system that you purchase and only have limited access to. Imagine in the future (god forbid) a home being unable to open and you being stuck inside, or worse, your kids, or a toilet not wanting to flush because some software engineer didn’t finalize a few lines of code because it was 3:28 on a Friday. A little exercise has never hurt anything, and it never will, unless you’d like to discuss “Wolff’s Law” relating to the future of developments like Matter.
First it was GPS, then our voices with microphones in use all day, then a camera in our faces 16 hours at that; which evolved to infrared photogrammetry that secretly tracked our eye movements and reactions even in low light, to later just cover up all the retrieved data with “animal faces, or filters.” Rollout after rollout we see updates to convey hidden tactics, from keystrokes to heartbeats.
These attacks aren’t just someone in your home; some can be exploited by tunneling through your network, from basic attacks like DoSing to advanced attacks like swapping Root CA files.
And you couldn’t tell you were a victim unless you kept original logs and monitored activity regularly, because some behavior can even avoid detection. To think that this 802.15.4 technology is so old and basically out of date, and how the (public) world still relies on AES. The mentions I brought up may be updated in the future; I do use a few home products myself, but I take preventative measures, like limiting features I don’t need.
Automation is cool, trust me, I love technology, but it’s actually scary, and we’re slowly handing over our lives.
There are also biclique, brute-force, rainbow-table and related-key attacks on the radar for AES-128 to AES-256. You can run your own code alongside Wireshark using Pyspinel to analyze packets, either to see how they work (what node is sending to what) or to check for irregular activity. To be practical, I’d consider purchasing a “next-generation” (hardware) firewall (NGFW) for your home network, regularly turn off the Wi-Fi at night before bed, use the longest password possible, and reduce the overreach of your Wi-Fi range, meaning if you can connect to your Wi-Fi from the street, then so can anyone else. There are also options like OpenWrt to help buff up your link layer, which alleviates some of the concerns mentioned and encrypts your transmissions.
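As an added example (not from this post or from the OpenThread project), here is a small Python check that ties the link-layer security point above to the Pyspinel/Wireshark suggestion: it decodes the IEEE 802.15.4 MAC header of captured frames, lists which node talks to which, and flags data frames sent with the security bit clear or with a per-source frame counter that did not increase (a replay indicator). The sample frames are constructed inline; the parser assumes frame version 0/1 headers without information elements.

```python
import struct

# Address-mode field -> address length in bytes (0 = absent, 2 = short, 3 = extended)
ADDR_LEN = {0: 0, 2: 2, 3: 8}
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "cmd"}
# Key-identifier-mode field -> key identifier length in the auxiliary security header
KEY_ID_LEN = {0: 0, 1: 1, 2: 5, 3: 9}

def parse_mac_header(frame: bytes) -> dict:
    """Decode an IEEE 802.15.4 MAC header (frame version 0/1, no IEs)."""
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    dst_mode, src_mode = (fcf >> 10) & 0x3, (fcf >> 14) & 0x3
    hdr = {"type": FRAME_TYPES[fcf & 0x7], "secured": bool(fcf & 0x8),
           "seq": seq, "dst": None, "src": None, "counter": None}
    pos = 3
    if dst_mode:
        pos += 2                                   # destination PAN ID
        hdr["dst"] = int.from_bytes(frame[pos:pos + ADDR_LEN[dst_mode]], "little")
        pos += ADDR_LEN[dst_mode]
    if src_mode:
        if not fcf & 0x40:                         # PAN ID compression clear: source PAN present
            pos += 2
        hdr["src"] = int.from_bytes(frame[pos:pos + ADDR_LEN[src_mode]], "little")
        pos += ADDR_LEN[src_mode]
    if hdr["secured"]:                             # auxiliary security header
        sec_ctrl = frame[pos]
        hdr["counter"] = struct.unpack_from("<I", frame, pos + 1)[0]
        pos += 5 + KEY_ID_LEN[(sec_ctrl >> 3) & 0x3]
    hdr["payload"] = frame[pos:]
    return hdr

def audit(frames):
    """Flag unsecured data frames and per-source frame counters that fail to increase."""
    findings, last_counter = [], {}
    for i, raw in enumerate(frames):
        h = parse_mac_header(raw)
        if h["type"] != "data":
            continue                               # acks carry no security header by design
        if not h["secured"]:
            findings.append((i, "unsecured", h["src"], h["dst"]))
        elif h["counter"] <= last_counter.get(h["src"], -1):
            findings.append((i, "counter_regressed", h["src"], h["dst"]))
        else:
            last_counter[h["src"]] = h["counter"]
    return findings

def conversation_pairs(frames):
    """Which node talks to which, from addressed frames only."""
    return {(h["src"], h["dst"]) for h in map(parse_mac_header, frames) if h["src"] is not None}

# Constructed sample frames (not from a real capture): PAN 0xface, short addresses.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "699801cefa010002000d1000000001deadbeefa1b2c3d4",  # node 2 -> 1, secured, counter 16
    "619802cefa0100030068656c6c6f",                    # node 3 -> 1, security bit clear
    "699803cefa010002000d1100000001cafef00da1b2c3d4",  # node 2 -> 1, secured, counter 17
    "699804cefa010002000d0500000001deadbeefa1b2c3d4",  # node 2 -> 1, counter 5 (went backwards)
    "020001",                                          # bare ack frame
)]
```

Feed it the raw 802.15.4 frames exported from your own Pyspinel/Wireshark capture in place of SAMPLE_FRAMES; a node that keeps showing up as "unsecured" or "counter_regressed" is the one to look at first.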
Summary
This wasn’t to scare you, it was to inform you. Finally, I also didn’t mention all Thread-affiliated product vulnerabilities or the safeguards you can take to help mitigate your threats in this post alone; again, I am a consumer of these products, so this isn’t to hate on the teams behind the tech — browse my publications on securing your home automation if you have a SmartHome, or plan on it.
@OpenThread, @CSA, @IETF, @Google, @ANSI, @ISO,