Home Automation Benchmarking Report

Page 1

www.synack.com

Page 2

Project Scope

Cameras: Dlink DCS-2132L, Dropcam Pro, Foscam FI9826W, Simplicam, Withings Baby Monitor

Thermostats: Ecobee, Hive, Honeywell Lyric, Nest Thermostat

Smoke / CO: First Alert SC9120B, Kidde i2010S, Nest Protect

Home Automation Controllers: Control4 HC-250, Lowes Iris, Revolv, SmartThings

Page 3

Cameras

BEST PRODUCT QUALITIES

• All communications encrypted
• No public services
• Automatic firmware updates
• No default credentials
• Hardwired connection available
• Public firmware is encrypted to some extent
• Credential change required on first boot
• Encrypted automatic updates
• Lost communications alerting
• Automatic firmware updates

WORST PRODUCT QUALITIES

• No hardwired connection
• No SSL pinning in mobile app
• Communications default to unencrypted
• Obfuscates, rather than secures, data in transit
• Publicly available firmware
• Maximum 12 character passwords
• Communications default to unencrypted
• Obfuscates, rather than secures, data in transit
• Weak password policy
• No certificate validation
• Multiple communications are unencrypted
• Credentials easily pulled from backups
• Hard-coded shared password
• Considerable network footprint

*The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.

Page 4

Thermostats

BEST PRODUCT QUALITIES

• All communications encrypted
• Automatic firmware updates
• Proper SSL usage / encrypted traffic
• Public firmware is encrypted to some extent
• Credential change required on first boot
• Built on widely used platform
• Automatic firmware updates
• Encrypted communication

WORST PRODUCT QUALITIES

• Weak password policy
• Weak password policy
• Easily guessable configuration token used
• Lack of SSL pinning in mobile app
• Insecure initial configuration
• History of vulnerabilities across product lines
• Not all traffic is encrypted
• Moderate password policy

*The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.

Page 5

Smoke and CO Detectors

BEST PRODUCT QUALITIES

• Audible power loss notification
• Encrypted network communication
• Difficult to tamper with
• Impossible to remotely hack, because it lacks connectivity
• Impossible to remotely hack, because it lacks connectivity

WORST PRODUCT QUALITIES

• Weak password policy
• Custom configuration protocol / short pairing codes
• Not applicable because this is not a “smart” device
• Not applicable because this is not a “smart” device

*The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.

Page 6

Home Automation Controllers

BEST PRODUCT QUALITIES

• Encrypted communications
• Strong pairing mechanics
• Encrypted communications
• Notified if goes offline
• Strong password policy
• Encrypted communications
• Automatic firmware updates

WORST PRODUCT QUALITIES

• Unsigned firmware
• Custom remote management feature
• Open ports
• Hardcoded API keys
• Weak password policy
• Exposed telnet service
• History of unpatched security issues
• Built-in unauthenticated remote management feature
• Moderate password policy

*The qualities outlined for each product are a result of individual product analysis conducted in isolation from other products examined in this research.

Page 7

Takeaways

• Overall, IoT security is poor, with cameras scoring the lowest

• With few exceptions, Nest leads the industry in security practices

• A sinking tide incident will likely hit home automation

• The industry needs some basic standards to set the bar

Page 8

Areas to Watch

Wi-Fi Jamming

• With few exceptions, all Wi-Fi devices are susceptible to jamming

• Diversification of used spectrum (2.5 GHz + 5 GHz, etc.) reduces risk

• Hardwired Ethernet options also reduce the risk

• Jamming/network down incidents should result in a proactive alert to the user
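The proactive alert called for in the last bullet is normally implemented on the cloud side as a heartbeat watchdog. The following is an added example, not code from the Synack report: each device is expected to check in every fixed interval; a device that misses several intervals gets a "device offline" alert, and when every device at a site falls silent within the same interval the alert is escalated to "site offline", which is how a jammed or downed Wi-Fi network (but also a power or ISP outage) presents from outside. Device names, the intervals and the heartbeat timestamps are constructed for the example.

```python
"""
Added example (not from the Synack report): a cloud-side heartbeat monitor that
raises a proactive alert when a device stops reporting and escalates to a
site-wide alert when every device at one site goes quiet at the same time.
Site/device names, intervals and timestamps are constructed.
"""
from collections import defaultdict

HEARTBEAT_INTERVAL = 30      # seconds a healthy device waits between heartbeats
MISSED_BEFORE_ALERT = 3      # missed heartbeats tolerated before alerting the user


def _beats(site, device, start, stop):
    """Constructed heartbeat log entries (timestamp, site, device) for one device."""
    return [(t, site, device) for t in range(start, stop + 1, HEARTBEAT_INTERVAL)]


# Constructed scenario: every device at home-a goes silent after t=300 (network
# down / jammed); at home-b only the hub stops at t=150 (single device failure).
SAMPLE_HEARTBEATS = (
    _beats("home-a", "camera", 0, 300)
    + _beats("home-a", "thermostat", 0, 300)
    + _beats("home-a", "hub", 0, 300)
    + _beats("home-b", "camera", 0, 600)
    + _beats("home-b", "thermostat", 0, 600)
    + _beats("home-b", "hub", 0, 150)
)


def evaluate(heartbeats, now):
    """Return the alerts that should be raised at time `now`.

    site_offline:   every device at the site is silent and their last heartbeats
                    fall inside one interval, i.e. they dropped together.
    device_offline: (site, device) pairs that are silent while peers still report.
    """
    last_seen = {}
    for ts, site, device in heartbeats:
        key = (site, device)
        last_seen[key] = max(last_seen.get(key, ts), ts)

    by_site = defaultdict(dict)
    for (site, device), ts in last_seen.items():
        by_site[site][device] = ts

    deadline = HEARTBEAT_INTERVAL * MISSED_BEFORE_ALERT
    alerts = {"site_offline": [], "device_offline": []}
    for site, devices in sorted(by_site.items()):
        silent = {d: ts for d, ts in devices.items() if now - ts > deadline}
        dropped_together = (
            silent
            and len(silent) == len(devices)
            and max(silent.values()) - min(silent.values()) <= HEARTBEAT_INTERVAL
        )
        if dropped_together:
            alerts["site_offline"].append(site)
        else:
            alerts["device_offline"].extend((site, d) for d in sorted(silent))
    return alerts


if __name__ == "__main__":
    print(evaluate(SAMPLE_HEARTBEATS, now=600))
```

The distinction between the two alert types matters for the user-facing message: a single silent camera is most likely a local fault, while a whole site dropping in one interval is a network-level event the user should act on, without the monitor claiming to know whether jamming or an outage caused it.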

Password Strength, Reuse, and Attack Resistance

• Basic password strength requirements should be enforced

• Horizontal and vertical password guessing countermeasures should be implemented at application and network layers
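As an added example (not code from the Synack report), the application-layer half of these two recommendations in one small monitor: a basic strength check with a length floor and a denylist but no length cap, and a sliding-window failure tracker that applies a per-account lock against vertical guessing (many guesses at one account) and a per-source block against horizontal guessing (one guess sprayed across many accounts). The thresholds, names and sample failure events are constructed for illustration.

```python
"""
Added example (not code from the Synack report): a minimal login-failure monitor
that enforces a basic password strength requirement and applies both vertical
and horizontal password-guessing countermeasures at the application layer.
Thresholds, names and the sample failure events are constructed.
"""
from collections import defaultdict, deque

MIN_PASSWORD_LENGTH = 12
# Constructed denylist; a real service would check a large breached-password corpus.
COMMON_PASSWORDS = {"password", "12345678", "admin1234", "letmein123"}


def password_meets_policy(password: str) -> bool:
    """Basic strength requirement: a length floor and a denylist, with no length
    cap (a 12-character maximum, as seen on one camera, only weakens choices)."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return password.lower() not in COMMON_PASSWORDS


class GuessingMonitor:
    """Tracks failed logins inside a sliding window and decides which countermeasure applies."""

    def __init__(self, window: int = 300, per_account_limit: int = 5, per_source_accounts: int = 3):
        self.window = window                            # seconds of history considered
        self.per_account_limit = per_account_limit      # vertical: failures on one account
        self.per_source_accounts = per_source_accounts  # horizontal: distinct accounts failed from one source
        self._account_failures = defaultdict(deque)     # account -> failure timestamps
        self._source_accounts = defaultdict(dict)       # source -> {account: last failure ts}

    def record_failure(self, ts: int, source: str, account: str) -> list[str]:
        """Record one failed login and return the actions it triggers."""
        actions = []

        # Vertical guessing: too many failures against a single account.
        failures = self._account_failures[account]
        failures.append(ts)
        while failures and ts - failures[0] > self.window:
            failures.popleft()
        if len(failures) >= self.per_account_limit:
            actions.append("lock_account")

        # Horizontal guessing (spraying): one source failing across many accounts.
        seen = self._source_accounts[source]
        seen[account] = ts
        for stale in [a for a, last in seen.items() if ts - last > self.window]:
            del seen[stale]
        if len(seen) >= self.per_source_accounts:
            actions.append("block_source")

        return actions


# Constructed failure events: (timestamp in seconds, source address, account).
SAMPLE_FAILURES = [
    (0, "203.0.113.5", "alice"), (10, "203.0.113.5", "alice"), (20, "203.0.113.5", "alice"),
    (30, "203.0.113.5", "alice"), (40, "203.0.113.5", "alice"),       # vertical
    (100, "198.51.100.9", "bob"), (101, "198.51.100.9", "carol"),
    (102, "198.51.100.9", "dave"),                                   # horizontal
    (200, "192.0.2.44", "erin"), (260, "192.0.2.44", "erin"),        # benign typos
]


def run(events=SAMPLE_FAILURES) -> dict[str, set[str]]:
    """Replay the events; collect which accounts got locked and which sources got blocked."""
    monitor = GuessingMonitor()
    outcome = {"lock_account": set(), "block_source": set()}
    for ts, source, account in events:
        for action in monitor.record_failure(ts, source, account):
            outcome[action].add(account if action == "lock_account" else source)
    return outcome


if __name__ == "__main__":
    print(run())   # {'lock_account': {'alice'}, 'block_source': {'198.51.100.9'}}
```

Note that the spraying source never trips the per-account counter (one failure per account) and the brute-forcing source never trips the per-source counter (one account), which is why the two countermeasures are needed together; the network-layer half the bullet mentions would be the same logic applied by a rate limiter in front of the application.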

Page 9

Areas to Watch

Unencrypted and Unauthenticated Communications

• All communications should use bidirectional encryption

• Unauthenticated servers, communications and services should not be allowed

Misconfiguration of Encryption

• Independent encryption architecture reviews should always be performed. There are thousands of ways to get it wrong, and only a handful of ways to get it right

• SSL pinning should be used to prevent man-in-the-middle attacks

• Certificate validation should always be performed against a 3rd party

• Self-signed certificates should never be used
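To make the last three bullets concrete on the client side, here is an added example that is not code from the Synack report: the weak configuration that produces the "no certificate validation" finding (encrypted, but any certificate, self-signed ones included, is accepted) next to a hardened context that validates the chain against the platform trust store and checks the hostname, plus a pinning step layered on top, since Python's ssl module validates chains but has no built-in pinning. The function names and the pin values are assumptions made for this example.

```python
"""
Added example (not code from the Synack report): insecure versus hardened
client TLS contexts, a review-style check of a context's settings, and
certificate pinning applied after the handshake. Names are assumptions.
"""
import hashlib
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """Weak setting: the channel is encrypted, but a man-in-the-middle presenting a
    self-signed certificate is accepted without complaint."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected setting: chain validation against the system CA store,
    hostname check, and no legacy protocol versions."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Inspect a context the way a review would, rather than trusting its name."""
    return bool(
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def cert_fingerprint(der_cert: bytes) -> str:
    """Pin format used here: SHA-256 over the DER-encoded leaf certificate."""
    return "sha256/" + hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set[str]) -> bool:
    """True if the presented certificate is one of the expected pins."""
    return cert_fingerprint(der_cert) in pins


def connect_pinned(host: str, port: int, pins: set[str], timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the presented certificate is pinned.
    CA-chain and hostname validation already happened inside wrap_socket; the pin
    check is the extra layer that defeats a rogue or compromised CA."""
    ctx = hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        if not pin_matches(tls.getpeercert(binary_form=True), pins):
            raise ssl.SSLCertVerificationError(f"{host}: certificate does not match pin set")
    except Exception:
        tls.close()
        raise
    return tls
```

Pinning the leaf certificate means the pin set has to be updated every time the server certificate is renewed, so a device that pins should ship at least one backup pin and receive pin updates through its (signed, encrypted) firmware update channel; otherwise a routine certificate rotation turns into a fleet-wide outage.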