Honeywell Home Controllers Open To Any Hacker Who Can Find Them Online
Trailrunner7 writes: Security issues continue to crop up within the so-called "smart home." A pair of vulnerabilities have been reported for the Tuxedo Touch controller made by Honeywell, a device that's designed to allow users to control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet. Researcher Maxim Rupp discovered that the vulnerabilities could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.
Why do you need this stuff on the internet at larg (Score:5, Insightful)
At home, sure, using a tablet to access and program the temperatures on your AC is fine.
But that is your intranet, and securing that should be an obvious practice.
And I can barely guess why you would want your locks handled that way, though in terms of security, a mechanical key is hardly inherently better than a digital one.
Re: (Score:1)
There are other uses too. Clearly they are not a must but if you can control some of the house functions from your pho
Re: (Score:1)
NAT is not security.
Unless you're the odd one who doesn't allow internet access to your intranet.
Or you're the really odd one with real IPs on your intranet, in which case, I hope you trust your firewall!
Re: (Score:3)
No, but it adds a considerable element of security. If you disagree with me then feel free to attack my PC via the internet, its IP address is 192.168.1.60
Re:Why do you need this stuff on the internet at l (Score:5, Funny)
No, but it adds a considerable element of security. If you disagree with me then feel free to attack my PC via the internet, its IP address is 192.168.1.60
Hey! How dare you use my printer as your PC. No wonder it takes forever to process and print a PDF file.
Re: (Score:2)
Hey! How dare you use my printer as your PC. No wonder it takes forever to process and print a PDF file.
And here I thought that was just because it was old and only has 2mb RAM in it...
Re: (Score:1)
I bought the domain localhost from a buddy. It works. The good news is that, for an extra $20, he configured it for me.
Re: (Score:2)
I wouldn't go as high as "considerable"... it adds one hop to "push" attack methods - an attacker has to take over your router. I'd put that somewhere between trivial and substantial extra security (non-inclusive).
Re: (Score:2)
Re: (Score:2)
If I decide to go out drinking and I'm out late, I can use my phone to tell my furnace to heat up my house before I get home. Normally it goes to 16C after 10pm, which is when I'm normally in bed. This way, when I get home buzzed / wasted, my house is nice and comfy.
Also the Honeywell controllers require fingerpoking to change outside of a subset of their normal range. I can't use remote to change outside of 4.5C to 32C... uh, okay, that's a little more range than I would have expected. Voice limits me
Re: (Score:2)
though in terms of security, a mechanical key is hardly inherently better than a digital one.
Well, at least random Russians would have to fly over here first, and get through the INS. At least they used to have to ...
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
I'm at work. The plumber shows up at my house at 10 a.m. I verify his identity and arrival with my front of house cameras. I talk to him remotely via the door intercom, disable the security alarm, and unlock the front door for him. I monitor his work and actions with my internal cameras and watch him leave. I remotely lock the door behind him and re-arm the security system. All the video is watched in a small window in the corner of one of my monitors, while I still get real work done. All without ha
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
What, and miss an opportunity to telecommute?
Re: (Score:2)
Re: (Score:1)
Similar to my question. I don't understand how these things are on the internet - what does that mean? I haven't been able to find technical details.
If I have a basic home firewall (e.g. Netgear) - with uPNP disabled - are these things on the "internet?" Are these devices found via portscan?
I went through this when looking at baby monitors. I only want to use them in my house - on the local WiFi. Are these things tunneling out to "the cloud" and are accessible through another channel? Can they be b
Re: (Score:2)
I can imagine a few good reasons *IF* security is tight enough. For example, many people don't know in advance when they will return home. It might be nice to bump the heat up or the AC down when they're on their way. Some people get 'lock anxiety' when they are out (OMG, did I forget to lock the door). Now they can be sure.
The key is to make sure it is secure. My preference would be a firewall rule on the router that allows me to ssh to a designated box that then allows me to control the home systems. Make
Re: (Score:2)
Welcome to the Internet of Things (Score:4, Funny)
Please upgrade (Score:3)
Please upgrade to my patented Honeypot Home Controllers.
Amateur level fail (Score:5, Interesting)
"The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page."
You'd think that a company like Honeywell would know better about security, especially as they have a whole cyber security division...
This is like the pages that had a crappy javascript password which you could read by seeing view source, if you knew the keyboard shortcut (right click would be blocked on javascript).
Mistakes an amateur would make.
Re:Amateur level fail (Score:4, Interesting)
"The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page."
You'd think that a company like Honeywell would know better about security, especially as they have a whole cyber security division...
I'm sure they don't see any reason to expend such resources on the consumer space.
That expertise is reserved for getting government contracts.
Re: (Score:1)
Re: (Score:1)
Need to start including USB keys (Score:5, Interesting)
When you get the device, plug the USB into the device and press a button. It would randomly generate a key and save it to that USB drive.
Now to connect anything to that device you have to plug the USB drive into it, transferring the password key,
Re: (Score:3)
How about adding a button on the device? To modify anything, you need to hold the button. And it's a momentary push button, not a switch, so the user can't leave it enabled.
Re: (Score:2)
How about adding a button on the device? To modify anything, you need to hold the button. And it's a momentary push button, not a switch, so the user can't leave it enabled.
That sounds too much like WPS. And we know how that came out.
Re: (Score:3)
Re: (Score:3)
And it's a momentary push button, not a switch, so the user can't leave it enabled.
Yeah, Scotch has a fix for that.
this Internet of Things is getting old (Score:4, Insightful)
New meaning (Score:5, Funny)
This brings a new meaning to "Honey, I'm home".
As in, the hacker is in your home via the Honeywell Home Contr... yeah ok never mind.
Re:New meaning (Score:4, Funny)
Also a new meaning to Homeowners :D
Re: (Score:2)
It's actually "Hello, thermostat." "I'm home."
"Okay"
IoT? (Score:4, Funny)
More like Internet of Trash.
We've now advanced enough to consider X10 to be better than the new technology.
unlocking doors or modifying the climate controls (Score:1)
Does it feel warm in here? [ew.com]
Does this surprise anyone!? (Score:2)
I still don't get why people do not assume this is the case by default. While being far from a networking guru, this is what pushed me into learning about how to configure VLANs and OpenVPN so I could put these things into appropriate jails. While I don't doubt I have made errors in configuring the firewall for outbound traffic, it is at least better than nothing, and what testing I can think to do seems to work.
Ubiquity might be able to make some money with a security appliance that automates and simplifi
Re: (Score:1)
Common problem across industry (Score:5, Interesting)
As someone "in charge" (Systems Architect) of how many of our product lines are secured on the network (obviously not Honeywell), most people in the field would not believe how much time I waste explaining to people over and over and over again that I will not "simplify" the authentication protocols by getting rid of (strong security practices) just because we use SSL. It's an ongoing fight to keep things strong against a thousand little pushbacks from developers, product management, marketing, sales, and legal. Posting anon as it's still in progress, comes up at least once a week.
Regulation needed? (Score:2)
I think that security in the consumer sphere is worth having (for our society as a whole) even if nobody (in the market) wants to do it.
So I was wondering if this (security for electronic equipment that co
Re:Common problem across industry (Score:4, Interesting)
It's sad but I fight the same battle almost every day regarding safety systems in factory automation. There are specific regulations and best practices that we have to follow in order to determine that a machine is safe for an operator to use, and it falls under the heading of "big E" Engineering, as in the type you need to have a license to certify. We put a lot of effort into making the machine provably safe, but we also have to make it recover nicely from an abrupt shutdown if someone opens a guard door, etc. Everyone from management, to the engineering staff, to the operators themselves who use the equipment constantly gripe about how much effort we have to put into the safety systems, even when it's their own life that's at risk. Almost every discussion involves someone saying, "why can't we just tell people not to stick their hand in the machine?" The answer, of course, is that the rules are different for a machine that starts and stops automatically, than it would be, e.g., for a table saw or a drill press with an on/off switch. The rules are different precisely because people do stick their hands into machines that are stopped. Engineers are professionals who accept people as they are, not as we wish they could be.
Really we could solve the security problems in "IoT" devices by applying the same strict Engineering principles that we do to safety systems in factory automation. You would do this by functionally separating the part of the system responsible for security from the rest of the system, having certified parts that you can purchase that are rated to various industry best practice security standards, and then having a licensed professional engineer review and sign off on the design. Guess what though... it would cost more money. However, I believe there are certain products, where there's a risk to the public, that should be legislated to require this kind of certification.
BSG had it right: Safe Network = No Network (Score:3, Insightful)
I have a hard time thinking of anything more obvious than the fact that "smart " are technology security disasters waiting to happen. With the current architecture of the internet and networking from the top down there is nothing truly safe. Especially consumer grade at home tech built with technology plebeians in mind.
Call me old fashioned but I see enough at work and stories online every day to commit to keeping my home, appliances, vehicles, and anything else possible off the internet.
Re: (Score:1)
Re: (Score:1)
You are confusing nerds with geeks. Nerds may not watch television at all. Geeks watch BSG, pretend to be nerds, and bite the heads off chickens.
Re: (Score:2)
As long as you are not storing all the security clearance info for the United States in your smart thermostat, I think it will be fine. The Chinese will be able to mess with your temperature and turn on and off your lights with impunity. They can probably also try to unlock my doors during the brief periods of time when my wife hasn't already left them unlocked.
I would love to see these devices be better secured, but I think the reason they aren't is *because* of the lack of potential harm that is possibl
No shit ... (Score:3)
Wow, you mean commercial products designed to connect to the internet have absolutely crap security?
Well, color me fucking surprised and shocked.
No, wait, the other one .. where I point out these companies are either incompetent or indifferent to security, have no penalties or liability, and have products rushed out the door by asshole CEOs and marketing people who don't give a damn about security.
This is precisely why I look at pretty much every damned product which wants to connect to the internet, or has an app for your smartphone and think "oh hell no".
Trusting this shit is idiotic, and quite frankly, I'm beyond the point of sympathy for people who buy this shit. It's insecure so that it can be convenient. Pretty much at least weekly we see an entire class of products has pretty much zero security. And we're a long way away from being able to trust them.
Just stop buying this crap.
Re: (Score:2)
I'm beyond the point of sympathy for people who buy this shit.
You have rather high expectations of the average consumer. They see, say, an IoT light bulb. The box says they can control it with their smartphone, and that it's "secure". Just like their car claims to be safe, that the milk they drink says it's safe, like the anti-tamper seals on bottles are supposed to be secure.
People can't be experts on everything. They probably had to have their ISP set up their router for them, and have no idea that they even have a home network. It's not their fault, it's our fault. W
Re: (Score:2)
You know what, I don't ... I have exceedingly low expectations of them. I simply don't give a crap any more if people buy this stuff and get hacked.
I tell people I know about the risks, the rest I stopped caring about.
And for that, I lay the blame squarely at the feet of corporations for not giving a damn, and lawmakers for not holding them accountable.
Yes, I k
Re: (Score:1)
Nothing is hack proof if it has a connection. Nothing... Not one thing ever.
Well... (Score:2)
Hack or feature? (Score:4, Interesting)
The thing has an entire API unauthenticated to whoever is able to connect to it (https:///system_http_api/).
It's well documented that the point is not to have these things port-forwarded on your router but to be controlled through their proprietary gateway which comes with a monthly fee. Sure you can surf to it on your local network but that's more of a convenience and a lot of features the API exposes are not in the GUI.
The controller accessible from the Internet (Score:2)
So, yet another demonstration of the dangers of putting an embedded web server on the device. All so that they can be advertised as easily configurable through a browser and the end user won't have to read an instruction booklet.
It is easy to identify (Score:2)
Honeywell (Score:2)
Honeywell, never again be afraid of not finding somebody who will open the door for the contractor when you're at work.
With our system, anybody with access to Google can open your front door.
Also, not only will you be able to see the babysitter masturbating, the other 7 billion people will be able to watch too.
but ... but ... (Score:2)
already patched (Score:1)
This initial vulnerability was identified by Honeywell over 6 months ago and a patch was available and distributed shortly after. The recently reported vulnerability is also patched. http://www.tuxedotouchtoolkit.... [tuxedotouchtoolkit.com]
It does call into serious question about the reasonable approach of making every aspect (security, appliances, climate control, entertainment, etc...) accessible, controlled, and vulnerable to network attacks. It is no longer just a concern of having a wireless access point in your home - it i