How not to implement smarthome security – Connected A/C

December 17, 2017 1 comment

Recently I added a few Mitsubishi minisplit A/C systems to my home and because I travel a lot (and I’m incredibly lazy) wanted to be able to control them from my phone (and the couch). I’ve had previous history with the Honeywell RedLink system (which requires yet-another-hub) and was pleased to find that mini-splits with native wifi connectivity are available.

My installer had never set up such “new” technology so this week he arrived with a number of tiny plug-in boxes, and the installer training video to connect up my units.

Halfway through following the steps on the video, the app presents us with an “Enter Installer Pin” challenge – cool I think, “some security at least to stop…”

what exactly?

I’ll get to that topic later – but needless to say, the pin wasn’t mentioned in the training video, nore the one-page install guide in the package.

Never to be defeated, I turn to my trusty advanced hacking toolkit and universal IoT password finder..

google.com

A search for “Mitsubishi installer pin” yields some helpful results – one, in particular, catches my eye, since it’s hosted on that vendor’s support URL

Here’s a picture of the result – note how helpfully they put the pin in bold text!

Installer Pin

So strike one and two for this vendor –

  1. never use a fixed pin, for anything!
  2. never print your passwords, especially not in public-facing documentation

I’ll let the 9999 pin pass, given it’s not in the top 10 of most common pin codes (it’s #11) – http://www.datagenetics.com/blog/september32012/

So, back to the question of what exactly the installer pin is protecting? Mostly, it’s protecting the homeowner from adding a new unit to their online account, and it’s protecting them from being able to re-link a unit if for some reason it loses connection. In my case, there were no “dangerous” options I could mess around with – and reading the documentation, it seems that the installer protected options are really a crutch for a system which should be able to learn for itself what options are present and configure itself automatically.

So for me, the “installer pin” protects my installer, otherwise, I’d be able to configure my A/C unit without him. He’s a nice guy, but I don’t want to be scheduling a site-visit every time I change my wifi password.

This seems to be a trend within the Air Conditioning industry – for example, Honeywell’s Redlink Gateway (which is effectively plug-and-play) also should only be installed by a “trained experienced service technician” – at least with these gateways the PIN is unique and printed on the bottom of the device.

As an aside, the Honeywell VisionPro Thermostat also has installer-only options protected by a code, which also is printed on the back of the clip-on device. But if you’re REALLY lazy and don’t even want to unclip it, there’s a menu option on the screen which will helpfully tell you the code.

Believe me – The Redlink gateway takes 30 seconds to install and configure, and you don’t need any “AC training” to understand how to link a thermostat to a mobile app.

Honeywell Redlink Gateway Pin Code

I’m not very tolerant of this kind of “protectionist” behaviour – how many people paid a few hundred dollars for someone to plug in a hub, or “add” their minisplit head unit to their online account – things which require no expertise, have no risk, and generally should be automatic?

How successful would Nest have been if it required a service call to install?

Did you pay for someone to add a trivial IoT device to your home? Comment below.

Advertisements

Buying or selling a smarthome? Watch out for amnesia!

November 10, 2016 Leave a comment

Moving, 1988 - Richard Prior

With everyone, including Realtors talking about “smart homes” I’m not sure there’s anyone who’s involved in a home transaction who’s not aware that “smartness” is a compelling selling feature.

So much so, that the realtor company Coldwell Bankers teamed up with CNET a few months ago to define exactly “what a smart home is” – some criteria their members can use to decide whether your home is worthy of the title.

Simply, they define a smart home as one with internet-connected HVAC or security, plus something else, like connected lighting, audio, watering systems or safety systems.

Yes, a home with Sonos music and a Ring doorbell would be considered smart.

The problem is – much of the current generation of consumer smart technology is likely to be taken by the previous owner when they vacate. Read more…

Categories: SmartHome

It be that time o’ year again – 19th September, International Talk Like A Pirate Day

September 19, 2016 Leave a comment

2000px-flag_of_edward_england-svgWell ye scurvy land-lubbers, it’s that day again – t’ infamous Parlay Like A Pirate day.

http://talklikeapirate.com/

Tho’ its origins be clouded in mystery (well, unless you visit the website anyway) It’s become a globally celebrated phenomenon.

So much so that I be inclined t’ see how fast I could code up one o’ my infamous VBScript classes t’ help yonder less able translate their words.

Here it be in its full glory – yonder incredible, 17minute VBScript pirate speak class.

Read more…

Categories: Everything Else Tags:

SafeSkies TSA Master Key reverse engineered

July 25, 2016 Leave a comment

tsa-master_keys-travelsentry_xmas-2-100673378-large-idge

Another of the seemingly secure “TSA” approved luggage locks has fallen to good old fashioned reverse engineering.

According to SafeSkies Locks writer Steve Ragan, the key and the story behind how it was reverse-engineered using a number of store purchased locks was disclosed at a lockpicking conference.

If you remember, in 2015 a large number of TSA master keys became available after a picture of them was shared online, leading to the lockpicking community demonstrating how easy it is to convert an image into a working key. Now you can find the 3D files online to print your own.  Read more…

Categories: Everything Else

Realtors define “smart home” – but there’s a catch.

July 19, 2016 2 comments

Coldwell Banker teamed up with CNET to define what a smarthome really is – but they didn’t pay any attention to what is in my opinion the most important fact to smarthome buyers.

What technology is transferred to the new owners? 

Their examples include very transitory things, like smart TVs and entertainment systems which you would normally expect to leave with the original owner.

And, they don’t cover the difficult process of how exactly do you transfer control of permanent things like your HVAC system to new owners? Do you give them your user name and password? Can they even set a new user name?

For the more complex integrated systems – is it even possible to transfer control over without giving them “your account”? – after all, you don’t want to move into your new smarthome and find you have to set up all the automation again.

Of course for the original owner, if you give someone your account – are you able to set up a new one for your new home? Does the new owner get to see all the logs from your residence?  Read more…

Categories: SmartHome Tags: ,

NY State vs Microsoft – Part 5

July 17, 2016 Leave a comment

(You can find the previous part 4 of this topic here)

This week there was another progression in the infamous and long running Microsoft vs State of NY case – the one if you remember where the New York, USA court is demanding that Microsoft Ireland aquise to a subpoena issued in the USA.

Well this week the Second Circuit court of appeals agreed with Microsoft USA that the USA had no jurisdiction over assets within Ireland:

§ 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign server.

A great writeup of the case can be found at Lawfareblog.

This case can still be raised to the Supreme Court, but since there are other legal methods for the USA to request the assistance of the law authorities in other countries, the door is finally closing on trying to impose domestic law on USA companies with assets in other countries.

The current global data economy and the 1986 Electronic Communications Privacy act are woefully out of step, but this decision is the right one to support the global technology industry.

After all – if a court in the USA can compel the release of data from Ireland, surely a court in China can compel the release of data stored in the USA?

 

Smarthome Survey Shows Safety Is No.1 Concern

March 31, 2016 Leave a comment

Smart Home Survey
After surveying nearly 10,000 individuals crossing every continent, it’s obvious that concerns around personal data are the most pressing issue in adoption of smart home technology – more than 90% of people had concerns about cybersecurity.

People also had strong opinions on how things should be secured, with passwords being the most disliked option. It seems the future smart home will use fingerprints, voice and even eye scans instead.

Despite these concerns though, people are generally positive about “smarting up” their living spaces – 75% of participants expect to see real benefits, and were especially interested in smarter lighting, kitchen appliances and heating systems.

And, driving good design, 82% of our participants wanted “a single integrated security package” – another reason for the smarthome industry to drive towards consolidation.

You can find more information in the Atlantic Council smart home report, at http://www.atlanticcouncil.org/publications/reports/smart-homes-and-the-internet-of-things

Categories: SmartHome Tags: ,