Proprietary home automation platforms spring security leaks

1 September 2013 by Steve Blum

Open source makes it harder to open doors.

The open source versus proprietary platform debate is moving into the home automation sector. Z-Wave is a proprietary protocol for wirelessly managing home devices, including locks, sensors and security cameras. It’s been hacked by two network security professionals who wanted to see if it’s really as secure as advertised.

It is and it isn’t.

Behrang Fouladi and Sahand Ghanoun took over a Z-Wave motion sensor using an idiot-simple trick – intercept a wireless command, record and replay it – and defeated a lock with only a little more effort. They didn’t say which one they electronically picked, but from the description I’d guess it was a Yale Z-Wave lock.

However, the exploit didn’t seem to rely on a vulnerability of the core Z-Wave protocol. Instead, it appears that the manufacturers were lazy in the way they implemented it. It’s hard to tell, though, because Z-Wave specs aren’t published.

Which is where the debate begins. Keeping the details as secret as possible means the bad guys have to sit patiently and take one guess after another as they try to crack the protocol. Which many are willing to do. Publishing the details – which doesn’t mean giving it away for free – gives the good guys a chance to comb through the code and find weak spots.

The classic example is proprietary Microsoft Windows versus open source Linux. Historically both have had vulnerabilities, but any problems with Linux have been quickly found and fixed, while Windows has fallen prey to countless attacks. The Linux community reliably treasures people who find problems and tell the world; Microsoft’s response is unpredictable.

The commercial advantage to a proprietary system is that the code is an asset and investing in developing and marketing it can bring a big return on investment – that’s how Bill Gates became the richest man on the planet. On the other hand, given an even start, open source operating systems can be quickly adopted and enthusiastically backed by manufacturers and service providers. That’s why Android is the world’s dominant smart phone platform.

Home automation has been held back by its reliance on proprietary technology and attempts at vertical control of the market. Removing the mystery and attaching familiar brand names will build consumer comfort and confidence, and reduce confusion. What this market sector needs is an open source platform nurtured by geeks and productised by mainstream manufacturers.