Home hubs are a double-edged sword when it comes to security. They let you access any device in the home. At the same time, anyone who breaches the hub’s security can also do the same. This makes a central hub key in defending a smart home, as a compromised hub is a critical flaw in any setup.
Unfortunately, ESET IoT Research has recently found that three home hubs have severe security flaws. As such, owners of these home hubs should consider updating or replacing their devices as soon as possible.
Which Home Hubs Are Affected?
As mentioned in the news report, the affected hubs are the following: the Fibaro Home Center Lite, the Homematic Central Control Unit (CCU2) and the eLAN-RF-003.
Fortunately, the authors of the report also informed each manufacturer of this weakness, and each one has released updates to patch the flaw. As such, if you own any of the aforementioned devices, please ensure it gets a firmware update as soon as possible.
What Flaws Were Discovered?
The flaws weren’t uniform across the devices; each hub had its own set of problems.
Fibaro Home Center Lite Vulnerabilities
For the Fibaro, the research team found multiple flaws. One of them was the ability to create an SSH backdoor on the home hub and use it to control the hub remotely.
Fibaro stored encrypted usernames and passwords in a database that hackers couldn’t see. However, they could delete the password and replace it with their own.
The home hub also used outdated encryption to store the root password for accessing the admin panel, which was the same for all Fibaro devices. As such, once hackers broke the encryption by brute force, they had access to the password.
Homematic Central Control Unit (CCU2)
For the Homematic, researchers found a way to execute code at the root level on the home hub. This meant a hacker could do anything they liked with the hub, including controlling connected devices.
The researchers discovered that they could change the root password, enable SSH, and start an SSH daemon to establish a connection.
eLAN-RF-003
Unfortunately, the eLAN had some very glaring faults that made it past testing. For example, the webpage GUI uses HTTP instead of HTTPS, meaning snoopers could read the data being transferred.
It would also accept commands without requesting the user’s login credentials, so an attacker needed no username or password. If the hacker did want the credentials, they could trick the hub into handing them over.
The Importance of Smart Hub Security
As you can see, these flaws are pretty worrying. If a hacker did manage to get their hands on a device via the above methods, they could use it to cause a lot of trouble.
This is the reason consumers should ensure they’re buying only the most secure products on the market and practice safe usage of said products.
In the past, we’ve seen home cameras hacked and smart bulbs used as launchpads for further attacks. These were bad enough – if a hub was attacked instead, the damage could have been far worse.
Staying Safe With IoT
Given the recent reports of crippling weaknesses in the above home hubs, owners should either update them as soon as possible or replace them with different hubs to prevent a security issue. This news is another reminder of how important IoT security is and why standards are important.
In light of these attacks, now is a great time to learn how to secure your IoT devices.