Security holes in the 3 most popular smart home hubs and Honeywell Tuxedo Touch

A security researcher found zero-day holes in the “brains” of the three most popular smart hubs sold on Amazon. CERT also warned users to update Honeywell Tuxedo Touch controller firmware.
At the 2015 Intelligent Defense European Technical Research Conference in June, Tripwire security researcher Craig Young presented Smart Home Invasion and revealed zero-day flaws in the “brains” of Internet of Things platform hubs such as SmartThings hubs, Wink hubs, and MiOS Vera. The Wink and Vera products “contained critical remotely exploitable flaws.” Young warned that “if not addressed, smart home flaws can give rise to a new type of ‘smart criminal’ able to case victims without being seen. Once a target is chosen, it is possible to unlock doors and disable security monitoring.”

According to Tripwire’s Smart Home Invasion video, Young performed a security assessment on the three best-selling smart hubs on Amazon; he found all three to have critical security flaws that could “lead to unlocked doors and unsolicited access into a person’s home network.”

Young explained:

Access to home hubs can not only let the burglar enter your home without tripping alarms, but it also gives them access to a wealth of information about when people are at home and where they might be in the house. Connected devices like motion sensors and cameras give a clear picture of what’s going on within the house, but even information like when the garage door is opened each day or when lights are turned on and off exposes aspects of a target’s schedule. In effect, this opens the door for prospective thieves to case targets from the comfort of their secret lair.

The threats are not limited to local burglars and thieves either. Compromised Internet nodes have intrinsic value for hackers looking to disguise the source of attacks or simply steal bandwidth. As with the many other embedded devices that comprise the Internet of Things, attackers will naturally be looking to attack these systems and install backdoor software for use in spam and DDoS campaigns. These types of attacks can lead to increased Internet costs via bandwidth overage charges while also exposing internal devices to further attack.

“Vulnerable versions of Vera and Wink could be attacked through HTTP requests,” Young added. “These requests may come from a malicious web page (as demonstrated at IID on the Vera), a phone app on the LAN, or a malicious user on the LAN directly connecting to the vulnerable device. In the case of Vera, the attacker can directly supply commands to run on the Vera’s embedded operating system. In the case of Wink, the attacker would inject SQL commands to trick SQLite into creating a PHP script on the device. A subsequent request can then trigger execution of the PHP code with root permissions.”

The SmartThings hub had the least serious vulnerability, as it was vulnerable to improper certificate validation. The holes in both SmartThings and Wink were patched, but that means the user must apply the patches. In the case of SmartThings, a mandatory update was pushed out in February. A spokesperson said, “Any inactive hub that was not updated cannot connect to the SmartThings service and is automatically redirected to an update server.”

Screenshot from Tripwire’s Smart Home Invasion video (image: Tripwire).

Keeping firmware up to date, connecting your devices to their own separate network, and removing HTTPS access were suggested by Tripwire as best practices to reduce vulnerability. “HTTP interfaces expose a very large attack surface and should be isolated from untrusted nodes or disabled if possible.”

CERT warns users to update Honeywell Tuxedo Touch controller firmware

Honeywell’s tagline for Tuxedo Touch is “Smart home. Safe home.” But if a product has “horrible” security holes, then “safe” doesn’t seem true. Cure53 security researcher Maxim Rupp is warning how “remarkably simple” it is for anyone to access another person’s “Honeywell Tuxedo Touch web interfaces, used to control all connected parts of the home, including cameras, thermostats, lights, locks and shades.”

Last month, Rupp told the world that hundreds of solar lighting systems and wind turbines were vulnerable to hacking. ICS-CERT then released an advisory for Sinapsi eSolar Light plaintext password vulnerabilities, for a cross-site request forgery (CSRF) vulnerability in XZERES 442SR wind turbines, and for an insecure credential vulnerability in the RLE Nova-Wind turbine. On Friday, July 24, CERT warned Honeywell users, “Compromised Tuxedo Touch Controllers may be leveraged to operate home automation devices, such as unlocking or locking doors.”

Honeywell Tuxedo Touch controller (image: Honeywell).

Regarding Honeywell, Rupp told Forbes that attackers could exploit a CSRF vulnerability by sending a link to a Honeywell user that would allow the attacker to launch actions on Tuxedo Touch so long as the user was logged in.

“Weak authentication” is a more serious vulnerability in Honeywell, as Rupp warned that:

an attacker could send a request to a specific page on the Tuxedo Touch interface, such as the one used to lock the doors, and when the device asked for a username and password, the attacker could simply ignore the demand (by intercepting and dropping requests containing the string “USERACCT=USERNAME:_,PASSWORD:_,”) and access that page. As it’s possible to browse the web for Tuxedo Touch devices to detect the related web interface, anyone could easily find and attack a Honeywell-powered home where patches haven’t been applied.
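Both Tuxedo Touch weaknesses described above, the CSRF link and a credential prompt the client can simply never answer, come down to the server not deciding authorization itself on every request. The following is an added illustration, not Honeywell's code and not a model of the device's real implementation: a hypothetical controller handler that serves the protected page and leaves the credential prompt to the client, beside one that checks a server-issued session and a per-session CSRF token on each protected request (paths, users and the in-memory session store are constructed for the example).

```python
import hmac
import secrets

# Constructed data for the illustration; paths, users and the store are assumptions.
PROTECTED = {"/lock", "/unlock", "/cameras"}
USERS = {"owner": "correct horse battery staple"}
SESSIONS = {}  # session token -> {"user": ..., "csrf": ...}


def login(username, password):
    """Issue a session token only after the password is verified on the server."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return token


def handle_weak(path):
    """Model of the weak pattern from the article: the protected page is served
    outright, and the username/password prompt is a separate follow-up request
    that the client is trusted to send. A client that never sends it still gets
    the page, so the prompt protects nothing."""
    if path not in PROTECTED:
        return 404, "not found"
    return 200, "page served; credential prompt left to the client"


def handle_strict(method, path, session_token=None, csrf_token=None):
    """Hardened pattern: authorization is decided on the server for every
    request, from a session the server itself issued. State-changing (POST)
    requests additionally need the per-session CSRF token, so a link planted
    on another site cannot act with the logged-in user's browser."""
    if path not in PROTECTED:
        return 404, "not found"
    session = SESSIONS.get(session_token)
    if session is None:
        return 401, "authentication required"
    if method == "POST":
        if csrf_token is None or not hmac.compare_digest(session["csrf"], csrf_token):
            return 403, "missing or invalid CSRF token"
    return 200, "ok"
```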

CERT advised users to patch these holes by updating to the latest version of Honeywell’s home automation kit. Honeywell told users to download the new software onto an SD card, then use the SD card to update Tuxedo Touch firmware.

Copyright © 2015 IDG Communications, Inc.