Insteon' False Security And Deceptive Documentation

Presented at DEF CON 23 (2015), Aug. 7, 2015, 1 p.m. (60 minutes)

Insteon is a leading home automation solution for controlling lights, locks, alarms, and much more. More than forty percent of homes with automation installed use Insteon.

For the last fifteen years, Insteon has published detailed documentation of their protocols-documentation that is purposely misleading, filled with errors, and at times deliberately obfuscated. As my research over the last year has revealed, this sad state of affairs is the direct result of Insteon papering over the fact that it is trivial to wirelessly take control, reprogram, and monitoring any Insteon installation.

Worse still, the embedded nature of the Insteon protocol coupled with devices that do not support flash updates means that there are no current fixes or workarounds short of ripping out the Insteon products.

I will be presenting my research, and releasing tools demonstrating the vulnerabilities throughout the Insteon home automation system.

Presenters:

• Ryan Gooler
  Ryan Gooler (@jippen) is a cloud security guy, known for luck, sarcasm, and getting into things. Avid lockpicker, lover of cats, and disrespector of authority.
• Peter Shipley - Security Researcher
  Peter Shipley has been working with security for over 30 years. In the late 80's he wrote one of the first network security scanners and maintained one of the first bug databases ( later used to seed similar lists at CERT and llnl.gov ). Around the same time Peter co-founded UC Berkeley's OCF (Open Computing Facility). In the mid 90's Peter Shipley became a founding member of cypherpunks & setup up one of the first official PGP distribution sites. In '98 (DEF CON 6) Peter Shipley did a independent security research on war-dialing, exposing a significant security problem that was being ignored in most corporate environments making phone security. At DEF CON 9 Peter Shipley introduced wardriving to the world. Recently Peter has written and released several APIs using python to link various networked automation appliances via REST and other interfaces. Peter Shipley currently manages for a dot-com by day, and helps raise two kids by night.

Links:

• https://defcon.org/html/defcon-23/dc-23-speakers.html#Shipley
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 slides/DEF CON 23 - Peter Shipley - Insteon - False Security and Deceptive Documentation - Slides.mp4
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video/DEF CON 23 - Peter Shipley - Insteon - False Security and Deceptive Documentation - Video.mp4
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 slides/DEF CON 23 - Peter Shipley - Insteon - False Security and Deceptive Documentation - Slides.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video and slides/DEF CON 23 - Peter Shipley - Insteon - False Security and Deceptive Documentation - Video and Slides.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video/DEF CON 23 - Peter Shipley - Insteon - False Security and Deceptive Documentation - Video.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video and slides/DEF CON 23 - Peter Shipley - Insteon - False Security and Deceptive Documentation - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=dy1LTQLmPtM

Similar Presentations:

• DerbyCon 1.0 (2011) / Pentesting over Powerlines
• Black Hat USA 2013 / Honey, I'm Home!! - Hacking Z-Wave Home Automation Systems