Aside from providing broadband for home-automation systems, the so-called X10 and Z-Wave broadband-over-power technology is also used in businesses and process-control environments, exposing all communications over those protocols, says David Kennedy, who developed the open-source Social-Engineer Toolkit. "They are being widely used in businesses and a lot in access-control systems," he says. "We need to bring more exposure to this attack vector."
The tools -- which are now part of the Social-Engineer Toolkit Version 2.0 -- include the X10 Sniffer and X10 Blackout devices. The X10 Sniffer detects which devices are on the broadband power network, and can even track the movement of people in the house or office. The devices plug into a nearby outlet, such as one at a neighbor's home or an outside outlet on the building.
Kennedy and Simon also are putting the final touches on a single X10 hacking tool that both sniffs and disables lights or other devices via cell phone. The tool would allow an attacker to send a text message ordering a light to be turned on or off, or to jam or disable all systems running on the home-automation system.
"You could plug it into the next-door neighbor's outlet or at the [target] house, and it has sniffing and jamming capabilities," Kennedy says. "It sends you a text message saying these are all of the devices, and then you can send the device a text message with a 'kill' command."
The tool, which will be released within the next couple of weeks, also provides information on which device is turned on, or whether a window sensor is tripped, for instance, Simon says.
"All we have to do is walk up to the house, plug the device in, and it turns the lights out, none of the sensors work, and we walk out," Kennedy says.
The broadband-over-power hacking tools contain the so-called Teensy microcontroller device, programmed to emulate a keyboard, and an SD card soldered onto the Teensy.
The underlying problem is that X10 technology, which is also used for HVAC systems, motion sensors, electronic door locks, and cameras, has no encryption, so data is sent in the clear.
Kennedy says Z-Wave broadband-over-power technology supports AES encryption, but he and Simon have yet to find any devices that actually implement it. "It's possible to sniff those encryption keys when initializing the devices and inject packets," he says.