Hacking Homes Through The Power Lines
X10 is a communication standard for communicating between home automation devices. It is primarily used over power lines, providing brief frequency bursts to initiate, for example, On and Off controls. At this year's DefCon, researchers showed how X10 can be manipulated by a remote third party.
Researchers Dave Kennedy and Rob Simon from SecManiac built their own devices, starting with something called the Teensy, which has been used previously to manipulate remote mice and keyboards. Using the programmable Teensy as a base, the duo created two new tools, the X10 Sniffer and the X10 Blackout.
The researchers demonstrated the Sniffer and Blackout devices they designed that plug into a power socket inside or outside a house or even into an outlet in a house nextdoor, since signals can leak out from a house and carry for some distance. Kennedy said that while testing one of the devices from his house in Ohio, he picked up signals from home automation systems belonging to 15 neighbors.
The tools need to be preprogrammed with commands the hackers want to send. For example, the tools can be preprogrammed to send a jamming signal if a security system is triggered by someone opening a door or window. This would prevent an alarm from sounding and alerts being sent out to police and the property owner. The researchers are working on a GSM-enabled tool that would allow attackers to receive sniffed data remotely to their cell phones (currently the sniffed data is written to external storage) as well as send commands in real-time back to the tool via text messaging.
Thieves could monitor a house to determine when the occupants are generally gone based on signals indicating when lights are turned off, doors and windows are closed and the alarm system is enabled. Then they could send out jamming signals from the tool to disable motion sensors and alarms before breaking into the house. They could also completely fry the system by overloading it with rapidfire commands, though Kennedy acknowledged that this could potentially cause a fire.
The duo demonstrated the security of the X10 (60 Hz, non-encrypted, either wireless or over powerlines) vs Z-Wave (900 MHz, encrypted using AES), another communications standard used for home automation. While they said Z-Wave systems are more secure, they hoped to have a Z-Wave sniffer out soon
The researchers also mentioned but did not expand upon other choices for home automatic communication such as Crestron, Lutron (433 mhz), Zigbee (2.4ghz, 915 MHz, and 868 MHz), and Insteon, citing that in some cases these are proprietary systems.