C4 Forums | Control4

Security of Control4 System


joed


Please guys - I agree more security = nice ... but it's not really necessary. Your arguments aren't really valid - do a little research on hacking and hackers and you'll see clearly what I'm talking about.

I have been in networking for 12 years and focusing on security for 8. I don't claim to have all the answers, but I do think I have good questions. I also agree that the level of security should be consistent with what you are trying to secure. In my opinion my home automation system should have more security than I currently see in C4. That is why I started this thread.



The joke is on you, I haven't aired up the tires on my Huffy in years! :)

My parents apparently didn't like me enough to get me a Huffy. I think I had a Royce Union. Given that www.royceunion.com is available, I'm guessing the brand didn't do so well . . .


Shawn, per my post above, if I were a bad guy I'd find it far more interesting to write malware that affected people's actual terrestrial lives than something that just moved around bits on their computer.

Hackers aren't in it these days for 'interesting'. If it doesn't make them money (i.e. allow them to set up a bot-net for scamming and/or receiving the 'offers' HTML people click on), it's much less interesting. Most hacking (Windows PCs mostly) is all about controlling that computer for fraudulent purposes.

RyanE


You forgot that they could also raise and lower your temperature :)

Bzzt. Thanks for playing.

My thermostats are Aprilaire Communicating thermostats that communicate to the controller over a serial RS485 link.

:)

RyanE

But when they log into your controller with passwords then they do whatever they want :) You have changed your controller's password...right?


Shawn, per my post above, if I were a bad guy I'd find it far more interesting to write malware that affected people's actual terrestrial lives than something that just moved around bits on their computer.

Hackers aren't in it these days for 'interesting'. If it doesn't make them money (i.e. allow them to set up a bot-net for scamming and/or receiving the 'offers' HTML people click on), it's much less interesting. Most hacking (Windows PCs mostly) is all about controlling that computer for fraudulent purposes.

RyanE

Did you check out the link I posted before? Once someone knows the password to a device on your network there are plenty of ways to profit, none of which involves turning your lights on and off.

Plus who would think to run a virus scan on your controller? It would be the perfect place to hide and do bad things.

The fact that very few people sees this as a concern really bothers me.

Oh well.

- joe


I have been in networking for 12 years and focusing on security for 8. I don't claim to have all the answers, but I do think I have good questions. I also agree that the level of security should be consistent with what you are trying to secure. In my opinion my home automation system should have more security than I currently see in C4. That is why I started this thread.

I don't think anyone disagrees with the need for the additional security within any system. Additional security is always good, unless it significantly impinges on the utility of the system.

Control4 continues to improve in that area, and will continue to in the future. Security is certainly a topic that is discussed within Control4.

That said, you (or your dealer) can already take steps to increase the security of your setup, by enabling SSH and disabling telnet on the controllers, changing the password on the controllers, and securing your network (routers, Wi-Fi, etc.).

At that point, if you've secured your Control4 system and your network as well as you can, the threat to someone hacking into your Control4 system and using it to break into your home is much less likely than that someone does a 'smash and grab' while you're not home, and leaves before the authorities get there, with the alarm going off or not, or watches you arm/disarm your system through the window from across the street, etc.

While I'm not discounting the possibility, many of the threats offered in this thread are 'Movie Plot threats'. It's more likely that if someone wanted to get in through my garage door, and they were determined, they'd wait around the corner of the house, and throw a 2x4 under the garage door as I'm driving off.

RyanE

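An added check for the two controller steps RyanE lists (SSH enabled, telnet disabled); this is example code written for this page, not anything from the thread or from Control4. It only observes whether tcp/22 and tcp/23 accept a connection on the addresses you give it and turns that into a finding per step; it reads no banner and sends no credentials. The address 192.0.2.10 is a placeholder, and the controller is assumed to run SSH and telnet on their standard ports.

```python
import socket
import sys

# Placeholder address (TEST-NET-1, not a real controller); pass the
# controller's LAN address on the command line instead.
DEFAULT_HOST = "192.0.2.10"
SSH_PORT = 22
TELNET_PORT = 23


def port_open(host, port, timeout=2.0):
    """True if a plain TCP connect to host:port succeeds within timeout.
    Nothing is read or written; this only observes what is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(ssh_open, telnet_open):
    """Map the two observations to findings: (severity, message) pairs,
    severity being 'high', 'medium' or 'ok'."""
    findings = []
    if telnet_open:
        findings.append(("high", "telnet (tcp/23) reachable: logins and the "
                         "controller password cross the LAN in cleartext; "
                         "have the dealer disable it"))
    if not ssh_open:
        findings.append(("medium", "ssh (tcp/22) not reachable: enable SSH so "
                         "administration has an encrypted path before "
                         "telnet is turned off"))
    if ssh_open and not telnet_open:
        findings.append(("ok", "SSH on, telnet off"))
    return findings


def worst_severity(findings):
    """Highest severity present; 'ok' for an empty list."""
    order = {"ok": 0, "medium": 1, "high": 2}
    return max((sev for sev, _ in findings), key=order.get, default="ok")


def audit(host):
    """Probe one controller address and return its findings."""
    return assess(port_open(host, SSH_PORT), port_open(host, TELNET_PORT))


if __name__ == "__main__":
    for host in sys.argv[1:] or [DEFAULT_HOST]:
        results = audit(host)
        print(f"{host}: {worst_severity(results)}")
        for severity, message in results:
            print(f"  [{severity}] {message}")
```

Run it from a machine on the same LAN as the controller; a host that answers on neither port may simply be firewalled from where you are probing, so confirm with the dealer rather than treating the medium finding as final.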

Did you check out the link I posted before? Once someone knows the password to a device on your network there are plenty of ways to profit, none of which involves turning your lights on and off.

Yes, and how did they get on my network?

RyanE


Did you check out the link I posted before? Once someone knows the password to a device on your network there are plenty of ways to profit, none of which involves turning your lights on and off.

Yes, and how did they get on my network?

RyanE

Through the Internet. If you join me now in the "Internet Connection Free Zone", you can get a monthly subscription of the magazine "Potato Farming Gone Wild".


Did you check out the link I posted before? Once someone knows the password to a device on your network there are plenty of ways to profit, none of which involves turning your lights on and off.

Yes, and how did they get on my network?

RyanE

The same way any other virus would get on your network....through a PC on that network.


To me two things are clear by now in this thread:

1) People who don't feel secure have all means to close the system as much as needed with the help of their dealer

2) For people who are less aware, C4 is working on making the system more secure 'out of the box'

Knowing that C4 puts a lot of effort in training dealers and making sure only these trained professionals install their solutions (here in Belgium they do at least), there doesn't seem much we can or should do more.

Naturally, in Europe we tend to count a bit more on the responsibility of individuals (end users and dealers), where in the States everything needs to be foolproof, or that is at least my impression.

Maybe a hint for C4 to avoid lawsuits: put a nice page with red text saying:

"please change the root password, disable telnet, secure your C4 network, don't swallow, don't drop on small children, cats or dogs and don't take it into the jacuzzi"

in each HC box.

Nobody will read it but C4 won't be liable in any way, and our European customers would recognize it as a truly USA-built system :D

Joachim


The same way any other virus would get on your network....through a PC on that network.

No, they won't. I haven't *ever* had an *infected* PC on my network, although I've certainly cleaned up enough of them on other people's networks.

I run my network secure enough to avoid that, and the only PC that runs Windows also runs virus scans and Firefox as its browser, with ads turned off.

Yes, it would be nice if Control4 had some additional security, but it's only one other layer of the onion.

RyanE


Shawn, per my post above, if I were a bad guy I'd find it far more interesting to write malware that affected people's actual terrestrial lives than something that just moved around bits on their computer.

Hackers aren't in it these days for 'interesting'. If it doesn't make them money (i.e. allow them to set up a bot-net for scamming and/or receiving the 'offers' HTML people click on), it's much less interesting. Most hacking (Windows PCs mostly) is all about controlling that computer for fraudulent purposes.

RyanE

I gotta say, guys, this is all getting a little silly. Apple in fact just recently began suggesting their users run multiple antivirus and antimalware programs (http://voices.washingtonpost.com/securityfix/2008/12/apple_mac_users_should_get_ant.html) so the "Windows is the only virus platform" myth is dead. And there are literally millions of viruses out there which serve no commercial interest whatsoever. They're created either to annoy people (an end in itself if you're antisocial) or to demonstrate the coder's prowess. Do you really think nobody's ever going to be interested in being the first coder to write an HA worm? Please . . .


Just because the system *can* be secured doesn't mean its current state reaches an appropriate level of security. For example, a number of the things being suggested are things which 99% of dealers are not doing and which end users can't do with Composer HE. Telnet, for example. Can I change that password with Composer HE? Since dealers aren't changing them, and since users can't change them or disable telnet, why not turn it off by default, or require a password to be assigned?

The gist of the anti-security posts here seems to be that it's not that likely anyone's going to want to mess with someone's $15,000 ~ $50,000 home electronics system, either just for the fun of it or for profit. I think they would. But if you insist on a profit motive, how about this: write a virus/malware program that logs into a system (i.e. through a PC on the network), backs up the program to a remote location, deletes most of the program and then embeds a bunch of annoying code in its place, searches the local drives for backup copies of the program and shreds them, then begins pestering the homeowner with lights, alarms, etc etc.

Now email the homeowner with a demand for $300 to log in and restore the system. How many homeowners would prefer to wait for their dealer to come back out and fix it (no doubt for a lot more than $300)?

If you think that's another movie plot, then you've not been paying attention. Hackers have been ransoming credit card numbers, identities, security codes from companies and individuals for more than a decade.

Even those of us who've worked hard to secure our networks and our homes have an interest in the security of the overall product in that I'm personally vested in C4's success. If HA generally or C4 specifically should be hit by security problems, then the industry and/or the company suffers and those of us who've already invested in the system lose out as well.

Naturally, in Europe we tend to count a bit more on the responsibility of individuals (end users and dealers), where in the States everything needs to be foolproof, or that is at least my impression.

Well, as long as we're throwing around national stereotypes let's just make sure we're clear: Europe is the land of individual responsibility and the United States is the home of cradle-to-grave socialism. Did I get that right? I've lived on both continents so I get confused sometimes, just want to make sure I hadn't mixed those up . . . :D


I never said or even implied Windows is the only platform that gets viruses. My Windows platform never has, but it's sure more vulnerable.

I'm done with this thread.

RyanE

P.S. Yes, I do think the scenario you proposed is a 'movie plot' threat. Not impossible, just *highly* improbable.


Ryan, most things seem highly improbable till they first happen. Then in retrospect people sit around and say, "Hmmm, I guess that's something we should have thought of." :D I get that C4 does not put its focus on security. That's a perfectly reasonable business decision. This thread, and others like it, are attempting to point out some of the areas that could be improved when and if Control4 decides to focus more attention on it.

I have no problem accepting the argument, "Consumers and the marketplace reward us more for an Apple interface than they do for bulletproof security" but I do have trouble accepting the argument, "Oh, that's a movie plot. There's nobody out there interested in hacking an HA system."

Most people spend their entire lives utterly unconcerned with security and, because there are so darn many of them on the planet, most of them will end up feeling justified in their ambivalence because nothing bad ever happened to them. That doesn't mean the threat was not real, it just means that there fortunately are not enough criminals out there to hack or assault *everyone*. But if you're one of the people who ends up on the short list, you're going to wish that you'd used your deadbolt or shredded that bank statement. Most people never get in a serious auto accident . . . do you still buckle your seat belt? Most homes don't get burglarized . . . do you lock your doors?

I never said or even implied Windows is the only platform that gets viruses. My Windows platform never has, but it's sure more vulnerable.

I didn't mean to suggest that *you* called Windows the only platform for viruses. When I said the myth was dead I was referring (as discussed in the Washington Post article I linked to) to the Apple-fueled myth that only PC users have to worry about viruses. That myth died with their recommendation that Apple users bulk up on security.

I've been running Windows systems since about 1992 and have never had a virus either. But I'd tend to argue that the Windows platform is more secure than Mac precisely because the security threats are public and well-known, companies have sprung up to help users secure their systems, and most users now are accustomed to taking precautions. Macs, on the other hand, are one bad worm away from a PR disaster that costs them 2 points of market share. Why? Because they've spent the last 20 years making the same arguments being made in this thread -- that Apples are secure, that no one has an incentive or readily available means to attack Apples and that security is not a concern. And today they have a complacent user base the vast majority of whom don't think they need protection from viruses, spyware or malware. And now Apple's telling them they were wrong.

--Jason


Naturally, in Europe we tend to count a bit more on the responsibility of individuals (end users and dealers), where in the States everything needs to be foolproof, or that is at least my impression.

Well, as long as we're throwing around national stereotypes let's just make sure we're clear: Europe is the land of individual responsibility and the United States is the home of cradle-to-grave socialism. Did I get that right? I've lived on both continents so I get confused sometimes, just want to make sure I hadn't mixed those up . . . :D

Not talking about individuals here, more about the legal system and how it's used...although I get what you are saying, that is indeed a contradiction I never noticed. Touché I would say :cool:


http://www.control4.com/suitesystems/

I hope the security on this product is rock solid, since these systems are a little more exposed.

A good chance the security in that version will find its way to the residential systems in the near future...

How is the security in that version different than the residential system?

No idea, I just assume it is or will be VERY soon :)


Naturally, in Europe we tend to count a bit more on the responsibility of individuals (end users and dealers), where in the States everything needs to be foolproof, or that is at least my impression.

Well, as long as we're throwing around national stereotypes let's just make sure we're clear: Europe is the land of individual responsibility and the United States is the home of cradle-to-grave socialism. Did I get that right? I've lived on both continents so I get confused sometimes, just want to make sure I hadn't mixed those up . . . :D

Not talking about individuals here, more about the legal system and how it's used...although I get what you are saying, that is indeed a contradiction I never noticed. Touché I would say :cool:

Fair point. I'd certainly grant you that the US allows for some fairly silly legal cases to consume time in the Courts. I was thinking more along the lines of the government, though admittedly in that regard Brussels took a positive step recently by liberating ugly fruit!! :D

http://www.baltimoresun.com/news/nation/bal-te.uglyfruit16nov16,0,6187081.story

BRUSSELS, Belgium - There's hope again for homely hazelnuts, misshapen mushrooms and grotesque garlic. Not to mention onions unsightly enough to bring tears to your eyes.

Last week, the European Union chopped 100 pages of rules and regulations to open the way next summer to allow the sale of fruits and vegetables that may be crooked, bent or twisted - but otherwise good enough to eat.

"This marks the new dawn for the curvy cucumber and the knobbly carrot," EU Agriculture Commissioner Mariann Fischer Boel said. "We simply don't need to regulate this. In these days of high food prices and general economic difficulties, consumers should be able to choose from the widest range of products possible."

The EU ban, imposed more than 20 years ago to ensure uniform shapes and sizes for fruits and vegetables, has triggered much ridicule. The tabloid media use it to highlight bureaucrats' desire to regulate every nook and cranny of Europeans' lives.

Let's hope both sides of the pond can tend toward trusting individuals a bit more . . .

--Jason


Well, we're quickly descending into exactly what I'd hoped to avoid which is the discussion of specifics.

Sorry - don't mean to let it go that way.

Do you really think a dealer's never programmed a user's alarm code into their system for the ARM setting? Let's say the alarm dealer had not disabled the requirement to put the alarm code in to ARM, and now the C4 dealer is there integrating. Wouldn't it be a lot easier to just add the alarm code key presses to the Composer code than to get the alarm dealer out to change the system? So are you 100% confident that no alarm codes are stored in C4 programming? What about changing the arm status from HOME to AWAY? That's going to be a surprise in the morning when the motion detector greets you.

Best practices dictate that you should never do that! EVER! It's like having a Windows computer automatically log in... can it do it - sure it can - but you bypass the security and that's foolish. This is something that all dealers should be aware of. If the alarm isn't set up to do that - then the alarm company should come back and fix it! There is no system, to my knowledge, that "MUST REQUIRE" a password to arm it - some default that way, but it can usually be turned off.

And as to breaking into a house . . . wouldn't opening a garage door make that a lot easier? Most people don't lock the door from their garage to their house because garage door openers with their rolling codes are quite secure. If a garage door is connected to C4 then the vulnerabilities we're talking about now potentially expose access to the house.

Again - do you know how easy it is to get a garage door to open all by itself? Not too hard... slip a hook under the door and wave it in front of the electric eye - watch how it opens right away for ya. Again - you're talking stuff that people are not aware of (and maybe should be) - so again - someone is going to take easier steps before they're going to hack a C4 system to get things like this to open.

Well, not necessarily. Depends on if you have voicemail, if that feature is enabled, if you have VOIP, and probably even if the calls are coming from the right Caller ID. And I'd have to disagree with the relative ease of the approach. I think the security companies who design alarm systems have (not surprisingly) built a lot more security into their systems than C4 has into theirs. That's not inappropriate, the lighting automation built into my GE Concord alarm panel is a joke, so each has their own strengths and weaknesses. But that doesn't mean that C4's weaknesses shouldn't be addressed . . .

Are you talking from experience? As I am - most alarm systems just prompt you for the passcode... Voicemail or not doesn't make any difference - it's a back door for the alarm company to get in when you're having problems and they don't want to roll a truck. VoIP - how many people again are we talking? Come on...

Again, I have to disagree. Look, security is not most people's top concern and that's fine. But you can only credibly state that it's not worth protecting something because they'll get it if they want to if you promise me that you don't lock your doors at night, you don't have an alarm, you don't lock your car and you use PASSWORD as your password cause it's really easy to remember. :D If all those do not apply to you then you're engaged in securing things that someone could get around if they really wanted to. The reason you do those things is that you're a smart guy who realizes that if you make it a little harder for someone to steal from you then they probably will go find someone it's not so hard to steal from. Same thing with securing your HA environment. I'm not out to make sure hackers and criminals go out of business. I'm just out to make it more convenient for them to bother someone else . . .

I think you missed my point - though you agreed with it in the end... lol... what I was saying is that hacking the Control4 system is more difficult than say getting the garage door to open - or popping the sliding glass door off the track. Yes - if you do everything as you should - it'll be more difficult... BUT, for the example of the garage door - it's still easier to open that than it is to hack the C4 system!


Hackers aren't in it these days for 'interesting'. If it doesn't make them money (i.e. allow them to set up a bot-net for scamming and/or receiving the 'offers' HTML people click on), it's much less interesting. Most hacking (Windows PCs mostly) is all about controlling that computer for fraudulent purposes.

That was 1/2 of my point - thank you for stating it more obviously.


Plus who would think to run a virus scan on your controller? It would be the perfect place to hide and do bad things.

The fact that very few people sees this as a concern really bothers me.

Joe - do you have ANY IDEA AT ALL how many unprotected linux systems are out there right now on the internet? ANY IDEA AT ALL!?!?! Do a google search... last time I read (which was close to a year ago) they were estimating well over 1 million unprotected linux systems! By unprotected I mean that have security holes in them and whatnot...

So if someone is going to hack and break in to do something like you're suggesting - they're certainly going to:

1) Pick much more powerful machines that can do a lot more workload than a C4 system

2) They're going to pick something that actually sits directly on the internet with HUGE connections, not tiny little pipes at the home that may or may not be protected with a cheap home firewall.

3) They're going to go after known flaws - not try and find new flaws in C4's system.

