BBC Panorama. How we hacked the house

Ken Munro 16 Apr 2016

We recently filmed for BBC Panorama about the insecurity of smart home devices. Ben, the willing owner of the house, is a tech-savvy fan of home automation. He’s also pretty knowledgeable around IT security, so we knew we were going to have more of a challenge on our hands.

Ben kindly provided us with a list of smart kit in advance, so we weren’t going at the exercise completely cold. That said, when we arrived for filming, we had no idea if anything would actually work! We had about 6 hours to create something cool.

First, he had changed his Wi-Fi PSK from the ISP router default, unlike most home users. He had also switched to a 3rd party router; there weren’t any usable exploits for that we could use in the timeframe.

However, the PSK didn’t stand up to cracking for long. Our 4 x NVidia1080 GPU rig got the key in about 40 minutes.

Once on to the network we had to move fast. We also couldn’t touch the various vendors APIs as we didn’t have permission to test them. The producers wanted visual and audible hacks that would alarm the householders and look interesting on screen.

First, we had a go at the two Foscam wireless cameras. A cheeky video stream from inside the house would look great; users rarely change the admin passwords. Except Ben had wisely followed the security recommendations and changed the creds to something much stronger. Brute force rates over the FTP and HTTP interfaces weren’t quick enough and we couldn’t find usable exploits. There’s a local reset button on the cameras, but that wouldn’t have been realistic.

Next we looked at Amazon Echo. Remote exploitation wasn’t on the cards. Then we noticed the TVs: One Samsung and a Sony with a Chromecast dongle plugged in.

We could cast to both without further authentication. The Samsung caster only accepted YouTube videos unauthenticated, so we simply recorded a blank video of us saying ‘Alexa, close the downstairs curtains’ and cast it over the Wi-Fi network to the TV from the ‘hack van’ outside:

Boom, Alexa heard the audio and  the curtains closed:

After that, we got the Smarter iKettle 3.0 to do the same. It’s much more secure than the original iKettle that we hacked years ago. It has an Alexa recipe:

“Alexa, turn on the kettle”

And for a laugh (with Ben’s permission) we did this:

<video of Prime order>

All very amusing, but a malicious individual could cast arbitrary porn to your TV whilst your kids were watching it. Not a pleasant thought.

The upstairs TV had Chromecast, so we could cast a full desktop. What else could we show 😉

Whilst looking at the TVs, we noticed an interesting device on the network

<a/v receiver hack>

So we could pump up the volume to 11 and freak out the homeowner

There was a printer on the network which allowed arbitrary printing. Simple map to the printer and we could print anything. What else?

Now to more interesting things: The Philips Hue lighting system