Intruding into smart home networks, hacking until you question the world

2017-04-01

Security, in fact, is sometimes a matter of trust.

  A girl asked her boyfriend: "Who is that girl on your WeChat?" "Having dinner with friends, both male and female?" "Why can't you show me your phone?" The boyfriend felt untrusted, while the girl said she felt insecure. This is the relationship between security and trust.

  Network security is essentially also a matter of trust. A phishing email steals company data, a phishing website steals account passwords, and a fake WiFi hijacks communication traffic. These are all related to the victim's excessive trust in the other party and their strong sense of "security".

  "Assume that all people, devices, and environments are untrustworthy." This has become a conventional principle in network security. A person's "overtrust" in their surroundings can get them hacked, while a service provider's "overtrust" harms not only the provider but also its users. A smart home provider, once hacked, could leave its users unable to manage even their daily lives.

  "Security stems from trust, and hackers break trust." This was the topic of Wang Xin, vice president of An Heng Information Security Research Institute, at the YunDun Xianzhi White Hat Conference last Sunday (March 25th). He analyzed, from the attacker's perspective, the security issues caused by "overtrust" in smart homes. Through several examples of hacked smart devices, he made it clear to the LeiFeng.com editor that excessive trust in smart homes can indeed leave you hacked to the point of being unable to manage your daily life.

  A typical smart home device usually follows this process:

【Simplified Smart Device Interaction Process】

  Within the local area network, the smart gateway and terminal devices communicate wirelessly using Bluetooth, WiFi, etc. A mobile phone in the same local area network can directly send instructions to the smart gateway and then to the terminal device. The relevant information of the terminal device is then transmitted back to the user's mobile phone through the smart gateway for the user to view.

  If remote control of home devices is needed, the smart gateway uses the wireless router to send data to the cloud, communicates with the mobile phone in the cloud, and then executes a similar workflow.

  Each link involves mutual trust, and "overtrust" can make any link a breakthrough point for attackers. Wang Xin explained this point with several examples of compromised smart devices:

  1. Smart Home Network Gateway's Trust in the Cloud

  When a smart gateway needs a firmware upgrade, the user's phone will receive an upgrade prompt. As long as the user clicks upgrade on their phone, the cloud will send update instructions to the specific smart gateway.

  The problem is that some smart devices and gateways completely trust the cloud's IP address, and the devices do not verify the firmware they receive before installing it.

  By examining the device's control and storage chips, the chip types can be identified. From that information, the operating system used, the firmware storage path, and other details can be determined. The firmware can then be disassembled according to its operating system to see the memory partition layout, the length of each partition, the boot code, and the code for functional areas such as WiFi and music playback.

  After this preparatory work, an attacker on the local area network can hijack DNS resolution, forge the update request, and flash firmware containing a malicious backdoor onto the device. Once the victim's gateway has been flashed with malicious firmware, it is a time bomb placed in the home, which the attacker can detonate at any time.

  2. Smart Home's Trust in Itself

  Wang Xin said that when analyzing another smart gateway, he found that it exposed a port originally intended to let technicians debug the device. Many manufacturers use the same password, or passwords that follow a pattern, across devices for the convenience of later maintenance.

  So Wang Xin used Binwalk (a firmware analysis tool) to read the storage chip, extracted the contents of its file system, and recovered the password through unpacking and reverse engineering.

  Because the passwords are the same or follow a pattern, once the password of one device is obtained, all devices in the series can be logged into arbitrarily. This is a security problem caused by the manufacturer's overtrust in themselves.

  3. Smart Home Gateway's Trust in Users

  In addition, Wang Xin found even weaker security practices: some manufacturers open SSH remote login directly to users and set a single weak SSH password, such as 12345678, on every device.

  "Perhaps the manufacturer thinks there are more good people than bad people in the world." Wang Xin expressed his helplessness about this, because as long as there is one "bad person," he can easily use this problem to control other users' devices.

  4. Smart Device's Trust in the APP

  Wang Xin introduced an example he saw online: a foreign researcher analyzed a drone and found that the device opened several ports to interact with its mobile phone APP. The same problem appeared again: the drone overtrusted the APP, and reverse engineering the APP revealed a fixed password hidden inside it.

  By downgrading the device firmware, the drone can be restored to the firmware version with security vulnerabilities, thereby successfully obtaining control permissions. The most critical issue here is that the smart device defaults to the mobile phone APP being secure and "overtrusts" the APP.
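Both the unverified firmware update in example 1 and the firmware downgrade in example 4 come down to the device trusting where an image came from rather than what it is. The following is an added example, not code from the talk or from any vendor: a hypothetical signed-firmware format in which the gateway verifies an Ed25519 signature with a vendor public key baked in at manufacture and refuses images whose version is not newer than the installed one. The format, field layout and function names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout (constructed for this example):
// magic(4) | version(4, big-endian) | payload-len(4) | payload | sig(64)
// The signature covers everything before it, so version and length are
// authenticated too; an attacker cannot relabel an old image as new.
var magic = []byte("FWV1")

// PackImage is the vendor-side step: sign header+payload with the private key.
func PackImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 12)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is what the gateway runs before flashing. It trusts only the
// public key it shipped with, never the IP address the image arrived from,
// and rejects rollbacks to an equal or older version.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < 12+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return 0, nil, errors.New("malformed image")
	}
	version := binary.BigEndian.Uint32(img[4:8])
	n := int(binary.BigEndian.Uint32(img[8:12]))
	if n != len(img)-12-ed25519.SignatureSize {
		return 0, nil, errors.New("length field does not match image size")
	}
	body, sig := img[:12+n], img[12+n:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, errors.New("signature invalid: image is not from the vendor")
	}
	if version <= installed {
		return 0, nil, fmt.Errorf("rollback refused: %d <= installed %d", version, installed)
	}
	return version, body[12:], nil
}
```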

  5. Smart Gateway's Trust in Smart Terminals

  When the smart gateway and smart terminal devices communicate, many wireless protocols are used, among which the ZigBee protocol is widely used due to its low cost and low power consumption.

  Wang Xin said that the key to testing ZigBee security lies in finding its encryption key. It can usually be obtained by passive or active listening during authentication or transmission. Some manufacturers, worried about problems during transmission, hard-code the encryption key into the device at manufacturing time; in that case it can also be recovered by reverse engineering the terminal device firmware. In short, from the smart gateway's point of view, the terminal device is not necessarily completely trustworthy.

  Overall, smart home security covers a wide range of issues, but "trust" is always the most critical one. For security researchers, every link that involves "trust" is worth questioning and scrutinizing, because any "overtrust" can lead to a security problem.