How I “Red Teamed” into my smart home (Part 1) — Prelude

Terence, CSG @ GovTech
Jun 10, 2020

What inspired this mini Red Teaming exercise

As a red team operator, I work with my team members to simulate real-world adversarial Tactics, Techniques and Procedures (TTPs) to breach the defences of organisations and access sensitive information. With the extension of the Circuit Breaker (CB) in Singapore, I was left working from home until further notice, and I thought I might apply this tradecraft to my own smart home.

The objective

As in every red team exercise, an objective must first be set. In my case, since it was my own home that I was hacking into, the objective was to identify whether sensitive information could be leaked once smart home devices are compromised. Such information could be obtained through any one of the following:

  • the built-in features of smart home devices (e.g. video/voice capturing, voice assistant, etc.);
  • data generated by the sensors of these devices and shared in the network; or
  • other interconnected systems on the home network.

To simulate an external threat actor, I assumed that a floor plan showing the placement of the targets (i.e. the ICT and smart systems) had already been obtained by the team's specialists through Open Source Intelligence (OSINT) and social engineering.

Breakdown of the game plan

With this information, the game plan was to first assess the physical security of my smart home, where a smart digital door lock controls access to my home and is the first target reachable from the perimeter. Compromising the door lock (arrow 1) could give me access to the home network, since such locks are connected either directly to the home wireless network or to a smart home hub.

The game plan

The next system I planned to target (arrow 2) was the smart home hub. The smart home hub connects the devices on a home automation network and controls the communication among them. Taking it over would give me control of the built-in features of every smart home device it manages, as well as the data generated by their sensors, for analysis. Furthermore, using the smart home hub as a foothold would allow me to attack (arrow 3) other systems on the same network.

Most smart home assistants are powered by Artificial Intelligence (AI) and act as a bridge for smart home devices, which thereby become accessible from the Internet. Attacking (arrow 4) these smart home assistants could allow me to compromise the cloud service accounts registered to access and control the smart home devices. These accounts may also hold Personally Identifiable Information (PII) or credit card details.

Finally, ICT systems typically store a treasure trove of sensitive information, so they would be my final target (arrow 5), ending this mini exercise with a bang! 🤞


This mini exercise will be shared over 7 parts and will cover the industry frameworks and testing guides (e.g. MITRE ATT&CK, OWASP WSTG and MASVS) used to discover and exploit security vulnerabilities on these targets.

  • Part 2a — Smart Digital Door Lock (Mobile application)
  • Part 2b — Smart Digital Door Lock (Wireless communications)
  • Part 3 — Smart Home Hub
  • Part 4 — Smart Home Appliances
  • Part 5 — Smart Home Assistants
  • Part 6 — ICT systems
  • Part 7 — Summary of observations and remediations

Eventual learnings

At the end of this mini exercise, I aim to improve the overall security of my smart home and, hopefully, benefit anyone who has, or is planning to build, a smart home that they want to secure. This is especially relevant now that the COVID-19 situation has required us to work remotely from home: under this working arrangement, the attack surface of our organisations extends into our homes. Until then, stay safe and stay tuned for Part 2a.

On a side note, SANS has published some tips to help organisations and individuals work and learn securely from home.
