Insteon and Wink home hubs appear to have a problem with encryption

Security researchers have discovered that two popular home automation systems are vulnerable to attacks. The Insteon Hub and Wink Hub 2 are designed to connect various home products and manage automation, and the flaws represent another entry in the growing catalogue of IoT security shortcomings. Rapid7 discovered two …

  1. alain williams Silver badge

    What do we care ?

    Putting in proper security will just cost us to no benefit - ie we will not make more money.

    It will cost us developer time & make our products more complicated so that we will have to deal with extra support calls from the Muppets who buy our stuff - someone has to pay for those support calls y'know!

    If some of these do get cracked, they probably won't blame us, if they do we will just send out our press release blaming "the bad guys" - we have it already written, it just needs the date putting on it. After a fortnight the brouhaha will have died down and our sales will just continue.

    If the law were changed to make us liable for customer losses we might take notice, we have our lobbyists ready just in case legislators think about this.

    Love & kisses: Insteon PR department.

    1. AndyS

      Re: What do we care ?

      > If some of these do get cracked, they probably won't blame us, if they do we will just send out our press release blaming "the bad guys"

      Remember to include the phrase "we take security very seriously."

      1. Trigonoceps occipitalis

        Re: What do we care ?

        Remember to include the phrase "we take security very seriously."

        Wot about "learning lessons?"

  2. HellDeskJockey

    First, don't connect anything to the net unless there is a real benefit. That goes double for IoT devices. But seriously, if you do spoof my Insteon system, all you can do is flick my lights on and off. Annoying but hardly the stuff of nightmares. If you are close enough for radio spoofing just try a jammer instead, no encryption decryption required.

    1. Anonymous Coward

      "But seriously if you do spoof my Insteon system, all you can do is flick my lights on and off"

      And possibly run a botnet, pissing off millions of people.

    2. tiggity Silver badge

      flicking

      Flicking lights on and off can reduce their lifespan quite a lot (susceptibility varies depending on "bulb" type) so an extra potential cost / irritation.

      Plus lights on when not wanted on = extra cost of electricity.

      I like my "dumb" lights & switches

  3. Lysenko

    No excuses either...

    If you're running an IoT device with a PIC16 or something then yes, implementing TLS etc. may not be feasible. You just don't have the MIPS or the RAM for that.

    The Wink hub on the other hand has an i.MX28! That's an ARM9 CPU capable of running Linux (albeit 7 years old). However a closer look at the HW is in order: the Wink supports multiple RF protocols and therefore (!) has a bunch of additional microcontrollers including an STM32, a PIC16F and some other Cortex M3 chippery. What was the designer thinking of? There is no valid reason to create such Frankenstein circuitry which must involve at least three different programming languages and at least five different toolchains. It smells very much like someone grabbing reference designs from chip vendor web sites and lashing them together with glorified veroboard. On that basis I classify the device as "works as expected".

  4. This post has been deleted by its author

  5. lglethal Silver badge
    Trollface

    "One hopes that Wink and Insteon will now carry out a thorough code review to see what else might be hiding in there."

    Hahahahahahahaha... Man that guy should go into Comedy. Wait... What? You mean he was serious.... *blink* Hahahahaahahahahaha

  6. Stevie

    Bah!

    What????

    An Internet of Tat device is configured for the convenience of pwners out-of-the-box?

    I'm shocked I tell you, shocked.

  7. Tom 38

    WinkHub

    Sounds like the kind of website that I have to remove from my history after use.
