Enhanced security features: packet padding / random packets

This article talks about an interesting/worrying exploit:
Smart home hubs leave users vulnerable to hackers, referring to the article: Omid Setayeshfar et al., Privacy invasion via smart-home hub in personal area networks, Pervasive and Mobile Computing (2022). DOI: 10.1016/j.pmcj.2022.101675

The article proposes packet padding / random packets, so that e.g., a ‘door locking instruction’ is no longer identifiable as such, providing additional security.

Are such features already in home-assistant? If not, are they planned?

In most cases Home Assistant won’t be able to do this. As the article states, the manufacturers have to implement this in their hubs / devices / protocols. Home Assistant usually is just a user of such a hub. It can’t tell the hub to add some padding to its packets if this is not a feature of the product.

1 Like

My reading of the article was that it’s not so much about the internal network, which e.g., could be a Raspberry Pi running hass connecting via say conbee/zigbee to a light/zigbee. Clearly the packets cannot be padded. However, you’d have to listen to rf outside the house, which doesn’t feel like a viable way of snooping: You might as well stand in front of the house and take notes when people leave.

Instead, it seemed to me that the article was suggesting inspection of packets routed over the internet, i.e., between the Raspberry Pi running hass and the hass app on an Android phone. Those packets can be inspected en masse, determining user patterns en masse, making it viable to then break into homes where suitable cases are found.

Where packets are routed over the internet, both the Pi/hass (or future hass yellow) and the app could be updated to allow for padded packets. At least, that’s what it seems like to me?

When the article said hub, my understanding was that it meant e.g. an Alexa Hub, communicating with the internet; in that case the Alexa Hub plays the role of the Raspberry Pi running hass.

Am I misunderstanding? At least the way I’m running hass, it doesn’t use an Alexa Hub (e.g., using the zigbee hub function within Alexa…)

I suspect anyone who wants to break into a house will throw a brick through a window or kick a door in, not spend the time intercepting and analyzing data to/from a home assistant instance that they have somehow determined is at a specific home address.

2 Likes

I think you may have to re-read your two linked articles.

From the first one:

“…when a smart home lock is locked, it sends a packet to the hub, and the smart home hub passes that onto the server … but using the patterns, the size of the packet and the timing of the packet, we can figure that information out with very high accuracy.”

It clearly talks about the packets, which are the RF signals exchanged between the hub and the devices.

And from the second article:

“Specifically, this work focuses on the devices that use Zigbee or Z-wave and are controlled by a centralized smart-home hub in a personal area network.”

Zigbee and Z-wave are used for RF communication. So essentially just a more specific example of what was said in the first article.

On top of that, the example of preventing a lock from locking is practically done by flooding the relevant frequency with packets, so that the lock can’t hear the command to perform the locking.

All this has nothing to do with the communication that Home Assistant is doing. If Home Assistant is wired to the router, then the traffic could only be intercepted if the attacker is already within the network. And at this point obfuscating via packet padding won’t do much, as you have way bigger problems at that time.

Of course also stuff like WiFi or Bluetooth can be monitored for patterns, which could give some insights about what is happening in your home. But again, that’s nothing Home Assistant can do anything about. Well, it could randomly poll a device’s state or send invalid commands to make a mess out of the information the attacker is gathering. But at least battery powered devices would be drained by that in the long run.

All that being said, my assumption is that at best only high profile targets would become victims of such an attack, as this takes time. As Tediore said, regular burglars tend to reach for the low-hanging fruit. They enter quickly if they see a possibility, look for valuable items in places where people typically store them, then leave again as quickly as possible. Analyzing a house prior to entering only makes sense if they know they’ll make a huge profit from it. And (hopefully) such high profile home owners tend to have a lot of wired systems in their homes, which by design can’t be monitored wirelessly. Hence they aren’t (as) exploitable.

In my opinion a fingerprint lock at your front door is WAY more interesting for criminals. Chances are, the owner’s fingerprints are scattered all around the house. Extracting one from his car door wouldn’t take long. Then come back a few days later with a fake one and you’re in. At least if the fingerprint scanner isn’t the most secure one.

1 Like
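The size-and-count side channel the quoted articles describe, and what per-packet padding and random (chaff) packets change, as an added example that is not code from this thread or from Home Assistant. The three event traces and the 64-byte pad size are constructed assumptions, not measurements of any real hub or lock; the point it adds is that padding sizes alone still leaks the packet count, so chaff packets are needed too, at a battery cost.

```python
"""Traffic-analysis side channel on encrypted smart-home bursts, with two mitigations."""
from typing import Dict, List, Optional, Tuple

Trace = List[int]  # visible packet sizes (bytes) of one event burst

# Constructed sample: the payload is encrypted, but packet sizes and the number
# of packets per burst are visible to an on-path or RF observer.
EVENT_TRACES: Dict[str, Trace] = {
    "lock":      [61, 61, 48],
    "unlock":    [61, 48],
    "heartbeat": [37],
}

def shape(trace: Trace, pad_to: Optional[int] = None,
          burst_len: Optional[int] = None) -> Trace:
    """Pad each packet up to pad_to bytes, then top the burst up with dummy
    (chaff) packets until it holds burst_len packets."""
    out = [max(s, pad_to) if pad_to else s for s in trace]
    if burst_len is not None:
        filler = pad_to if pad_to else max(trace)
        out += [filler] * max(0, burst_len - len(out))
    return out

def fingerprint_table(traces: Dict[str, Trace], pad_to: Optional[int] = None,
                      burst_len: Optional[int] = None) -> Dict[Tuple[int, ...], List[str]]:
    """Map each observable size pattern to the events that can produce it."""
    table: Dict[Tuple[int, ...], List[str]] = {}
    for event, trace in traces.items():
        table.setdefault(tuple(shape(trace, pad_to, burst_len)), []).append(event)
    return table

def infer(observed: Trace, table: Dict[Tuple[int, ...], List[str]]) -> List[str]:
    """What an observer learns from one burst: one candidate means the event is
    identified; every event as a candidate means the pattern leaked nothing."""
    return table.get(tuple(observed), [])

def overhead_bytes(traces: Dict[str, Trace], pad_to: Optional[int] = None,
                   burst_len: Optional[int] = None) -> int:
    """Extra bytes on the air for one occurrence of each event: the battery cost."""
    return sum(sum(shape(t, pad_to, burst_len)) - sum(t) for t in traces.values())

if __name__ == "__main__":
    for label, kw in [("raw", {}), ("size padding only", {"pad_to": 64}),
                      ("size padding + chaff", {"pad_to": 64, "burst_len": 3})]:
        table = fingerprint_table(EVENT_TRACES, **kw)
        print(f"{label}: {len(table)} distinguishable pattern(s); a lock burst "
              f"reads as {infer(shape(EVENT_TRACES['lock'], **kw), table)}; "
              f"overhead {overhead_bytes(EVENT_TRACES, **kw)} bytes")
```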

As a criminal lawyer, I confirm the analysis. Most burglars are opportunists. Most are window smashers. Even planned burglaries are unsophisticated, certainly from a technical perspective.

One crew I acted for used to climb up to an upstairs deck and break in, then ransack the upstairs rooms. Why? The owners usually only had motion detectors, etc., downstairs.

1 Like

While I do agree that “IT security” is something that should be considered when doing smart home stuff, I don’t think that Home Assistant is the right point to address the topics mentioned in the articles.

Of course, if you expose your installation to the internet without any further security implementation, it can open the doors for nearly everyone.

But following at least most established security guidelines is within the responsibility of the operator of that system…

So, all in all:
I agree with the others.

Burglars don’t care about your smart home installation.
If they see an easy opportunity, they will try to get in…

Sniffing RF traffic: I think that’s a very rare case for regular people… it can happen, but most probably you have personal difficulties with someone who’s trying to attack you then 🙂

1 Like

Thank you all for the post - interesting read, and thank you for the comments. Makes sense!