DEF CON 23 - Peter Shipley - Insteon: False Security and Deceptive Documentation
Original upload date: Fri, 25 Dec 2015 00:00:00 GMT
Archive date: Thu, 02 Dec 2021 01:14:58 GMT
Insteon is a leading home automation solution for controlling lights, locks, alarms, and much more. More than forty percent of homes with automation installed use Insteon. For the last fifteen years,Show more
Insteon has published detailed documentation of their protocols—documentation that is purposely misleading, filled with errors, and at times deliberately obfuscated. As my research over the last year has revealed, this sad state of affairs is the direct result of Insteon papering over the fact that it is trivial to wirelessly take control, reprogram, and monitoring any Insteon installation. Worse still, the embedded nature of the Insteon protocol coupled with devices that do not support flash updates means that there are no current fixes or workarounds short of ripping out the Insteon products. I will be presenting my research, and releasing tools demonstrating the vulnerabilities throughout the Insteon home automation system. Speaker Bios: Peter Shipley has been working with security for over 30 years. In the late 80's he wrote one of the first network security scanners and maintained one of the first bug databases ( later used to seed similar lists at CERT and llnl.gov ). Around the same time Peter co-founded UC Berkeley's OCF (Open Computing Facility). In the mid 90's Peter Shipley became a founding member of cypherpunks & setup up one of the first official PGP distribution sites. In '98 (DEF CON 6) Peter Shipley did a independent security research on war-dialing, exposing a significant security problem that was being ignored in most corporate environments making phone security. At DEF CON 9 Peter Shipley introduced wardriving to the world. Recently Peter has written and released several APIs using python to link various networked automation appliances via REST and other interfaces. Peter Shipley currently manages for a dot-com by day, and helps raise two kids by night. Ryan Gooler (@jippen) is a cloud security guy, known for luck, sarcasm, and getting into things. Avid lockpicker, lover of cats, and disrespector of authority.