Insteon' False Security And Deceptive Documentation

DEF CON 23

Presented by: Ryan Gooler, Peter Shipley
Date: Friday August 07, 2015
Time: 13:00 - 13:50
Location: Track One

Insteon is a leading home automation solution for controlling lights, locks, alarms, and much more. More than forty percent of homes with automation installed use Insteon.

For the last fifteen years, Insteon has published detailed documentation of their protocols—documentation that is purposely misleading, filled with errors, and at times deliberately obfuscated. As my research over the last year has revealed, this sad state of affairs is the direct result of Insteon papering over the fact that it is trivial to wirelessly take control, reprogram, and monitoring any Insteon installation.

Worse still, the embedded nature of the Insteon protocol coupled with devices that do not support flash updates means that there are no current fixes or workarounds short of ripping out the Insteon products.

I will be presenting my research, and releasing tools demonstrating the vulnerabilities throughout the Insteon home automation system.

Peter Shipley

Peter Shipley has been working with security for over 30 years. In the late 80's he wrote one of the first network security scanners and maintained one of the first bug databases ( later used to seed similar lists at CERT and llnl.gov ). Around the same time Peter co-founded UC Berkeley's OCF (Open Computing Facility). In the mid 90's Peter Shipley became a founding member of cypherpunks & setup up one of the first official PGP distribution sites. In '98 (DEF CON 6) Peter Shipley did a independent security research on war-dialing, exposing a significant security problem that was being ignored in most corporate environments making phone security. At DEF CON 9 Peter Shipley introduced wardriving to the world. Recently Peter has written and released several APIs using python to link various networked automation appliances via REST and other interfaces. Peter Shipley currently manages for a dot-com by day, and helps raise two kids by night.

Ryan Gooler

Ryan Gooler (@jippen) is a cloud security guy, known for luck, sarcasm, and getting into things. Avid lockpicker, lover of cats, and disrespector of authority.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats