German Computer Magazine c’t Issues Vulnerability Alert:
Weak Security In Loxone Smart Home System Lets Burglars Walk Right In

Hannover, August 31st, 2016 – Most smart homes provide remote access via smartphone apps. This can introduce new risks – especially when the manufacturer does not implement this feature with care. In its current issue 19/16, German computer magazine c’t describes how a security vulnerability could have led to burglars entering homes with the press of a button.

Smart home systems need to be easy to set up. On the other hand, manufacturers must take great care to ensure their systems are not vulnerable to attacks – especially when they are connected to the Internet. The case of Loxone Electronics provides dramatic proof of what can happen when this trade-off goes wrong: The manufacturer delivered its smart home system with badly secured remote access features and even pointed potential intruders toward targets with its oversimplified web service.

“Using only a simple script, we were able to find over 110 systems spread throughout Europe using weak logins,” explains c’t editor Nico Jurran. This opens the door to far-reaching potential abuse: Loxone systems not only handle sensors and actuators for illumination, electricity, heating and cooling, shutters, and audio systems. They also control safety-critical components such as alarm systems, IP cameras and access systems for doors and garages.

With a single tap on their smartphone, criminals could have had access to a victim's home – without leaving any traces. “This is a nightmare for home-owners and tenants – and a huge insurance problem,” Jurran states.

c’t Magazine promptly informed Loxone Electronics' management about the security leak. Loxone immediately set up an internal task force which proceeded to block smart home systems with insecure login credentials from using the company's DDNS service.

This measure quickly bore fruit: The number of home servers with default login credentials dropped dramatically. However, customers are still allowed to use “admin/admin” as their login, Jurran warns. “Loxone customers whose system continues to use the standard password should change it immediately.”

Note to editorial staff: We will gladly provide you with the full (German-language) article for review if requested.

c’t editor Nico Jurran is available for interviews on this topic.