The smart home I didn't ask for (MCH2022)

What happens when your home is “smart” before you even move in? More and more buildings are pre-installing smart devices that tenants didn’t ask for and may not want. These devices focus on comfort and convenience, an excellent focus as long as security is also considered. Given the deep integration these devices have, a vulnerable system could lead to devastating consequences like the loss of privacy and even unauthorized access. As a security researcher, these were my thoughts when I saw the tablet mounted on the wall of my new apartment. In a short period, I discovered multiple vulnerabilities in the system. A concern for sure, considering the system allows for remote access and has integration with services in my apartment and the building. This talk will cover my path, my process, and coverage of the vulnerabilities I discovered. The smart home system is based on a wall-mounted Android tablet, and is installed in thousands of properties throughout Europe. It allows for controlling lights, heating, motorized blinds, opening a building's main entrance door among other things. The talk will contain the following contents: * Introduction * Presentation of the smart home system * Methodology * How did I evaluate its security * Findings * Description of vulnerabilities found * Impacts and countermeasures * Disclosure timeline * Interactions with vendor * Raise awareness * Conclusion about this event: https://program.mch2022.org/mch2022/talk/JPLREJ/