Smart homes are today's favourite, but while people focus only on making the home intelligent and user-friendly, hackers have set their sights on the smart home, where everything can be exploited.
Starting with application vulnerabilities
Data show that a variety of home automation devices and sensors, including door locks, switches and electrical sockets, can all be remotely controlled and monitored over the Internet. Most of them may also be connected to cloud-based services, which the user interacts with through a web portal or a smartphone application.
At the cloud summit, reporters also heard a white hat share some smart home vulnerabilities, analysed from multiple angles including firmware attacks, embedded script attacks, protocol hacking and industrial control. A video demonstration gave a comprehensive view of how hackers take over a variety of smart devices in the home, including smart sockets and smart routers, and how they remotely control air conditioners, refrigerators, televisions and other equipment. Most frightening of all is hijacking the monitor and then controlling the smart devices of an entire building. You have to believe that the scene from The Matrix is being reproduced!
Security experts examined how these devices are connected on the front end (between the user and cloud services) and on the back end (between devices and cloud services). On the front-end connection, they found that only the SmartThings Hub enforced strong passwords, and Ubi did not even encrypt the user's connection, which undoubtedly makes a man-in-the-middle attack possible. On the back-end connection, these devices performed much worse. Ubi and MyQ Garage did not perform encryption, did not provide the necessary protection against MiTM attacks, and had no defence against replay attacks. In addition, Ubi did not adequately protect sensitive data.
Apart from the SmartThings Hub, these devices had no protection against man-in-the-middle attacks, because they either did not use Transport Layer Security (TLS) encryption at all, or used TLS encryption without appropriate certificate validation.
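
The two failure modes described above (no TLS at all, or TLS without certificate validation) can be checked in client code. The following Python sketch is an added example, not code from the article or from any of the devices it names; the client names, URLs and helper functions are hypothetical, and the sample clients are constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit

TLS_SCHEMES = {"https", "wss", "mqtts"}

def mitm_findings(endpoint, ctx=None):
    """List the reasons a client connection to `endpoint` can be intercepted."""
    if urlsplit(endpoint).scheme.lower() not in TLS_SCHEMES:
        return ["no TLS: traffic is sent in plaintext"]
    if ctx is None:
        return ["TLS endpoint but no client TLS settings to inspect"]
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    return findings

def unverified_context():
    """TLS that encrypts but accepts any certificate (the weak pattern)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verified_context():
    """TLS with chain and hostname validation (the corrected pattern)."""
    return ssl.create_default_context()

# Constructed sample clients; names and URLs are hypothetical.
SAMPLE_CLIENTS = {
    "device-plaintext": ("http://cloud.example/api", None),
    "device-unverified": ("https://cloud.example/api", unverified_context()),
    "device-verified": ("https://cloud.example/api", verified_context()),
}

def audit(clients):
    """Map each client name to its findings; an empty list means no finding."""
    return {name: mitm_findings(url, ctx) for name, (url, ctx) in clients.items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CLIENTS).items():
        print(name, "->", findings or "chain and hostname are validated")
```

A client that encrypts but skips validation is reported with two findings, which is why encryption alone does not stop a man-in-the-middle.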