Hacking HomePlug Networks

I don't know whether HomePlug networks are growing in use or not, but the following statements caught my attention:

Officials at Intellon, the chip maker that developed the HomePlug spec, say that hacking into a HomePlug network would require cracking the government's DES encryption standard. – link

My favourite:

HomePlug specification products also protect data by utilizing powerful DES encryption, which makes hacking into a HomePlug network virtually impossible. – link

If you are not sure what a HomePlug network is then maybe the following diagram will help:

As you can see above, HomePlugs can in many cases replace a wireless infrastructure or work alongside it (e.g. where your house or office has thick walls that weaken the signal). You simply plug one into your wall socket and attach a network lead to it.


Now I didn't really spend ages coming up with advanced hacking techniques for these things. It would be overkill, methinks. These devices are insecure in their default state. They are also insecure in their secured state.

So let's put our attack together:
1. HomePlug Detection and Enumeration
2. Exploitation in its default state
3. Exploitation in its secured state
4. Hacker Countermeasures

1. HomePlug Enumeration

You need a compatible HomePlug to start. A single plug can cost between £20 and £30. Ensure that the plug is HomePlug v1.0 certified or you will most likely fail in your endeavour.

You will then require a target. Testing your own network is easy enough; attackers will most likely test your network from an outside wall socket.

Install the software that comes with the plug. This software was exactly the same for both of my HomePlug makes (other than a few logo changes). Plug your HomePlug into a wall socket of the network you want to connect to, load up the software and simply click "Scan Powerlines Network". You could also just load a sniffer and check whether your rogue plug has already joined the network.

2. Exploitation in its default state

I couldn't find the v1.0 specification RFC, but it was trivial to work out that all these devices start out using a default network key of "HomePlug". Obviously this was done to allow for plug and play. Load up your sniffer and monitor network traffic. If the default key is in use you should see NetBIOS broadcasts etc. Job done.

3. Exploitation in its secured state

56-bit DES encryption may have been considered cryptographically strong in the Stone Age, but not today.

Even though 56-bit DES encryption (2^56 possible keys) is breakable, it may take a fair chunk of time to crack, although rainbow tables have made this a lot easier. Personally, I would try some weak passwords to begin with.

4. Hacker Countermeasures

Do the obvious. Use a very strong key to secure your HomePlugs. Ensure that your network devices are firewalled. Hopefully the newer versions will provide stronger encryption options.
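As an added example (not code from this post or from any HomePlug vendor), the following Python check puts sections 3 and 4 together from the defender's side: it rejects the default "HomePlug" network key, flags short or low-entropy passphrases, and reports the effective key space, which 56-bit DES caps at 2^56 no matter how long the passphrase is. The 12-character and 40-bit thresholds and the 10^9 guesses-per-second rate are assumptions for illustration, not figures from the post.

```python
import math

# The factory network key that HomePlug 1.0 devices ship with, as stated in this post.
DEFAULT_KEY = "HomePlug"
# HomePlug 1.0 encrypts with 56-bit DES, so no passphrase gives an attacker
# more than 2**56 keys to search.
DES_KEY_BITS = 56
# Assumed (constructed) guess rate for the worst-case search estimate; not a measured figure.
ASSUMED_GUESSES_PER_SECOND = 1e9


def estimate_entropy_bits(password: str) -> float:
    """Crude entropy estimate: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def assess_key(password: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Judge a candidate HomePlug network password from the defender's side.

    Flags the default key and short or low-entropy passphrases, and reports the
    effective key space (capped by DES) with a worst-case exhaustive-search time.
    """
    findings = []
    if password == DEFAULT_KEY:
        findings.append("default network key: any HomePlug 1.0 device can join")
    if len(password) < 12:
        findings.append("fewer than 12 characters")  # threshold is an assumption
    entropy = estimate_entropy_bits(password)
    if entropy < 40:
        findings.append("guessable passphrase: under 40 bits of estimated entropy")
    # DES caps the search space regardless of how strong the passphrase is.
    effective = min(entropy, DES_KEY_BITS)
    worst_case_days = (2 ** effective) / guesses_per_second / 86400
    return {
        "entropy_bits": round(entropy, 1),
        "effective_bits": round(effective, 1),
        "worst_case_days": round(worst_case_days, 2),
        "findings": findings,
        "acceptable": not findings,
    }


if __name__ == "__main__":
    for candidate in [DEFAULT_KEY, "plug", "Tr0ub4dor&3-PowerLine!"]:
        print(candidate, assess_key(candidate))
```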
