X10 Hacking

This post is inspired by a DerbyCon 2011 talk by Rob Simon and Josh Kelly that I recently watched, called Pentesting Over Power Lines. I'll start with a brief overview of Broadband over Power Lines (BPL), then move on to a description of the X10 protocol itself, focusing on how vulnerable the protocol is to hacking.

Broadband over power lines, in a nutshell, works by sending medium-to-high frequency signals through ordinary AC power wiring. Every device plugged into that circuit can then hear every other device that speaks the same protocol. It essentially turns your home wiring into a broadcast hub.

The X10 protocol is one such protocol and is widely used for home automation and security. X10 communicates over the power lines using 120 kHz signals, and in some cases it also uses radio for wireless communication. The protocol itself is simple: there are 14 commands, each encoded in four bits. A 1 bit is represented by a 120 kHz pulse at the AC zero-crossing point, and a 0 bit by the absence of that pulse at the zero crossing.

The X10 protocol has two problems. First, the communications aren't encrypted: there is a direct, open exchange between nodes on an X10 network, which leaves the door open for someone to plant a device on the circuit and take control of its nodes. This plug-in-and-command technique won't work for devices that rely on wireless communication, but the wireless side has flaws as well. In the United States, X10 wireless operates at 310 MHz, and it doesn't frequency-hop; that means noise blasted at 310 MHz can drown out communications and effectively shut the system down. The end result is a home automation or security system that isn't so secure after all.
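To make the two points above concrete (the four-bit, pulse-at-zero-crossing encoding, and the fact that unencrypted, unauthenticated traffic can be read by anything on the same circuit), here is a small added model of the encoding as the post describes it, together with the kind of allow-list check a defender can run over decoded traffic. This is example code written for this page, not code from the talk or from any X10 product; the command-name table is a constructed placeholder, not the real X10 function-code table, and the pulse stream is a constructed sample.

```python
"""Toy model of the X10 power-line encoding described above.

A 4-bit command is sent as four consecutive AC zero crossings; a 120 kHz
pulse at a crossing means bit 1, the absence of a pulse means bit 0.
Everything here follows the post's description, not the full X10 spec.
"""

from typing import Dict, Iterable, List, Set

# Constructed placeholder table (assumption): names and codes chosen for
# illustration only; they are NOT the real X10 function codes.
COMMANDS: Dict[str, int] = {
    "ALL_OFF": 0b0000,
    "ON": 0b0010,
    "OFF": 0b0011,
    "DIM": 0b0100,
    "BRIGHT": 0b0101,
}
CODE_TO_NAME: Dict[int, str] = {code: name for name, code in COMMANDS.items()}


def encode_command(code: int) -> List[bool]:
    """Return the pulse pattern for one 4-bit command.

    One entry per zero crossing, most significant bit first:
    True = 120 kHz pulse present (bit 1), False = no pulse (bit 0).
    """
    if not 0 <= code < 16:
        raise ValueError("X10 commands are four bits wide")
    return [bool((code >> shift) & 1) for shift in (3, 2, 1, 0)]


def decode_pulses(pulses: Iterable[bool]) -> List[int]:
    """Turn per-zero-crossing pulse observations back into 4-bit codes.

    Any node on the same circuit can do this, which is exactly the point
    the post makes about the traffic being unencrypted.
    """
    bits = list(pulses)
    if len(bits) % 4:
        raise ValueError("truncated frame: not a multiple of four zero crossings")
    codes: List[int] = []
    for i in range(0, len(bits), 4):
        code = 0
        for bit in bits[i:i + 4]:
            code = (code << 1) | int(bit)
        codes.append(code)
    return codes


def flag_unexpected(codes: Iterable[int], allowed: Set[int]) -> List[int]:
    """Defender-side check: report decoded commands this installation never
    legitimately sends. X10 carries no sender authentication, so an
    allow-list of expected commands is one of the few line-level signals
    that something foreign is talking on the circuit."""
    return [code for code in codes if code not in allowed]


if __name__ == "__main__":
    # Constructed sample: a legitimate ON and DIM, then a code this
    # installation never uses (treated as suspect by the monitor).
    line = (encode_command(COMMANDS["ON"])
            + encode_command(COMMANDS["DIM"])
            + encode_command(0b1111))
    decoded = decode_pulses(line)
    print([CODE_TO_NAME.get(c, f"unknown({c:04b})") for c in decoded])
    print("suspect codes:", flag_unexpected(decoded, set(COMMANDS.values())))
```

The allow-list check is deliberately simple: because the protocol itself offers no way to tell a legitimate controller from a planted one, the only thing a monitor on the line can do is compare what it sees against what the installation is known to send.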