
Threat Intelligence

Smart-Lock Hacks Point to Larger IoT Problems

Two recent reports on smart-lock vulnerabilities show that IoT vendors have a bigger job to do in ensuring their products are safely deployed and configured.

According to Grand View Research, the global smart-lock market size was valued at $1.2 billion in 2019, with over 7 million devices sold that year alone. It is further projected to register a CAGR of 18.5% from 2020 to 2027.

But two recently published reports on smart-lock vulnerabilities should make consumers and vendors alike think carefully about how these devices are deployed and implemented.

U-tec Ultraloq
Reporting on a flaw he found in the U-tec Ultraloq, a smart-lock product that began as an Indiegogo campaign, Craig Young, security researcher at Tripwire, tells Dark Reading that he came across the flaw in late 2019 simply because he had taken an interest in MQTT (Message Queuing Telemetry Transport), the lightweight publish-subscribe protocol used by constrained Internet of Things (IoT) devices.

As Young explains in his research: "The risk of using MQTT arises when it is deployed without proper authentication and authorization schemes. Without this, anyone who can connect to the broker can leak sensitive data and potentially influence kinetic systems. An unauthorized user that gains access to the MQTT broker can easily guess topic names and use # to subscribe to all kinds of topics to obtain data transiting the broker."

In conducting a series of searches on Shodan, a search engine for connected devices, Young discovered a server with several pages of MQTT topic names that also kept emerging in searches referencing "lock" and free email providers like "gmail.com."

"I queried the server myself with Linux command line tools (e.g. mosquitto_sub), and I was instantly inundated with PII apparently from all over the world," wrote Young, adding that data included email and IP addresses associated with locks and timestamped records of when and where they opened and closed.

Ultimately, Young says he was able to connect this back to U-tec. He next purchased the lock, paired it with Bluetooth via a Wi-Fi bridge, and monitored messages via MQTT until he found the flaw.

"The MQTT data correlates email addresses, local MAC addresses, and public IP addresses suitable for geolocation ... The device is also broadcasting the MAC address to anyone within radio range. This means that an anonymous attacker would also be able to collect identifying details of any active U-Tec customers including their email address, IP address, and wireless MAC addresses," he wrote. "This is enough to identify a specific person along with their household address … If the person ever unlocks their door with the U-Tec app, the attacker will also now have a token to unlock the door at a time of their choosing."

Young was able to reach the vendor by opening a support ticket to report the flaw. After first telling him, "Please don't worry," U-tec eventually fixed the issue by implementing access controls.

MQTT can be "a perfectly safe option," Young says, but U-tec didn't take the right steps.

"You should be using access controls, authentication and encryption. In this case with U-tec, it was initially using none of those," he says.
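The three controls Young names (access controls, authentication, encryption) map directly onto broker configuration. The following Mosquitto configuration is an added example, not U-tec's setup or anything from Young's report; it shows the exposed deployment the article describes beside a hardened one. File paths, the listener port, and the user and topic names are assumptions.

```conf
# --- Exposed deployment (matches the article's description) ---
# listener 1883
# allow_anonymous true          # anyone who can reach the broker may connect,
#                               # subscribe to '#' and read every topic

# --- Hardened deployment ---
listener 8883
protocol mqtt

# Encryption: TLS on the only listener; plaintext 1883 is not opened at all.
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
tls_version tlsv1.2

# Authentication: no anonymous clients; credentials come from a
# mosquitto_passwd-generated file (hashed, never plaintext).
allow_anonymous false
password_file /etc/mosquitto/passwd

# Access control: each client is confined to its own topic subtree,
# so a wildcard '#' subscription returns only that client's data.
acl_file /etc/mosquitto/acl

# --- /etc/mosquitto/acl (assumed layout) ---
# Default for any authenticated user: nothing.
# pattern substitution: %u is the connecting username.
# pattern readwrite locks/%u/#
#
# A monitoring service (assumed name) may read all lock events but write none.
# user lock-monitor
# topic read locks/#
```

With this configuration, an unauthenticated `mosquitto_sub -t '#'` against the broker is refused at connect time, which is the check a deployer should run before exposing a broker to the Internet.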

August Smart Lock
In another report, cybersecurity firm Bitdefender detailed a vulnerability it discovered with the August Smart Lock, also in late 2019, as part of an ongoing partnership with PCMag through which they evaluate smart device security.

In exploring this product, the Bitdefender team says it discovered that while the device's communication with the smartphone app is encrypted, the encryption key itself is hardcoded into the app, allowing an attacker within range to eavesdrop and intercept the Wi-Fi password.

According to Alex (Jay) Balan, chief security researcher at Bitdefender, while this vulnerability is specific to the moment of device setup, the team was also able to identify a way to social engineer the user to put the device in setup mode again by knocking it offline.

"Our approach would be, as attackers, knock it offline until the user gets frustrated, restarts the device, and reconfigures it to factory settings," Balan says. "That's when you intercept that communication and get the Wi-Fi password."

Bitdefender first reached out to August about the vulnerability in December; however, Balan says that "communication had a breakdown in March." When Bitdefender published its paper exposing the flaw this month, August resurfaced to say the company was issuing a fix, but Bitdefender could not confirm its success.

"They said they did ship a fix. We didn't get it. We cannot confirm a fix right now," Balan says.

A Larger Problem with IoT
Both Young and Balan say the problem has less to do with smart locks specifically and more to do with how IoT devices are developed and deployed, and with a lack of best practices and due diligence on the part of both vendors and consumers.

"It's a sad fact of life that not many companies have security contacts," says Balan, noting the difficulty Bitdefender has had reporting product vulnerabilities. "In my opinion, no company should operate without a functioning security contact."

He recommends consumers get their products from companies that have visible vulnerability and disclosure programs.

Young agrees. "There probably should be regulations in place saying if you're making certain types of devices, you need to have forms of contact," he says.

According to Aamir Lakhani, cybersecurity researcher and practitioner at FortiGuard Labs, vulnerabilities are common with smart locks and other IoT products because of the difficulty balancing security with ease of use.

"Designing a device that is easy to set up and also secure is difficult because manufacturers need to contend with a large variety of home networks, routers, access points, and other devices," he tells Dark Reading. "Therefore, manufacturers make their devices accessible for 'the least common denominator,' which usually means using security protocols that are not always the most secure for every environment."

Tanner Johnson, IoT cybersecurity analyst at Omdia, says that another problem is time to market. Devices are rushed out without enough focus on security.

"Companies themselves are more concerned about not making it to market at all than getting recalled," Johnson says. "They see a recall as terrible but not as bad as not being out there to compete in the market."

What's needed are regulations at the federal level, Johnson says. "I understand states are the labs of democracy," he says, "but it's not a time to make attempts at security. We need solutions for security, and they need to be accepted and respected."

IoT: Another Threat to Remote Workers
The need to secure IoT is more crucial as people work and learn from home.

"Attackers know that with a large number of people working at home, one possible way to access a home network, and perhaps laterally work their way into valuable corporate resources may be to attack home IoT devices and determine if they can use that as a launching point into other more valuable targets to the attacker," Lakhani says.

He recommends that end users, at minimum, change default passwords on IoT devices and segment home networks to separate corporate assets from personal IoT.

Further, he says, organizations can take steps to mitigate risks of IoT devices in a remote work environment by having proper security software, operating system patches and policies set up, as well as access methods like multifactor authentication, network access controls, and certificate-based access.

Nicole Ferraro is a freelance writer, editor and storyteller based in New York City. She has worked across b2b and consumer tech media for over a decade, formerly as editor-in-chief of Internet Evolution and UBM's Future Cities; and as editorial director at The Webby Awards. ...
Comments

mcr314 (User Rank: Apprentice), 8/21/2020 | 11:49:02 AM
EN 303 645 requires vulnerability disclosure
The article is correct: "There probably should be regulations in place saying if you're making certain types of devices, you need to have forms of contact."

Indeed, this is true. https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf says exactly this.

https://www.iotsecurityfoundation.org/just-13-percent-of-consumer-iot-firms-allow-vulnerability-reporting-despite-incoming-laws-and-international-standards/

There are additional guides, webinars, etc. at:

https://www.iotsecurityfoundation.org/consumer-iot/
