Other issues in this category (12)
Be smarter than your smart things!
Monday, September 19, 2016
Recently, smart locks with built-in Bluetooth modules have become all the rage with users, but they are not as reliable as their manufacturers claim. Anthony Rose, an independent expert, conducted research on the reliability of Bluetooth locks. It turned out that 12 of the 16 devices he tested are quite easy to hack.
As per an article in the Register, in some cases, Rose was able to do this from a distance of 400 meters.
The researcher spent roughly $200 overall for the hacking tools he used.
Four of the locks tested transmitted their passwords in plain text so it was very easy to hack those. Another five devices were vulnerable to replay attacks, which is when attackers intercept a signal and use it again to unlock a device. In addition, the expert was able to make one of the devices fail by sending it specially created packets.
According to Rose, Bluetooth lock manufacturers keep making basic errors, and those errors are causing these devices to become vulnerable. For example, the Quicklock application allows for a six-digit password, which is easy to crack with a brute force attack.
Rose contacted the manufacturers of the vulnerable devices, but the results were disappointing. Ten companies simply ignored his warning, while one of the manufacturers acknowledged the issue but refused to fix it.
This is the future in all its glory! To be able to track the owner of a property (a company, an apartment, etc.) using the property owner’s mobile device, and then wait for him/her to leave and break in. Without a forced entry or skeleton keys!
Today the situation with smart devices is counterintuitive:
- Rather powerful, miniature hardware lets users do what they need to do using a very small device that can be purchased at an affordable price. But, the same manufacturers complain that the power of the hardware platforms involved is not sufficient enough to make these devices safe and equip them with the encryption systems they need to resist hacking, software substitution, and so on.
- On the other hand, the public is not very interested in security issues. Despite the fact that various polls show that people are interested in them, in reality users settle on cheaper and less secure solutions. This is especially true of young people and those who want the latest, greatest thing.
The result is predictable—manufacturers pay attention to safety only if their reputations are at stake. And, here, a problem appears—actually, two problems.
The first is as old as the world of personal computers. People ignore updates. The availability of exploit kits containing solutions for vulnerabilities of bygone days is proof of that. But the world of smart technologies highlights something else: smart things require smart users. Creating new firmware and not ending up with a useless object at output—is far from being the same thing as clicking "Update".
The second problem is specific to the un-updatable world of things: many of them can’t be updated. Why? After all, these are just things that have some sort of advanced functionality!
The Anti-virus Times recommends
Do not trust promises of miracles. Unfortunately, miracles happen only in stories about imaginary worlds, and even there, not all endings are happy. Does anyone remember how the original Pinocchio story ended?
The future will come. But…
While preparing this issue…
One of the vulnerabilities found by researchers of a smart socket, which lets consumers schedule the time they want different instruments to turn on and off, concerns an unsafe password being used by default for the access point. Meanwhile, the manufacturer isn’t warning users that they need to change the password because it poses a security risk.
The second problem is that mobile apps send account details in plain text to access Wi-Fi, making it easy for attackers to intercept them. The data transferred between the application and the server isn’t encrypted either.
Knowing the manufacturer's password and the device's MAC address, an attacker can remotely exploit the vulnerability to intercept data and modify configuration settings (the power on/off schedule).