Internet of Things (IoT) security: what is and what should never be

The Internet has penetrated seemingly all technological advances today, resulting in Internet for ALL THE THINGS. What was once confined to a desktop and a phone jack is now networked and connected in multiple devices, from home heating and cooling systems like the Nest to AI companions such as Alexa. The devices can pass information through the web to anywhere in the world—server farmers, company databases, your own phone. (Exception: that one dead zone in the corner of my living room. If the robots revolt, I’m huddling there.)

This collection of inter-networked devices is what marketing folks refer to as the Internet of Things (IoT). You can’t pass a REI vest-wearing Silicon Valley executive these days without hearing about it. Why? Because the more we send our devices online to do our bidding, the more businesses can monetize them. Why buy a regular fridge when you can spend more on one that tells you when you’re running out of milk?

Unfortunately (and I’m sure you saw this coming), the more devices we connect to the Internet, the more we introduce the potential for cybercrime. Analyst firm Gartner says that by 2020, there will be more than 26 billion connected devices, excluding PCs, tablets, and smartphones. Barring an unforeseen Day After Tomorrow–style global catastrophe, this technology is coming. So let’s talk about the inherent risks, shall we?

What’s happening with IoT cybercrime today?

Both individuals and companies using IoT are vulnerable to breach. But how vulnerable? Can criminals hack your toaster and get access to your entire network? Can they penetrate virtual meetings and procure a company’s proprietary data? Can they spy on your kids, take control of your Jeep, or brick critical medical devices?

So far, the reality has not been far from the hype. Two years ago, a smart refrigerator was hacked and began sending pornographic spam while making ice cubes. Baby monitors have been used to eavesdrop on and even speak to sleeping (or likely not sleeping) children. In October 2016, thousands of security cameras were hacked to create the largest-ever Distributed Denial of Service (DDoS) attack against Dyn, a provider of critical Domain Name System (DNS) services to companies like Twitter, Netflix, and CNN. And in March 2017, Wikileaks disclosed that the CIA has tools for hacking IoT devices, such as Samsung SmartTVs, to remotely record conversations in hotel or conference rooms. How long before those are commandeered for nefarious purposes?

Privacy is also a concern with IoT devices. How much do you want KitchenAid to know about your grocery-shopping habits? What if KitchenAid partners with Amazon and starts advertising to you about which blueberries are on sale this week? What if it automatically orders them for you?

At present, IoT attacks have been relatively scarce in frequency, likely owing to the fact that there isn’t yet huge market penetration for these devices. If just as many homes had Cortanas as have PCs, we’d be seeing plenty more action. With the rapid rise of IoT device popularity, it’s only a matter of time before cybercriminals focus their energy on taking advantage of the myriad of security and privacy loopholes.

Security and privacy issues on the horizon

According to Forrester’s 2018 predictions, IoT security gaps will only grow wider. Researchers believe IoT will likely integrate with the public cloud, introducing even more potential for attack through the accessing of, processing, stealing, and leaking of personal, networked data. In addition, more money-making IoT attacks are being explored, such as cryptocurrency mining or ransomware attacks on point-of-sale machines, medical equipment, or vehicles. Imagine being held up for ransom when trying to drive home from work. “If you want us to start your car, you’ll have to pay us $300.”

It’ll be like a real-life Monopoly game.

Privacy and data-sharing may become even more difficult to manage. For example, how do you best protect children’s data, which is highly regulated and protected according to the Children’s Online Privacy Protection Rule (COPPA), if you’re a maker of smart toys? There are rules about which personally identifiable information can and cannot be captured and transmitted for a reason—because that information can ultimately be intercepted.

Privacy concerns may also broaden to include how to protect personal data from intelligence gathering by domestic and foreign state actors. According to the Director of National Intelligence, Daniel Coats, in his May 2017 testimony at a Senate Select Committee on Intelligence hearing: “In the future, state and non-state actors will likely use IoT devices to support intelligence operations or domestic security or to access or attack targeted computer networks.”

In a nutshell, this could all go far south—fast.

So why are IoT defenses so weak?

Seeing as IoT technology is a runaway train, never going back, it’s important to take a look at what makes these devices so vulnerable. From a technical, infrastructure standpoint:

  • There’s poor or non-existent security built into the device itself. Unlike mobile phones, tablets, and desktop computers, little-to-no protections have been created for these operating systems. Why? Building security into a device can be costly, slow down development, and sometimes stand in the way of a device functioning at its ideal speed and capacity.
  • The device is directly exposed to the web because of poor network segmentation. It can act as a pivot to the internal network, opening up a backdoor to let criminals in.
  • There’s unneeded functionality left in based on generic, often Linux-derivative hardware and software development processes. Translation: Sometimes developers leave behind code or features developed in beta that are no longer relevant. Tsk, tsk. Even my kid picks up his mess when he’s done playing. (No he doesn’t. But HE SHOULD.)
  • Default credentials are often hard coded. That means you can plug in your device and go, without ever creating a unique username and password. Guess how often cyber scumbags type “1-2-3-4-5” and get the password right? (Even Dark Helmet knew not to put this kind of password on his luggage, nevermind his digital assistant.)

From a philosophical point of view, security has simply not been made an imperative in the development of these devices. The swift march of progress moves us along, and developers are now caught up in the tide. In order to reverse course, they’ll need to walk against the current and begin implementing security features—not just quickly but thoroughly—in order to fight off the incoming wave of attacks.

What are some solutions?

Everyone agrees this tech is happening. Many feel that’s a good thing. But no one seems to know enough or want enough to slow down and implement proper security measures. Seems like we should be getting somewhere with IoT security. Somehow we’re neither here nor there. (Okay, enough quoting Soul Asylum.)

Here’s what we think needs to be done to tighten up IoT security.

Government intervention

In order for developers to take security more seriously, action from the government might be required. Government officials can:

  • Work with the cybersecurity and intelligence communities to gather a series of protocols that would make IoT devices safer for consumers and businesses.
  • Develop a committee to review intelligence gathered and select and prioritize protocols in order to craft regulations.
  • Get it passed into law. (Easy peasy lemon squeezy)

Developer action

Developers need to bake security into the product, rather than tacking it on as an afterthought. They should:

  • Have a red team audit the devices prior to commercial release.
  • Force a credential change at the point of setup. (i.e., devices will not work unless the default credentials are modified.)
  • Require https if there’s web access.
  • Remove unneeded functionality.
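To make the setup-gate and HTTPS items concrete, here is an added example (not code from the post or from any vendor’s firmware) of a first-boot gate that serves nothing but the setup page until the factory defaults have been replaced and the management URL is https. The factory defaults, salt, endpoint paths, and password policy are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, hypothetical factory defaults. The firmware keeps only salted
# hashes of them, so this table does not hand the plaintext to anyone who
# dumps the image.
_DEFAULT_SALT = b"hypothetical-per-model-salt"
_ITERATIONS = 20_000


def _digest(value: str, salt: bytes = _DEFAULT_SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, _ITERATIONS)


FACTORY_DEFAULTS = [_digest(v) for v in ("admin", "12345", "password", "admin1234")]
MIN_PASSWORD_LENGTH = 12


def matches_factory_default(value: str) -> bool:
    """Compare one value against every shipped default in constant time."""
    candidate = _digest(value)
    hit = False
    for default in FACTORY_DEFAULTS:
        # compare_digest runs for every entry so timing does not reveal
        # which default (if any) matched
        hit = hmac.compare_digest(candidate, default) or hit
    return hit


def validate_setup(username: str, password: str, mgmt_url: str) -> List[str]:
    """Return every reason the proposed setup is rejected; an empty list means OK."""
    problems = []
    if matches_factory_default(username):
        problems.append("username is a factory default")
    if matches_factory_default(password):
        problems.append("password is a factory default")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() == username.lower():
        problems.append("password equals username")
    if not mgmt_url.lower().startswith("https://"):
        problems.append("management interface must be served over https")
    return problems


@dataclass
class DeviceState:
    setup_complete: bool = False
    admin_user: Optional[str] = None
    pw_salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None
    mgmt_url: Optional[str] = None


def complete_setup(state: DeviceState, username: str, password: str,
                   mgmt_url: str) -> List[str]:
    """Apply the setup if it validates; otherwise the device stays locked."""
    problems = validate_setup(username, password, mgmt_url)
    if problems:
        return problems
    state.pw_salt = secrets.token_bytes(16)        # fresh salt for the chosen password
    state.pw_hash = _digest(password, state.pw_salt)
    state.admin_user = username
    state.mgmt_url = mgmt_url
    state.setup_complete = True
    return []


def handle_request(state: DeviceState, path: str) -> Tuple[int, str]:
    """Nothing but /setup is reachable until the defaults have been replaced."""
    if not state.setup_complete and path != "/setup":
        return 302, "/setup"
    if state.setup_complete and path == "/setup":
        return 403, "setup already completed"
    return 200, path


def verify_login(state: DeviceState, username: str, password: str) -> bool:
    """Constant-time check of a login attempt against the stored credential."""
    if not state.setup_complete or state.pw_hash is None or state.pw_salt is None:
        return False
    user_ok = hmac.compare_digest(username.encode("utf-8"),
                                  (state.admin_user or "").encode("utf-8"))
    pw_ok = hmac.compare_digest(_digest(password, state.pw_salt), state.pw_hash)
    return user_ok and pw_ok
```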

Thankfully, steps are already being taken, albeit slowly, in the right direction. In August 2017, Congress introduced the Internet of Things Cybersecurity Improvement Act, which seeks to require that any devices sold to the US government be patchable, not have any known security vulnerabilities, and allow users to change their default passwords. Note: sold to the US government. They’re not quite as concerned about the privacy and security of us civvies.

And perhaps in response to blowback from social and traditional media, including one of our own posts on smart locks, Amazon is now previewing an IoT security service.

So will cybersecurity makers pick up the slack? Vendors such as Verizon, DigiCert, and Karamba Security have started working on solutions purpose-built for securing IoT devices and networks. But there’s a long way to go before standards are established. In all likelihood, a watershed breach incident (or several) will lead to more immediate action.

How to protect your IoT devices

What can regular consumers and businesses do to protect themselves in the meantime? Here’s a start:

  • Evaluate if the devices you are bringing into your network really need to be smart. (Do you need a web-enabled toaster?) It’s better to treat IoT tech as hostile by default instead of inherently trusting it with all your personal info—or allowing it access onto your network. Speaking of…
  • Segment your network. If you do want IoT devices in your home or business, separate them from networks that contain sensitive information.
  • Change the default credentials. For the love of God, please come up with a difficult password to crack. And then store it in a password manager and forget about it.

The reason why IoT devices haven’t already short-circuited the world is because a lot of devices are built on different platforms, different operating systems, and use different programming languages (most of them proprietary). So developing malware attacks for every one of those devices is unrealistic. If businesses want to make IoT a profitable model, security WILL increase out of necessity. It’s just a matter of when. Until then…gird your loins.

ABOUT THE AUTHOR

Head of Content, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.


New Android malware could blow up your phone

Lo lo lo Loapi Trojan could break your Android

Posted: December 19, 2017

Kaspersky has found what they deem as a jack of all trades malicious app they call Trojan.AndroidOS.Loapi. Like the Trojan AsiaHitGroup we discovered last month on Google Play, this malware can do all the things—it’s a downloader, dropper, SMS Trojan, and can push ads all from the same malicious app. If left to its own devices, it could overheat the phone by taxing the processor, make the battery bulge, and essentially leave your Android for dead.

It seems creating Swiss army knife malware—lumping several uniquely malicious features into one catch-all malicious app—is becoming a trend. At least this time, the Loapi Trojan didn’t make it onto Google Play.

Loapi capabilities

For the purpose of hiding itself, Loapi poses (mostly) as a fake antivirus or, on the other end of the spectrum, adult content apps. It then asks for device administrator permissions to lock the screen of the mobile device, among other things. Furthermore, it takes the damage to another level by attempting to trick the user into thinking genuine anti-malware scanners are the real threat, and prompts to uninstall them if found. If that weren’t enough, it comes with a host of other features, including:

With everything going on in the background, Loapi puts an extreme load on the mobile device. This can lead to the Android literally blowing up from heat produced by the maxed-out processor and battery.

To state the obvious: This Loapi Trojan is quite nasty.

Darn it, tell me if you detect it or not already!

So, do we detect this monster? You bet we do! Our Malwarebytes for Android detection name is Android/Trojan.Dropper.Agent.BGT. You’ll be delighted to know that we’ve been on top of this bad boy since October.

In Malwarebytes for Android, detection of this infection is primarily done by our advanced deep scanner, which uses heuristic methodology to find malware, such as this Trojan, deeply embedded in the device. Deep scan is a feature in our Premium version. Therefore, if you want to stay protected in real time against Loapi, we recommend you upgrade to Premium after your free 30-day trial of Malwarebytes for Android. Stay safe out there!

ABOUT THE AUTHOR

Senior Malware Intelligence Analyst

Full time mobile malware researcher, part time endurance mountain bike athlete and world traveler. As nerdy about biking as he is about mobile malware.

Registry Cleaners: Digital Snake Oil

Posted: June 23, 2015
Last updated: October 19, 2016

A word on registry cleaners.

One of the most common complaints we see on our forums, and from our users, concerns a particular category of program called “Registry Optimizers” or “Registry Cleaners” or “Registry Defragmenters”. For this post, we will just refer to them as registry cleaners.

Who makes this software?

There are many software companies all over the world who make registry cleaners. Not all of them are included in our PUP classification. We will discuss why some get added to our PUP list later in this blog post, but for now, let’s look at what a registry cleaner is exactly in greater depth.

What is the registry?

Wikipedia defines it as

…a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems.

Think of it as a place where information about the programs you have installed on your computer is stored. Things like what options are enabled for programs, how they are setup, which user account can use them, and many other settings and preferences.

Where is the registry stored on my computer?

The registry is located in multiple places on your computer, and some of these places vary, depending on the version of Windows you are running. They are often referred to as registry hives.

If you really want to know where to find them, a quick Google search will tell you. You will notice that many of these searches give results that include the caveat that you shouldn’t touch the registry with an infinitely long pole.

Bad things happen when you make uninformed changes to the registry.

When were registries added to Windows?

Their introduction goes all the way back to Windows 3.1, so yeah… A long time ago.

Why would you need to clean it?

This is where we get to the heart of the problem. Many users swear by the performance differences they have experienced before and after running these types of programs.

We believe that this is mostly due to a computer version of the placebo effect. You watch the progress bar. The little lego blocks get stacked neatly. You get a report showing everything that is repaired… It’s all very satisfying.

All this makes what we are about to say very problematic. It might even make some readers angry…

Registry Cleaners are the digital equivalent of snake oil!

Snake oil is an expression that has come to refer to any product of questionable or unverifiable quality or benefit.

You should not have to optimize, defragment, organize, streamline, clean, compress, fold, knit, wash, or color code your registry. Ever. Period. Nada. Zilch.

The potential performance enhancements resulting from the use of these programs are at best minuscule and imperceptible.

At worst, they could damage your computer so badly as to require a re-installation of the operating system.

Don’t believe us?

How about what Microsoft themselves have to say about registry cleaners?

This is what Microsoft has to say about registry cleaners:

Microsoft does not support the use of registry cleaners. Some programs available for free on the internet might contain spyware, adware, or viruses. If you decide to install a registry cleaning utility, be sure to research the product and only download and install programs from publishers that you trust. For more information, see when to trust a software publisher.

Microsoft is not responsible for issues caused by using a registry cleaning utility. We strongly recommend that you only change values in the registry that you understand or have been instructed to change by a source you trust, and that you back up the registry before making any changes.
Microsoft cannot guarantee that problems resulting from the use of a registry cleaning utility can be solved. Issues caused by these utilities may not be repairable and lost data may not be recoverable.

Before you modify the registry, make sure you back it up, create a restore point, and make sure that you understand how to restore the registry if a problem occurs.

That’s a pretty damning statement.

Does that mean that we will add all these programs to our PUP definitions? No, as we mentioned earlier, not all registry cleaners meet our PUP definition criteria.

We can tell you these programs are snake oil, but we’re not going to try and force you not to use them. We don’t condone forcing stuff onto people, but forcing programs onto users is exactly how a registry cleaner would wind up flagged as a PUP by Malwarebytes Anti-Malware.

Let’s look at an example of how this happens.

Step 1

A software manufacturer partners with another software company that makes “bundlers” or “wrappers” to distribute their registry cleaner program. Let’s stick with the name bundlers for this example.

Bundlers put a bunch of programs together and offer the user these additional programs during the initial installation process. Sadly, many software companies do this, even some pretty big ones. We are not saying that all bundled software is malicious, only that this practice is ripe for abuse.

(Not all PUPs use a bundler, but the ones that do tend to misbehave…)

Remember, all the bundler wants to achieve is the maximum number of installations. It’s their business model. It’s how they get paid. It is also therefore not surprising that they would bend the rules as far as they can in order to achieve this.

(A side effect of surrendering the distribution of your program to a third-party is that you can then insulate yourself from their bad behavior… Right there we have an ethical quandary.)

Step 2

The bundler pre-populates the installation check box for several programs, including their partnered registry cleaner. They then seed the Internet with their bundled installer.

This can be through an affiliate marketing scheme to distribute the bundle, aggressive online adverts, or any number of other ways.

Step 3

A user, either seeking one of the other programs that are part of the bundler or deceived into installing it through “dark patterns”, double negatives, and confusing opt-out techniques winds up with the registry cleaner installed. Some of these software manufacturers will go so far as to have two versions of their programs.

  • An official one, available from their website, that reports a low error count, has opt-in partner program installations, and looks innocuous.
  • An affiliate version that has opt-out partner programs, a silent install, and an aggressive detection count. That version can only be found on the web during an active affiliate campaign. This is done so the software vendor can claim innocence and blame a rogue affiliate for the aggressive nature of the program.

Step 4

The registry cleaner runs as part of its installation, and/or configures itself to run at startup, perform a scan, and generate a report showing a large number of errors found.

(Hint: Registry cleaners will ALWAYS find errors, even on a freshly installed operating system! The trick is that these software manufacturers are classifying events recorded in the registry as critical errors that require “fixing”.)

This program now runs at every start up, generating the “push for sale” popup, with the results of the scan and the numerous “errors”.

Sometimes the UI is designed to make the window difficult to close.

Sometimes the registry cleaner periodically displays the “push for sale” pop up AGAIN in the same session, despite the user having closed it and declined to purchase the software. They may use bubble notifications in the taskbar.

These types of behaviors are how we rate the aggressiveness of the registry optimizers in determining if a PUP classification is warranted.

Step 5

The user clicks on the fix button of the report, and is funneled to a purchase page for the registry cleaner. The user buys the software, alarmed at the numerous registry “errors” reported.

The bundler, affiliates, and the software manufacturer split the profits. The user has paid for a program that is at best useless, and at worst could damage the registry and make the computer unusable.

These are the PUP criteria that merit flagging such a program as a Potentially Unwanted Program:

  • Malicious bundling
  • Pre-populated checkboxes
  • The recently added category: registry cleaners, optimizers, and defragmenters

You can find our complete PUP criteria classification page here.

The changes to our PUP classification took place as a result of listening to our user base.

We have seen the large number of complaints on forums about these programs. We have seen the deceptive methods they use to sneak onto computers in an effort to extract payment for non-existent errors detected by a program of little or no value.

We have revised our Potentially Unwanted Program stance in the past, and now have revised it again to include Registry Cleaners that exhibit these aggressive traits.

Presently our default behavior is to quarantine PUPs. Unlike the programs that we classify as such, when using Malwarebytes Anti-Malware you decide what to keep or remove, and our free version provides you with full removal capabilities, should you choose the latter.

By pushing the limits of marketing techniques, by playing the numbers games on unwanted installations, by claiming innocence and blaming overzealous affiliates for repeated bad behavior, the purveyors of this digital snake oil will earn a well deserved potentially unwanted program classification.

Our vision statement at Malwarebytes is that “everyone has a fundamental right to a malware free existence,” and we mean to uphold it.

https://blog.malwarebytes.com/cybercrime/2015/06/digital-snake-oil/

What is cryptocurrency and why do cybercriminals love it?

Ever pretend you know what your friends are talking about because you want to sound smart and relevant—and then trap yourself in a lie?

“Wow, looks like those hackers were mining for cryptocurrency. You know what cryptocurrency is, right?”

“Oh yeah, totally. Cryptocurrency. Bad stuff. You know. Currency? In the crypt? Bad.”

“Yeah….”

Okay, so the next time someone asks, “What is cryptocurrency, anyway?” instead of awkwardly shrugging, be prepared to dazzle them with your insider knowledge.

What is cryptocurrency, in a nutshell?

In its simplest form, cryptocurrency is digital money. It’s currency that exists in the network only—it has no physical form. Cryptocurrency is not unlike regular currency in that it’s a commodity that allows you to pay for things online. But the way it was created and managed is revolutionary in the field of money. Unlike dollars or euros, cryptocurrency is not backed by the government or banks. There’s no central authority.

If that both excites and scares you, you’re not alone. But this technology train has left the station. Will it be a wreck? Or will it be the kind of disruptive tech that democratizes the exchange of currency for future generations?

Let’s take a closer look at what cryptocurrency is, how it works, and what are the possible pitfalls.

What makes cryptocurrency different from regular money?

If you take away all the techno-babble around cryptocurrency, you can reduce it down to a simple concept. Cryptocurrency is entries in a database that no one can change without fulfilling specific conditions. This may seem obtuse, but it’s actually how you can define all currency. Think of your own bank account and the way transactions are managed—you can only authorize transfers, withdrawals, and deposits under specific conditions. When you do so, the database entries change.

The only major difference, then, between cryptocurrency and “regular” money is how those entries in the database are changed. At a bank, it’s a central figure who does the changing: the bank itself. With cryptocurrency, the entries are managed by a network of computers belonging to no one entity. More on this later.

Outside of centralized vs. decentralized management, the differences between cryptocurrency and regular currency are minor. Unlike the dollar or the yen, cryptocurrency has one global rate—and is worth a lot. As of November 2017, one Bitcoin is equal to $6,942.77. Its value has increased exponentially this year, exploding from around $800 in January 2017.

How does cryptocurrency work?

Cryptocurrency aims to be decentralized, secure, and anonymous. Here’s how its technologies work together to try and make that happen.

Remember how we talked about cryptocurrency as entries in a database? That database is called the blockchain. Essentially, it’s a digital ledger that uses encryption to control the creation of money and verify the transfer of funds. This allows for users to make secure payments and store money anonymously, without needing to go through a bank.

Information on the blockchain exists as a shared—and continuously reconciled—database. The blockchain database isn’t stored in a single location, and its records are public and easily verified. No centralized version of this information exists for a cybercriminal to corrupt. Hosted by millions of computers simultaneously, its data is accessible to anyone on the Internet.

So how, exactly, is cryptocurrency created and maintained on the blockchain? Units are generated through a process called mining, which involves harnessing computer power (CPU) to solve complicated math problems. All cryptocurrencies are maintained by a community of miners who are members of the general public that have set up their machines to participate in validating and processing transactions.

And if you’re wondering why a miner would choose to participate, the answer is simple: Manage the transactions, and earn some digital currency yourself. Those that don’t want to mine can purchase cryptocurrency through a broker and store it in a cryptocurrency wallet.
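As an added illustration (not code from the post, and far simpler than Bitcoin), here is a toy ledger built the way the post describes it: each transfer is an entry, each block commits to the previous block’s hash, transfers are checked against balances before they are accepted, and “mining” is the search for a nonce whose hash meets a difficulty target. The difficulty, the reward, and the participant names are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List

# Hypothetical difficulty: a block hash must start with this many hex zeros.
# Real networks use a far harder target; this one mines in milliseconds.
DIFFICULTY = 3
MINING_REWARD = 10      # assumed reward, the miner's incentive to do the work


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: List[Dict]
    nonce: int = 0

    def hash(self) -> str:
        # The hash covers every field, so changing any entry changes the hash.
        payload = json.dumps(asdict(self), sort_keys=True).encode("utf-8")
        return hashlib.sha256(payload).hexdigest()


def meets_target(block: Block) -> bool:
    return block.hash().startswith("0" * DIFFICULTY)


def mine(block: Block) -> Block:
    """Search for a nonce that satisfies the target: the 'math problem' miners solve."""
    block.nonce = 0
    while not meets_target(block):
        block.nonce += 1
    return block


class Ledger:
    """A shared list of blocks; any participant can re-run is_valid() on it."""

    def __init__(self, genesis_recipient: str = "alice", genesis_amount: int = 50):
        genesis = Block(0, "0" * 64,
                        [{"from": "mint", "to": genesis_recipient, "amount": genesis_amount}])
        self.chain = [mine(genesis)]

    def balances(self) -> Dict[str, int]:
        """Replay every entry; 'mint' is the source of newly created units."""
        bal: Dict[str, int] = {}
        for block in self.chain:
            for tx in block.transactions:
                if tx["from"] != "mint":
                    bal[tx["from"]] = bal.get(tx["from"], 0) - tx["amount"]
                bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
        return bal

    def add_block(self, transactions: List[Dict], miner: str) -> bool:
        """Validate the transfers against current balances, then mine and append."""
        bal = self.balances()
        for tx in transactions:
            if tx["amount"] <= 0 or bal.get(tx["from"], 0) < tx["amount"]:
                return False                # overspend: rejected before any mining
            bal[tx["from"]] -= tx["amount"]
            bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
        reward = {"from": "mint", "to": miner, "amount": MINING_REWARD}
        block = Block(len(self.chain), self.chain[-1].hash(), transactions + [reward])
        self.chain.append(mine(block))
        return True

    def is_valid(self) -> bool:
        """What every node re-checks: proof of work met and hash links intact."""
        for i, block in enumerate(self.chain):
            if not meets_target(block):
                return False
            if i > 0 and block.prev_hash != self.chain[i - 1].hash():
                return False
        return True
```

Editing a settled entry changes that block’s hash, so the next block’s prev_hash no longer matches and is_valid() fails; rewriting it would mean redoing the proof of work for every later block, which is what makes the database hard to change.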

When was cryptocurrency developed?

In the wake of Occupy Wall Street and the economic crash of 2008, Satoshi Nakamoto created Bitcoin, a “peer-to-peer electronic cash system.” Bitcoin was a slap in the face to the “too big to fail” banks because it operated outside of a central authority, with no server and no one entity running the show. Bitcoin pioneers had high hopes of eliminating the middle man in order to cancel interest fees, make transactions transparent, and fight corruption.

While Bitcoin was the first and remains the most popular cryptocurrency, others saw its potential and soon jumped on the bandwagon. Litecoin was developed in 2011, followed by Ripple in 2012. In 2015, Ethereum joined the fray and has become the second most-popular cryptocurrency. According to CoinMarketCap, there are now more than 1,000 cryptocurrencies on the Internet.

Cryptocurrency’s popularity on the Internet soon bled into other real-world applications. Japan has adopted Bitcoin as an official currency for commerce. Banks in India are using Ripple as an alternative system for transactions. JP Morgan is developing its own blockchain technology in partnership with Quorum, an enterprise version of Ethereum.

However, as with any new and relatively untested technology, the cybercriminals wanted in. And it wasn’t long before Bitcoin and other cryptocurrencies fell victim to their own democratic ideals.

How has cryptocurrency been abused?

As secure as a Bitcoin address is, the application of its technology is often fumbled, usually by unpracticed programmers looking to get in on the action and creating faulty code. Fundamentally, the system is superior to centralized database systems, but poor coding practices among its thousands of practitioners have created a multitude of vulnerabilities. Like vultures to carrion, cybercriminals flocked to exploit. According to Hacked, an estimated 10 to 20 percent of all Bitcoin in existence is held by criminals.

While cryptocurrency was initially hailed as the next big thing in money, a savior for folks who just lost everything in steep recession (but watched as the banks that screwed them over walked away unscathed), a hack in 2011 showed how insecure and easily stolen cryptocurrency could be. Soon, the criminal-minded rushed in, looking to take advantage of the cheap, fast, permission-less, and anonymous nature of cryptocurrency exchange. Over the last nine years, millions of Bitcoin, worth billions of dollars, have been stolen—some events so major that they drove people to suicide.

On a smaller but much more frequent scale, cryptocurrency is used on the black market to buy and sell credit card numbers and bot installs, fund hacktivism or other “extra-legal” activity, and launder money. It’s also the payment method of choice for ransomware authors, whose profits are made possible by collecting money that can’t be traced. Certainly makes getting caught that much more difficult.

Ransom note asking for Bitcoin

And if that weren’t enough to call cryptocurrency unstable, the process of mining itself is vulnerable and has already attracted some high-profile hacks. Services such as CoinHive allow those that deploy it to use the CPUs of their site visitors to mine—without the visitors’ knowledge or permission. This process, known as cryptojacking, is robbery-lite: Users may see an impact to their computer’s performance or a slight increase in their electric bill, but are otherwise unaffected. Or that is, they were, until cybercriminals figured out how to hack CoinHive.

Future applications

So where does that leave us with cryptocurrency? Surely its popularity is skyrocketing and its value is spiking so hard it could win a gold medal for beach volleyball at the Olympics. But is it a viable, safe alternative to our current currencies? Cryptocurrency could democratize the future of money—or it could end up in technology hell with AskJeeves and portable CD players.

We can see the technological applications for the future that demonstrate the clear advantages of cryptocurrency over our current system. But right now, cryptocurrency is good in theory, bad in practice. The tech is volatile and highly hackable, and we’ll have to move to create security measures that can keep up with its development, otherwise cybercriminals will flood the market so heavily that it never moves beyond the dark web.

If you want to learn even more about cryptocurrency, stay tuned for a deeper dive on blockchain technology and a full report on cryptojacking.

Posted: November 3, 2017
Last updated: November 2, 2017

ABOUT THE AUTHOR

Head of Content, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.

“Please don’t buy this: smart locks”

We all like buying the latest and greatest tech toy. It’s fun to get new and novel features on a product that used to be boring and predictable; a draw of the original BeBox (amongst many) was a layer of “das blinkenlights” across the front. But sometimes, the latest feature is not always the greatest feature. And sometimes, some things should not be on the Internet at all. For readers concerned with privacy, or who simply do not want to introduce additional hassle into their tech maintenance routine, we introduce the first entry in our series called “Please don’t buy this.” Today’s feature: smart locks.

The cool new thing

Recently, Amazon announced a new service combining a selection of smart locks, a web-connected security camera, and a network of home service providers that work in concert to allow remote access to your home. Setting aside the question of giving unsupervised access to third-party contractors vetted by an unpublished standard, let’s take a look at why smart locks might not be the best purchase.

Amazon’s program actually works with three different existing smart lock products, as seen here.

“Smart lock” is a bit of a catchall term covering a wide variety of technologies, so what are the Amazon locks dependent on, and what security vulnerabilities do those technologies include? It’s a bit of a mystery, as the Amazon sales pages don’t include that information, nor does the “technical specification” page of one of the manufacturers.

What we can surmise is that these locks will require replaceable batteries, and that at least one of the locks offers the user Wi-Fi access. While allowing remote unlocks of your home without any in-person authentication is a pretty transparently bad idea, a number of other smart locks have attempted a more secure approach using Bluetooth Low Energy (BLE), which affords some additional security features that the original protocol does not.

Unfortunately, while the protocol itself has a generally good security profile, the implementations and companion apps put out by lock manufacturers aren’t quite as good. In tests at last year’s Defcon, 12 out of 16 smart lock models failed under sustained attack. Most of these failures concerned either the encryption implementation or shoddy code in the associated apps.

Why it’s less cool than it appears

Setting aside poor security design and implementation, “smart” devices like these tend to come with fuzzy legal boundaries surrounding ownership and maintenance. Last year, a home automation hub company called Revolv was shut down during an acquisition. Rather than simply ceasing to provide updates, the company disabled the devices.

This was an inconvenience for users, but what if it were your front door? Given the current state of mobile OS fragmentation, would it be that much of a surprise if a lock company simply declined to provide security updates? We couldn’t find any information on how the new Amazon-compatible locks are updated, how authorized delivery personnel will interact with the locks, or whether any third party has access to data communicated by the lock and/or the accompanying phone apps.

These are questions that would be concerning for any device. But when that device affords access to your home, considerably more transparency about the device’s underlying technology should be mandatory.

Conclusion

A physical deadbolt has security flaws as well. But deadbolts have a standardized design, commonly accepted standards that they are evaluated against, can be repaired or replaced by anybody, and are unequivocally owned by you. Can a smart lock’s EULA claim the same? Smart locks could achieve acceptable purchase status if they met the following criteria:

  • independent, industry-wide security standards in design
  • independent code auditing
  • no Wi-Fi
  • conventional implementation of industry-standard encryption
  • no third-party data storage
  • right to repair

Until smart locks can meet these standards, we respectfully suggest... Please don’t buy this.

Posted: October 26, 2017 by 

ABOUT THE AUTHOR

Breaking things and wrecking up the place since 2005.
