Two recent reports on smart-lock vulnerabilities show that IoT vendors have a bigger job to do in ensuring their products are safely deployed and configured.
According to Grand View Research, the global smart-lock market size was valued at $1.2 billion in 2019, with over 7 million devices sold that year alone. It is further projected to register a CAGR of 18.5% from 2020 to 2027.
But two recently published reports on smart-lock vulnerabilities should make consumers and vendors alike think carefully about how these devices are deployed and implemented.
Reporting on a flaw he found with the U-tec Ultraloq – a smart-lock project that began as an Indiegogo campaign – Craig Young, security researcher at Tripwire, tells Dark Reading that he came across this flaw in late 2019 simply because he had taken an interest in the lightweight publish-subscribe protocol MQTT (Message Queuing Telemetry Transport) used for constrained Internet of Things (IoT) devices.
As Young explains in his research: "The risk of using MQTT arises when it is deployed without proper authentication and authorization schemes. Without this, anyone who can connect to the broker can leak sensitive data and potentially influence kinetic systems. An unauthorized user that gains access to the MQTT broker can easily guess topic names and use # to subscribe to all kinds of topics to obtain data transiting the broker."
In conducting a series of searches on Shodan, a search engine for connected devices, Young discovered a server whose MQTT topic names ran to several pages and that also kept emerging in searches referencing "lock" and free email providers like "gmail.com."
"I queried the server myself with Linux command line tools (e.g. mosquitto_sub), and I was instantly inundated with PII apparently from all over the world," wrote Young, adding that data included email and IP addresses associated with locks and timestamped records of when and where they opened and closed.
Ultimately, Young says he was able to connect this back to U-tec. He next purchased the lock, paired it over Bluetooth with a Wi-Fi bridge, and monitored messages via MQTT until he found the flaw.
"The MQTT data correlates email addresses, local MAC addresses, and public IP addresses suitable for geolocation ... The device is also broadcasting the MAC address to anyone within radio range. This means that an anonymous attacker would also be able to collect identifying details of any active U-Tec customers including their email address, IP address, and wireless MAC addresses," he wrote. "This is enough to identify a specific person along with their household address … If the person ever unlocks their door with the U-Tec app, the attacker will also now have a token to unlock the door at a time of their choosing."
Young was able to reach the vendor by opening a support ticket to report the flaw. After first telling him, "Please don't worry," U-tec eventually fixed the issue by implementing access controls.
MQTT can be "a perfectly safe option," Young says, but U-tec didn't take the right steps.
"You should be using access controls, authentication and encryption. In this case with U-tec, it was initially using none of those," he says.
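The three controls Young names (access controls, authentication, encryption) expressed as a Mosquitto broker configuration, with the weak deployment pattern shown beside the hardened one. This is an added example, not configuration from the article or from U-tec; the file paths, usernames and topic layout are assumed.

```conf
# Added example (not from the article or U-tec). Paths, usernames and
# topic names are assumed placeholders.

# --- Weak deployment (the pattern the article describes) ---
# listener 1883
# allow_anonymous true    # anyone who can reach the port can connect
# (no password_file, no acl_file, no TLS): any client may subscribe to
#  '#' and receive every message transiting the broker in cleartext)

# --- Hardened deployment: /etc/mosquitto/mosquitto.conf ---
listener 8883
# Encryption: TLS on the only listener; the plaintext port 1883 is never opened.
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key

# Authentication: every client must present a username and password
# (entries are created with: mosquitto_passwd -c /etc/mosquitto/passwd <user>).
allow_anonymous false
password_file /etc/mosquitto/passwd

# Authorization: topic access is scoped per account, so a wildcard
# subscription to '#' returns only the topics that account may read.
acl_file /etc/mosquitto/acl

# --- Contents of /etc/mosquitto/acl (assumed path) ---
# Each bridge account may only publish or subscribe beneath its own prefix;
# Mosquitto substitutes %u with the authenticated username.
pattern readwrite locks/%u/#

# A monitoring account may read all lock topics but cannot publish to them.
user lock-monitor
topic read locks/#
```

With this in place, a `mosquitto_sub` client that connects without credentials is refused, and an authenticated bridge account subscribing to `#` sees only its own `locks/<username>/` subtree rather than every customer's records.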
August Smart Lock
In another report, cybersecurity firm Bitdefender detailed a vulnerability it discovered with the August Smart Lock, also in late 2019, as part of an ongoing partnership with PCMag through which they evaluate smart device security.
In exploring this product, the Bitdefender team says it discovered that while the device's communication with the smartphone app is encrypted, the encryption key itself is hardcoded into the app, allowing an attacker within range to eavesdrop and intercept the Wi-Fi password.
According to Alex (Jay) Balan, chief security researcher at Bitdefender, while this vulnerability is specific to the moment of device setup, the team was also able to identify a way to social engineer the user to put the device in setup mode again by knocking it offline.
"Our approach would be, as attackers, knock it offline until the user gets frustrated, restarts the device, and reconfigures it to factory settings," Balan says. "That's when you intercept that communication and get the Wi-Fi password."
Bitdefender first reached out to August about the vulnerability in December; however, Balan says that "communication had a breakdown in March." When Bitdefender published its paper exposing the flaw this month, August resurfaced to say the company was issuing a fix, but Bitdefender could not confirm its success.
"They said they did ship a fix. We didn't get it. We cannot confirm a fix right now," Balan says.
A Larger Problem with IoT
Both Young and Balan say the problem has less to do with smart locks and more with the ways that IoT devices are developed and deployed, as well as with a lack of best practices and due diligence by both vendors and consumers.
"It's a sad fact of life that not many companies have security contacts," says Balan, noting the difficulty Bitdefender has had reporting product vulnerabilities. "In my opinion, no company should operate without a functioning security contact."
He recommends consumers get their products from companies that have visible vulnerability and disclosure programs.
Young agrees. "There probably should be regulations in place saying if you're making certain types of devices, you need to have forms of contact," he says.
According to Aamir Lakhani, cybersecurity researcher and practitioner at FortiGuard Labs, vulnerabilities are common with smart locks and other IoT products because of the difficulty balancing security with ease of use.
"Designing a device that is easy to set up and also secure is difficult because manufacturers need to contend with a large variety of home networks, routers, access points, and other devices," he tells Dark Reading. "Therefore, manufacturers make their devices accessible for 'the least common denominator,' which usually means using security protocols that are not always the most secure for every environment."
Tanner Johnson, IoT cybersecurity analyst at Omdia, says that another problem is time to market. Devices are rushed out without enough focus on security.
"Companies themselves are more concerned about not making it to market at all than getting recalled," Johnson says. "They see a recall as terrible but not as bad as not being out there to compete in the market."
What's needed are regulations at the federal level, Johnson says. "I understand states are the labs of democracy," he says, "but it's not a time to make attempts at security. We need solutions for security, and they need to be accepted and respected."
IoT: Another Threat to Remote Workers
The need to secure IoT is more crucial as people work and learn from home.
"Attackers know that with a large number of people working at home, one possible way to access a home network, and perhaps laterally work their way into valuable corporate resources may be to attack home IoT devices and determine if they can use that as a launching point into other more valuable targets to the attacker," Lakhani says.
He recommends that end users, at minimum, change default passwords on IoT devices and segment home networks to separate corporate assets from personal IoT.
Further, he says, organizations can take steps to mitigate risks of IoT devices in a remote work environment by having proper security software, operating system patches and policies set up, as well as access methods like multifactor authentication, network access controls, and certificate-based access.