Tech Talk: Trusting IoT Right Now May Be A Bad Idea

The Internet of Things movement has been subject to security concerns from its inception, and most buyers are okay with that. The issue comes when certain IoT appliances that really should not be insecure end up being insecure. While there are a huge number of proprietary standards out there, to the point that there’s an all-out war to determine even the dominant category of IoT standard, most IoT devices use some derivative of Wi-Fi, Bluetooth, or cellular signal to communicate. These are all protocols that can easily be broken into if they’re not carefully secured. The problem with IoT devices is that they usually aren’t. One particularly alarming example of that was shown at the recent DEF CON security conference.

At the conference, white hat hackers and security research firms strut their stuff by cracking the latest tech wide open and showing everybody exactly how they did it, so that the manufacturer can patch up the loophole that made the hack viable. Naturally, such gatherings of great minds in security often include more off-the-grid elements, and it’s one of those that actually managed to bust the best-in-show smart lock wide open. First, two representatives from Merculite Security went to work on a set of smart locks. In total, 12 of the 16 locks tested went down. Of them, three different companies’ models literally broadcast their passwords in plain text to anybody listening via Bluetooth. Let that sink in. If your front door is secured by Quicklock, iBluLock, or Plantraco, any schmuck with a $10 Android phone from Walmart could let themselves into your home with the help of root privileges and a few apps related to Bluetooth sniffing and logging. The other locks, aside from the four left standing, required some convoluted exploits, like using a sniffer to record traffic when an authorized user opened the door and then playing that back, but went down easily enough.

The real showstopper was when an independent hacker by the handle of Jmaxxz managed to crack the nicest lock in show, an August model, wide open, and had prepared a presentation about the whole thing, complete with angsty princesses sarcastically complaining about how difficult it was to crack the locks. Naturally, some of the locks ended up losing out to a good old-fashioned screwdriver as well; this means that the locks were not only digitally insecure, but also physically so. These are flaws you’re not going to find on the average $20 Kwikset, and they are a nice representation of security in IoT right now; that is to say, there basically is none.


There are some companies, of course, looking to buck that trend. Right now, the most shining example is Samsung. Recently, Samsung committed to providing more security in not only their Tizen-based Smart TVs, but their entire Smart Home IoT setups. Amazon Echo, meanwhile, is relatively safe from backdoors, according to Amazon, and the upcoming Google Home is a complete wildcard. For the most part, though, the swath of smart fridges, coffee makers, washers, and thermostats out there is far from hack-proof. At the dawn of the IoT movement, there were whispers that the huge number of different standards coming out, along with basic security protocols being followed, would likely be adequate, given the scale and use cases of the tech. Obviously, that has proven to be far from correct in this day and age: ransomware for thermostats is a thing, white hat hackers have taken over cars on test tracks as a proof of concept, and here we are at the logical conclusion of it all: literally insecure smart door locks. So, in conclusion, IoT may be incredibly convenient and make your life far easier, but trusting the tech right now is a horrible idea.