This popular smart lock could have been easily hacked -- what to do now

1. Home
2. News
3. Security

This popular smart lock could have been easily hacked -- what to exercise now

(Image credit: Amazon)

UPDATED for clarification.

A security researcher warns that a popular smart lock could have been easily opened by anyone equally the result of a major flaw.

According to an investigation by security business firm Tripwire, a threat role player would accept had the power to access information stored on cloud servers pertaining to any U-Tec UltraLoq, including its Internet Protocol (IP) address and the email address of its main user -- enough to physically locate the lock and open up it.

• Best VPN: add an extra layer of security with a virtual individual network
• The all-time antivirus software to keep you lot and your devices safe
• Only In: VPN security alarm: 900 servers hit by huge information breach

Serious flaw

"This is enough to identify a specific person forth with their household address," Tripwire security researcher Craig Young in a web log posting yesterday (Aug. v).

He went on to say that hackers could "precisely place an private" considering the server data "correlates email addresses, local MAC addresses, and public IP addresses suitable for geolocation."

If the user then sent the UltraLoq an unlock control from a smartphone app while the attacker was monitoring the deject server, the attacker could replay the unlock command at a later time and unlock the lock.

"If the person ever unlocks their door with the U-Tec app," wrote Young, "the attacker will also now have a token to unlock the door at a time of their choosing."

Another flaw meant attackers had the ability to stop users from accessing their locks through the distribution of spoofed messages, an action described past Immature as "confusing."

UltraLoq is a connected lock that is available to purchase at retailers such as Amazon, Walmart and Home Depot.

"The locks boast some advanced features including fingerprint readers and anti-peep touchscreens likewise every bit Bluetooth and Wi-Fi connectivity for app-based control," wrote Young.

While describing the locks equally "user-friendly" for consumers, he warned that "they may leave some users feeling uneasy nigh security."

Last November, Young discovered the flaw in question, which has since been fixed past the manufacturer on the server side. Only for the first time, he's detailed the vulnerability and what information technology meant for customers.

Young explained that "attackers could easily steal 'unlock tokens' in bulk or from specific devices knowing but the MAC address".

The MAC accost is a device unique identifier that consists of six two-graphic symbol pairs, such as A1:2B:C3:4D:E5:F8. Annihilation that connects to a network has a MAC address for each network port.

By design, networked devices broadcast their MAC addresses over Wi-Fi, Bluetooth, Ethernet and other network protocols then that they tin can be found and connected to. Basically, each device is shouting its name and saying "I'grand here!"

Security nightmare

UltraLoq locks use MQTT, a low-power protocol that relays messages between Internet of Things and smart-home devices.

Devices can't transport messages directly to each other, however -- they accept to relay letters through an MQTT "broker", a piece of software that sits on a server and acts as a telephone operator.

In U-Tec's case, that MQTT banker was hosted on Amazon Web Services, and it was open up to the cyberspace. Young found it past scanning the internet with Shodan, a search engine meant to observe non-PC, not-smartphone devices connected to the cyberspace.

Immature noticed that the U-Tec MQTT server was listing the status of each UltraLoq. Each entry listed the UltraLoq'south Cyberspace Protocol (IP) address, and frequently whether the lock was connected or disconnected and the user'southward email address.

Using his own UltraLoq and the corresponding smartphone app while he monitored his own lock'due south entries on the MQTT deject broker, Immature plant that his smartphone sent unlock commands to his UltraLoq using the same text string every fourth dimension.

He replayed that text string from his reckoner, which wasn't authorized to unlock the UltraLoq, and the lock opened anyway.

What to practise

Jake Moore, a security specialist at ESET, told Tom's Guide: "The massive growth in IoT devices placed in the home and function is the perfect breeding ground for hackers to brand the nigh of user convenience.

"IoT devices are far too often packaged up with weak (if any) born security features so the public are on the dorsum foot from the get go and enjoy these devices working straight out of the box. Furthermore, security updates tend to exist infrequent which put extra risk on the possessor to make certain they are safety."

He recommends: "The best way to protect your IoT device is by setting a strong and unique password for it and making sure it is capable of implementing two factor authentication.

"Withal, some things are all-time left physical and if information technology'south that significant to have a lock in place, it is clearly important enough to secure in the all-time style possible. It is also vital for users to plough off non-authenticated user access as this tin lead to threat actors intercepting remotely."

• More: Stay safer at home with the all-time smart locks

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Contained, the Daily Telegraph, The Side by side Spider web, T3, Android Cardinal, Computer Weekly, and many others. He as well happens to be a diehard Mariah Carey fan!

Source: https://www.tomsguide.com/news/smart-lock-hacker-unlock

Posted by: akerscoustopeceir.blogspot.com

Share this post