Painful IoT Security Lessons Highlighted by a Digital Padlock
The first warning sign was “hackproof” in the 360Lock marketing materials. As it turns out, with no surprise to any security professional, the NFC and Bluetooth enabled padlock proved to be anything but secure.
Straightforward penetration testing revealed horrible logical and physical security for a padlock that promotes itself as “incorruptible” and “hackproof”!
Digital Transformation is a rush to connect our physical world to the global electronic ecosystem to enable better access, integration, and advanced capabilities. Internet of Things (IoT) devices are often at the forefront of this movement, turning normal devices into ‘smart’ devices. Sometimes even the best ideas fail when it comes to design and execution.
This padlock has several innovative features such as connectivity to mobile applications, an included RFID wristband and tag for easy unlocking, configurability to add access for others, and a detailed history log. What it lacks however, is actual security.
Simple pentesting proved what was likely a foregone conclusion. The kickstarter funded lock is neither hackproof nor secure. Testers found that simple replay attacks could trick the logic to open the device. Additionally, crude brute-force methods were able to compromise the integrity of the lock mechanism. Pounding it with a hammer quickly defeated the padlock.
The results highlighted that the $40 lock is not robust and better served as a visual deterrent, casual locking device, or novelty item.
An industry problem
A massive quantity and vast diversity of smart devices are emerging. Most connect to the internet and require a high degree of security. Connectivity accentuates vulnerabilities. Sadly, many of the IoT devices consumers and businesses are embracing lack the necessary measure for security rigor, leaving users exposed and data vulnerable.
The 360Lock is not the only device that has poor security, but it does highlight two important points, emphasizing overall industry challenges.
First, never trust any product that claims to be ‘unhackable’. Seasoned security professionals would never make such an outlandish assertion as to say a device is hackproof! The fact that 360Lock promoted their product in this way was the only indicator needed to instill great skepticism.
Second, this device’s weaknesses highlight the need for proper data transport security. Man-in-the-Middle (MitM) attacks, such as a replay attacks, are common tactics for hackers. Transactional security is absolutely critical to protect data and requests. Unfortunately, securing data in-transit between IoT devices on the edge and phones/PC/cloud-services requires the right expertise and tools. Most failures occur in how data protections are implemented and managed. As a rule, if a product manufacturer is not detailing their security, they likely do not have quality capabilities in place.
Consumers must be wary and realize that even dedicated security products, such as padlocks, can be victimized by poor development decisions. Trendy features are no replacement for solid security and reliability. IoT devices are often much less secure than the marketing materials and salesperson will reveal. Look for reputable manufacturers who have committed to work with the best technology, security integrators, and verification practices. Every consumer and business is responsible for understanding the risks accompanying the benefits of new technology.