Painful IoT Security Lessons Highlighted by a Digital Padlock
The first warning sign was the word “hackproof” in the 360Lock marketing materials. As it turns out, to the surprise of no security professional, the NFC- and Bluetooth-enabled padlock proved to be anything but secure.
Straightforward penetration testing revealed horrible logical and physical security for a padlock that promotes itself as “incorruptible” and “hackproof”!
Digital Transformation is a rush to connect our physical world to the global electronic ecosystem to enable better access, integration, and advanced capabilities. Internet of Things (IoT) devices are often at the forefront of this movement, turning normal devices into ‘smart’ devices. Sometimes even the best ideas fail when it comes to design and execution.
This padlock has several innovative features, such as connectivity to mobile applications, an included RFID wristband and tag for easy unlocking, configurability to add access for others, and a detailed history log. What it lacks, however, is actual security.
Security theater
Simple pentesting proved what was likely a foregone conclusion. The Kickstarter-funded lock is neither hackproof nor secure. Testers found that simple replay attacks could trick the logic into opening the device. Additionally, crude brute-force methods…