How an IoT Door Lock Actually Provided a Way InCraig Young of Tripwire Says Security Errors Should Be Costly to Vendors
IoT door locks offer conveniences, such as monitoring access and enabling keyless entry. But while the devices are ultimately designed to keep people out, they may actually be the way in.
See Also: Securing Your Building Management System
A recent examination of U-tech’s Ultraloq provides a case in point. Craig Young, a principal security researcher with Tripwire, found that U-tech left a service exposed to the internet that ultimately could be leveraged to remotely open someone’s door.
U-tech’s “infrastructure for managing the locks and the access to locks didn’t require usernames and passwords,” Young says. “Anybody could connect to it and start monitoring the activity of all of the locks and then actually start unlocking other people’s doors.”
U-tech left a server open to the internet that exposed an MQTT broker. MQTT is a lightweight publish-subscribe protocol often used for IoT applications involving sensors, and the broker mediates messages sent from devices such as sensors to an app that can issue commands to the sensors. The company has since fixed the problems Young found.
Young says in a blog post that the exposed MQTT data also contained personally identifiable information, such as email and IP addresses.
The findings add to a crisis of confidence in some IoT products. Young says vendors are making some strides in improving their products, but whether IoT products are better overall isn’t entirely clear.
“At the end of the day, it has to cost vendors money to release insecure stuff,” Young argues. “Making mistakes in terms of security needs to be costly.”
In this video interview, Young discusses:
- How he used Shodan to uncover a critical problem with U-tech’s service;
- What steps could be taken to improve IoT security;
- Why regulation may be required to raise the security competency in IoT.
Young is principal security researcher with Tripwire's Vulnerability and Exposures Research Team. He has found dozens of vulnerabilities in products from Google, Amazon, IBM, Netgear, Apple and more. He’s also presented at the Black Hat and Def Con security conferences.