Smart-Lock Hacks Point to Larger IoT Problems

Two recent reports on smart-locks vulnerabilities show that IoT vendors have a bigger job to do in ensuring their products are safely deployed and configured.

According to Grand View Research, the global smart-lock market size was valued at $1.2 billion in 2019, with over 7 million devices sold that year alone. It is further projected to register a CAGR of 18.5% from 2020 to 2027.


But two recently published reports on smart-lock vulnerabilities should make consumers and vendors alike think carefully about how these devices are deployed and implemented.


Reporting on a flaw he found with the U-tec Ultraloq – a smart-lock project that began as an Indiegogo campaign – Craig Young, security researcher at Tripwire, tells Dark Reading that he came across this flaw in late 2019 simply because he had taken an interest in the lightweight publish-subscribe protocol MQTT (Message Queuing Telemetry Transport) used for constrained Internet of Things (IoT) devices.


As Young explains in his research: "The risk of using MQTT arises when it is deployed without proper authentication and authorization schemes. Without this, anyone who can connect to the broker can leak sensitive data and potentially influence kinetic systems. An unauthorized user that gains access to the MQTT broker can easily guess topic names and use # to subscribe to all kinds of topics to obtain data transiting the broker."
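The exposure Young describes (a broker that accepts unauthenticated clients, so a `#` subscription returns every topic) can be checked against the broker's own configuration. The following is an added example, not code from the article, Tripwire or U-tec: it audits a Mosquitto `mosquitto.conf` and ACL file (constructed samples with hypothetical topic names) and lists which topics an anonymous `#` subscriber would receive, showing the weak deployment beside a hardened one.

```python
import re

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' matches the rest."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1          # '#' is only valid as the last level
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)

def anonymous_read_filters(acl_text: str) -> list:
    """Mosquitto ACL: 'topic' lines before the first 'user'/'pattern' line
    are the access list applied to anonymous clients."""
    filters = []
    for line in acl_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] in ("user", "pattern"):
            break
        if parts[0] == "topic":
            access, flt = (parts[1], parts[2]) if len(parts) == 3 else ("readwrite", parts[1])
            if access in ("read", "readwrite"):
                filters.append(flt)
    return filters

def exposed_to_anonymous(conf_text: str, acl_text: str, topics: list) -> list:
    """Topics an unauthenticated client subscribing to '#' would receive."""
    opts = dict(re.findall(r"^\s*(\w+)\s+(\S+)", conf_text, re.M))
    # Only an explicit 'true' counts here; the unset default was true before
    # Mosquitto 2.0 and false from 2.0 on, so always set it explicitly.
    if opts.get("allow_anonymous") != "true":
        return []
    if "acl_file" not in opts:                   # no ACL at all: every topic is readable
        return list(topics)
    filters = anonymous_read_filters(acl_text)
    return [t for t in topics if any(topic_matches(f, t) for f in filters)]

# Constructed samples (hypothetical device ids and topics): weak beside hardened.
WEAK_CONF = "listener 1883\nallow_anonymous true\n"
HARDENED_CONF = ("listener 1883\nallow_anonymous false\n"
                 "password_file /etc/mosquitto/passwd\nacl_file /etc/mosquitto/acl\n")
HARDENED_ACL = ("# no 'topic' lines before the first user: anonymous clients get nothing\n"
                "user lock-7f3a\ntopic readwrite locks/7f3a/#\n"
                "user cloud-backend\ntopic read locks/+/status\n")
SAMPLE_TOPICS = ["locks/7f3a/status", "locks/7f3a/cmd",
                 "locks/9b21/status", "users/alice@example.com/devices"]

if __name__ == "__main__":
    print("weak:", exposed_to_anonymous(WEAK_CONF, "", SAMPLE_TOPICS))
    print("hardened:", exposed_to_anonymous(HARDENED_CONF, HARDENED_ACL, SAMPLE_TOPICS))
```

With the weak configuration every sample topic is readable by an anonymous `#` subscription; with authentication required and per-user ACLs, an anonymous client receives nothing and each account is confined to its own topic tree.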


In conducting a series of searches on Shodan, a search engine for connected devices, Young discovered a server with several pages of MQTT topic names that also kept emerging in searches referencing "lock" and free email providers like "gmail.com."


"I queried the server myself with Linux command line tools (e.g. ..
