Tripwire Research: IoT Smart Lock Vulnerability Spotlights Bigger Issues

The mechanical lock is perhaps the most fundamental, tangible, and familiar layer of security in our daily lives. People lock their doors with the expectation that these locks will keep the bad people out, but there’s a common adage in the security industry that locks are only good at keeping honest people honest. This is perhaps truer than ever in the era of the IoT “smart lock” where lock picks and bump keys can often be replaced by scripts and sniffers. This was exactly the case with an Internet-enabled lock I evaluated late last year. At that time, an anonymous attacker could physically locate and remotely control any locks connected to the vendor’s cloud infrastructure.

Although the specific issues outlined in this blog have since been resolved, the underlying concerns regarding privacy and safety in the industry still remain. The purpose of this article is to bring awareness to the issues surrounding Internet-connected devices and the centralized cloud computing that drives IoT.

The device I’ll be talking about in this post is the U-Tec UltraLoq, which connects to the vendor’s U-Cloud infrastructure. For the record, I notified U-Tec in early November 2019, and the issues were resolved within a week. The underlying issue in this case, a service misconfiguration, will be explained at a high level, but the bigger focus of this research is around the risks posed by feeding data and control through a central authority.

The U-Tec UltraLoq started on Indiegogo and is now sold directly to consumers th ..
