IoT manufacturer caught fixing security holes
Smart lock maker August fails to ignore flaws
In a shocking development, smart lock manufacturer August has been caught promptly patching security holes discovered in its product.
At this year's DEF CON, security researcher Anthony Rose gave a presentation where he outlined how a whole range of "smart locks" were hackable.
"Smart locks appear to be made by dumb people," Rose said. "Lots of manufacturers choose user convenience over security and aren't bothered about fixing their hardware."
This is not exactly news to those who have been following the blossoming internet-of-things (IoT) marketplace. In fact, security measures on these products have been so consistently bad that they could arguably be the most defining characteristic of the entire market, after the fact that it connects to the internet.
But what was surprising was that just 10 days later, August had put out patches that fix the holes. Even Rose was surprised, tweeting: "August just patched their web services to stop guests from being able to insert backdoor keys in homekit locks! Kudos to their engineers."
He noted in a subsequent blog post that the fix is not an all-encompassing one – that will take longer to effect – but a 10-day turnaround? What is August thinking? Don't worry though, the company remains an outlier in a market that seems to think packaging and tweets are more important than security.
Among the many models of smart locks that Rose identified as fundamentally flawed, so far none but August appears to have fixed the flaws or even acknowledged they exist. In fact, of the 12 manufacturers that Rose contacted because he was able to unlock their locks without authorisation, only August even responded.
So, well done to the Quicklock doorlock and padlock, the IBluLock padlock and the Plantrace Phantomlock for transmitting your passwords in plaintext.
Bravo the Ceomate Bluetooth Smart Doorlock, the Lagute Sciener Smart Doorlock, the Vians Bluetooth Smart Doorlock, and the Elecycle EL797 and EL797G smart padlocks for allowing for replay attacks.
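For readers wondering what "allowing for replay attacks" means in practice, here is an added illustration (not code from the article or from any of the lock makers named above). It models two toy locks with a constructed pairing key: one that accepts a fixed unlock command, which any captured copy of that command opens again, and one that issues a fresh random challenge and accepts a keyed response to it only once.

```python
import hashlib
import hmac
import os

# Constructed pairing secret shared by phone and lock; a real lock would
# provision this during pairing.
KEY = b"constructed-demo-pairing-key"


def phone_static_command(key):
    """What the app sends to the weak lock: the same bytes every time."""
    return hashlib.sha256(b"unlock" + key).digest()


class StaticTokenLock:
    """Accepts a fixed unlock command, so a captured command opens it again."""

    def __init__(self, key):
        self.token = phone_static_command(key)

    def unlock(self, msg):
        return hmac.compare_digest(msg, self.token)


class ChallengeResponseLock:
    """Issues a fresh random nonce per attempt and honours an HMAC over it once."""

    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(16)
        return self.pending

    def unlock(self, nonce, tag):
        if self.pending is None or not hmac.compare_digest(nonce, self.pending):
            return False  # stale or unsolicited nonce: reject
        self.pending = None  # single use: the same (nonce, tag) never opens again
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def phone_answer(key, nonce):
    """The legitimate app's reply to a challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_demo():
    results = {}
    weak = StaticTokenLock(KEY)
    captured = phone_static_command(KEY)  # the bytes an observer sees once
    results["static_first"] = weak.unlock(captured)
    results["static_replay"] = weak.unlock(captured)  # opens again: the flaw

    strong = ChallengeResponseLock(KEY)
    nonce = strong.challenge()
    tag = phone_answer(KEY, nonce)
    results["cr_first"] = strong.unlock(nonce, tag)
    strong.challenge()  # lock issues a new nonce for the next attempt
    results["cr_replay"] = strong.unlock(nonce, tag)  # old nonce: rejected
    return results
```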
We will give a special mention, however, to the engineer at Kwikset who produced "fantastic" software security for its Kevo lock. Sadly the rest of the team let him down when Rose was able to open the lock with a screwdriver. ®