How an IoT Door Lock Actually Provided a Way In

Craig Young of Tripwire Says Security Errors Should Be Costly to Vendors
Craig Young, principal security researcher, Tripwire

IoT door locks offer conveniences, such as monitoring access and enabling keyless entry. But while the devices are ultimately designed to keep people out, they may actually be the way in.

A recent examination of U-tech’s Ultraloq provides a case in point. Craig Young, a principal security researcher with Tripwire, found that U-tech left a service exposed to the internet that ultimately could be leveraged to remotely open someone’s door.

U-tech’s “infrastructure for managing the locks and the access to locks didn’t require usernames and passwords,” Young says. “Anybody could connect to it and start monitoring the activity of all of the locks and then actually start unlocking other people’s doors.”

U-tech left a server open to the internet that exposed an MQTT broker. MQTT is a lightweight publish-subscribe protocol often used for IoT deployments involving sensors: devices publish messages to topics on the broker, and the broker relays them to subscribers, such as an app that can in turn publish commands back to the devices. A broker that accepts connections without authentication therefore lets anyone both observe that traffic and inject commands. The company has since fixed the problems Young found.
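The failure described above comes down to a broker that accepted MQTT CONNECT packets carrying no credentials. The following is an added example, not code from the article, from Tripwire or from U-tech: a minimal MQTT 3.1.1 CONNECT parser and the accept/reject decision an authenticating broker would make. The packets are constructed in the script itself (the client IDs, the user name `gateway` and the password are invented test values), so it runs offline and contacts no broker.

```python
"""
Added example: parse MQTT 3.1.1 CONNECT packets and decide, as an
authenticating broker would, whether a session presented credentials.
All packets here are constructed locally for illustration.
"""
import struct

CONNECT_TYPE = 0x10  # control packet type 1 (CONNECT) in the high nibble


def _encode_remaining_length(n):
    # MQTT variable-length integer: 7 data bits per byte, 0x80 = more bytes follow
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def _decode_remaining_length(buf, pos):
    multiplier, value = 1, 0
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if byte & 0x80 == 0:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:  # spec allows at most 4 length bytes
            raise ValueError("malformed remaining length")


def _mqtt_field(data):
    # Length-prefixed field (big-endian 16-bit length) used for strings and binary data
    return struct.pack("!H", len(data)) + data


def _read_field(buf, pos):
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def build_connect(client_id, username=None, password=None, keep_alive=60):
    """Build a CONNECT packet (constructed test input: clean session, no will)."""
    flags = 0x02  # bit 1: clean session
    payload = _mqtt_field(client_id.encode("utf-8"))
    if username is not None:
        flags |= 0x80  # bit 7: user name present
        payload += _mqtt_field(username.encode("utf-8"))
    if password is not None:
        flags |= 0x40  # bit 6: password present
        payload += _mqtt_field(password)
    var_header = _mqtt_field(b"MQTT") + bytes([0x04, flags]) + struct.pack("!H", keep_alive)
    body = var_header + payload
    return bytes([CONNECT_TYPE]) + _encode_remaining_length(len(body)) + body


def parse_connect(packet):
    """Return the CONNECT fields that matter for an authentication audit."""
    if packet[0] & 0xF0 != CONNECT_TYPE:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    proto, pos = _read_field(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    pos += 2
    (keep_alive,) = struct.unpack_from("!H", packet, pos)
    pos += 2
    if flags & 0x01:
        raise ValueError("reserved connect flag must be zero")
    client_id, pos = _read_field(packet, pos)
    if flags & 0x04:  # will flag set: skip will topic and will message
        _, pos = _read_field(packet, pos)
        _, pos = _read_field(packet, pos)
    username = None
    if flags & 0x80:
        raw, pos = _read_field(packet, pos)
        username = raw.decode("utf-8")
    return {"protocol": proto.decode("utf-8"), "level": level,
            "client_id": client_id.decode("utf-8"), "username": username,
            "has_password": bool(flags & 0x40), "keep_alive": keep_alive}


def audit_connect(packet, allow_anonymous=False):
    """Decide (accept, reason) for a CONNECT the way an authenticating broker would."""
    info = parse_connect(packet)
    if info["protocol"] != "MQTT" or info["level"] != 4:
        return False, "unsupported protocol"
    if info["username"] is None:
        if allow_anonymous:
            return True, "anonymous session accepted (allow_anonymous is on)"
        return False, "anonymous session rejected"
    if not info["has_password"]:
        return False, "user name without password"
    return True, "credentials presented for user %s" % info["username"]


if __name__ == "__main__":
    for pkt in (build_connect("lock-0001"), build_connect("lock-0002", "gateway", b"s3cret")):
        print(parse_connect(pkt)["client_id"], audit_connect(pkt))
```

The `allow_anonymous` switch plays the role of the broker setting of the same name in Mosquitto: with it on, the first constructed packet (no user name, no password) is accepted and the session can subscribe to every lock's topics; with it off, the same packet is refused before any topic is touched. Whether a session carried credentials is visible in the connect-flags byte alone, which is what makes it a cheap thing to log and alert on at the broker.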

Young says in a blog post that the exposed MQTT data also contained personally identifiable information, such as email and IP addresses.

The findings add to a crisis of confidence in some IoT products. Young says vendors are making some strides in improving their products, but whether IoT products are better overall isn’t entirely clear.

“At the end of the day, it has to cost vendors money to release insecure stuff,” Young argues. “Making mistakes in terms of security needs to be costly.”

In this video interview, Young discusses:

  • How he used Shodan to uncover a critical problem with U-tech’s service;
  • What steps could be taken to improve IoT security;
  • Why regulation may be required to raise the security competency in IoT.

Young is principal security researcher with Tripwire's Vulnerability and Exposures Research Team. He has found dozens of vulnerabilities in products from Google, Amazon, IBM, Netgear, Apple and more. He’s also presented at the Black Hat and Def Con security conferences.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
