Newly-discovered vulnerabilities in one particular smart lock may call into question just how secure the IoT devices are. Specifically found in U-Tec's UltraLoq, the bugs allowed would-be attackers to find the gadget's MAC address. And that, in turn, allowed access to the device's controls.
Recent reports detailing the discovery, made by Tripwire researcher Craig Young, indicate this isn't a first for the company either. Additionally, it took real effort to convince the company to fix all of the issues in this case. Mr. Young notes that there are also at least a few reasons to believe this isn't limited to U-Tec devices. So it isn't necessarily unlikely that similar problems could be found in what the researcher refers to as other "safety-critical devices."
How was UltraLoq smart lock found to be insecure?
The U-Tec UltraLoq is a $139.99 smart lock billed as being both secure and versatile. It's sold at a wide assortment of retailers and shippers, including Amazon, Walmart, and Home Depot. The specific vulnerabilities in question are multifaceted. At the heart of the matter, though, is the MQTT protocol found in IoT devices. Some companies use that or other protocols to exchange data between nodes. And, for U-Tec UltraLoq, that was leaking quite a lot of data.
For starters, Mr. Young utilized IoT search engine Shodan to find records associated with the vendor. The queries revealed an Amazon-hosted broker that contained UltraLoq topic names recorded by MQTT. That included customer personally identifiable information, such as email addresses. But that wasn't the extent of the problem. Mr. Young also found that the details included a MAC address.
Upon examination of the UltraLoq itself, Mr. Young found a "repeating message flow on the unlock process" and those could be accessed with just the MAC address. And that, in turn, allowed the researcher to steal unlock tokens from specific devices. Or in larger volumes.
First, U-Tec reportedly told Mr. Young not to worry about the problem. When pressed and shown evidence that the information could be scraped, it eventually fixed user authentication problems. But it left wide open the other problems. Pressed further, the company eventually fixed the remaining protocol isolation issues.
What does this say about other devices?
According to Mr. Young, the problems with IoT extend well beyond this breach. Even "safety-critical" systems including devices such as "locks and furnaces" don't have a lot of requirements associated with them. And oversight, the researcher says, is minimal. With the presence of Mirai and IoT botnets proving that even non-safety-critical systems can cause major problems, that's a real issue.
Now, that doesn't mean that every IoT device is insecure. But it does highlight problems underpinning the shift from physical locks and systems to digital ones. The current requirements and standards don't necessarily account for the relatively new wave of IoT products. So this appears to be as much a regulatory issue as anything else.