Craig discusses problems with some of the smart lock technology and an even larger issue surrounding IoT devices in general. 

For more tech tips, news, and updates visit – CraigPeterson.com

Read More:

Patch Tuesday (September 2020): Microsoft Addresses 129 Vulnerabilities

Ransomware accounted for 41% of all cyber insurance claims in H1 2020

A bevy of new features make iOS 14 the most secure mobile OS ever

Don’t Fall for It! Defending Against Deepfakes

Patient dies after a ransomware attack reroutes her to a remote hospital

Lock your doors, people: Verizon breach on unsecured AWS server exposes 14M customer records

Time for CEOs to Stop Enabling China’s Blatant IP Theft

Newly Patched Amazon Alexa Flaws — A Red Flag for Home Workers


Automated Machine-Generated Transcript:

Craig Peterson: [00:00:00] Hey, welcome back everybody. If you have smart locks or you think maybe smart locks are the way to go, we’ve got a little bit of news for you. Some research had just come out about these smart locks in our homes and offices turns out they just smart for their own britches.

Craig Peterson here. Thanks for joining me online. And of course, WGAN where we air every Saturday from one till three, you can always join us there. I’d love for you to tune in. And of course, we’re also on, yeah, you guessed it. Tune in as well as any pretty much any other podcast app out there.

Now, let’s get a little bit into this whole smart lock thing. We’ve been talking a fair amount about the whole problem with IoT on the show. If you miss some of the earlier stuff, I think it’s important to go back to particularly if you are a business person or you’re working from home and VPNing into a business.

I covered quite a bit of that stuff just today, in fact, but you can always find it out on my website@craigpeterson.com for a review. What we’re going to talk about right now? Isn’t like the Alexa or the Google home. Although in both cases they do have smart locks and tie into them. Oh, it’s just so convenient to tell Alexa to turn on the chicken coop lights or turn them off or open the front door, et cetera.

There are also other types of locks that I think are really cool where it’s a proximity lock. It uses your Bluetooth phone ID. That ID is typically something that is merely a, are basically like a Mac address there on your Bluetooth device.

There are other ones that are being built into cars, including Teslas and now BMWs that use an app on your phone in order to unlock the door, cool all the way around.

But behind all of these is some technology that is not only unproven but according to grand view research, this is still a bit of a problem. We’re looking at a global, smart lock market valued at $1.2 billion. Last year over 7 million devices sold last year and they are expecting this market to grow pretty dramatically over the next five to 10 years. But there are two recently published reports about smart lock vulnerabilities that are very concerning.

This is another article out of dark reading our friends over there. First of all the UTEC ultra lock. Now they have hit the news before this is a smart lock project. It began as an Indiegogo campaign. If you’re not familiar with them, it’s where people get to you, invest in a project. If the project comes to fruition they go ahead and they get one of the products. That’s usually how those types of things work. It’s a way for people to invest a couple of bucks on something that they really believe in.

So this guy came up with this ultra lock and the idea and the group put it together and they put it up on IndieGoGo to try and raise some money to build these new types of smart locks that they had.

Tripwire, which is a security research company among other things said that they came across this flaw late last year, the researcher’s name is Craig Young. And he was looking into this, the protocol that’s being used by a lot of these smart devices, It’s called MQTT, which is message queuing, telemetry transport.

You can think of it as an SNMP if you are a little bit more techie. Which is the simple network management protocol, but lighter weight because the internet of things, devices just don’t have enough memory and CPU and everything else to run big operating systems. Now I have a problem with that.

The manufacturers saying, we’ve got to go with this lightweight protocol, man. We’re just a door lock. how can you expect us to do anything more? It turns out that a lot of these companies are not using authentication that’s verifiable. They are not using encryption and they’re not using any sort of real authorization scheme.

So what’s happened here is he has proven that pretty much any unauthorized user, that can see one of these messages in transit port and get access that broker can easily guess the names of that are used the topic names. Now in SNMP, you have the MIPS. There are security parameters that you can use, but in this case, all you have to do if you can get access to that, the broker is use the pound sign and the topic name, and now all of a sudden you’re obtaining all of the data that’s going through that data broker.

This is a very. Big problem. So he looked at several pages of these protocols, topic names, and he kept finding references to LOC and free email providers. Like g-mail dot com that some of these companies are using, if you can believe that.

So he said, I query the server myself with Linux command, align tools, and I was instantly inundated with personally identifiable information, apparently from all over the world. He said that it included email addresses, IP addresses associated with the logs, timestamp records of when and where they opened and closed all of it.

Now there is thinking out there that really this protocol can be perfectly safe. But the problem again is these companies that are making them are not hiring professional programmers that understand the risks because it could have been secured. They should be using access controls. They should be using authentication. They should be using encryption.  In this case with UTEC, it used none of those things. None of them. so again, don’t just blame it on China, although they certainly take shortcuts. Most of these companies here in the US are taking shortcuts too. 

We don’t have any real programmers coming out of schools now it’s all drag and drop. Yeah. Yeah. You just drag this visual basic, visual C-sharp thing, whatever it might be. There’s this Java module and magic happens. Without them knowing what’s really going on behind the scene. There’s another one too, about the August smart lock.  This is out of Bitdefender now a bit defender has software that I recommend a lot of people use.

It is not a panacea. It is not the ultimate. But bit defender, particularly their paid version usually does help with your security. So a little tip there for those of us on either a Mac or a windows computer. Check out Bitdefender, you might want to use it, not as good again as the commercial stuff, the real stuff for real businesses.

But they said, yes, they documented in detail, a vulnerability. The bit defender had found with the August smart lock also late last year and the Bitdefender guys were working with PC mag and they were evaluating smart device security. So Bitdefender is saying that their team does discover that while this August smart lock.

It could communicate with the smartphone in over an encrypted channel. The encryption key itself is hardcoded into the app. So it allows an attacker within range to use, drop an intercept, the wifi password it’s really that simple. So there you go. There’s an example. Of a smartphone using wifi to talk to the lock and yeah. Yeah. We’re encrypted.

So again, it goes back to pencil whipping forms is your smart lock encrypted? Oh yeah, we are encrypted. And then that’s where the conversation ends in the audit check purchasing manager just checks it there on the form. it’s almost completely useless when it’s programmed this way. Almost completely useless. So again, this is. Obviously specific to this device and when the device is being set up a real vulnerability, but you know what you could, if you want them to install another one of those devices, all you have to do is install a little monitor, hide it there in the bushes or something, and burn out the lock that’s there or smasher or whatever you want to do so that it has to be replaced and when the guy replaces it. TaDa you have access to it. It’s obviously not that difficult.

Now, someone overseas isn’t going to be able to get at it. But someone that is really determined to get into your house could get into it pretty easily. It reminds me of a lot of these door lock systems that are still used in cars today that can be replicated.

You just sit there in the parking lot at a shopping mall and you have a receiver that’s listening for that little. Click on the remote control right in the car goes, beep yeah, I’m locked.

Many of those, in fact, almost all of the older ones, can then be duplicated so that all the guy has to do is okay, great, he just locked up that old or BMW. It’s only worth $30,000 today, but you know what the heck? And he can replicate it and get that car to unlock itself.

So we have to be a lot more careful with this stuff. Absolutely, a lot more careful. I am very upset with the vendors that do this sort of thing. They are fooling people. They are scamming people by again, pencil whipping forms that poor guy/ gal who’s working in purchasing who bought it, who had no idea that, the checkbox was checked, is now in trouble because that device was hacked.

That’s just an example of two obvious problems with smart locks. It’s a really sad fact of life. That many companies don’t have real security people who can look into this and look into a little bit more.

All right. When we come back, we got more, we’re going to talk about facial recognition and what the cops are doing right now with not just protesters, obviously, but rioters and how they’re using it to arrest people.

You’re listening to Craig Peterson here on WGAN and of course, I am on every Wednesday morning at seven 30 with Matt, Gagnon.

 Stick around. We’ll be right back.

More stories and tech updates at:


Don’t miss an episode from Craig. Subscribe and give us a rating:


Follow me on Twitter for the latest in tech at:


For questions, call or text:


Listen to this episode

Malcare WordPress Security