Smart Locks are opening us up to danger?

Read this article and this one, which hilariously misinterprets it.

And, I fall back to my general... HUH?

So, firstly, what McAfee says is technically possible. But, it has far too many restrictions to be practical. Attempting to exploit a smart phone AND use its trusted relationship with your smart home to do something like unlock a door is a massive undertaking.

The article which misinterprets it is just hilariously bad. For a GREAT deal of reasons, no smart lock app worth the investment allows a smart lock to be unlocked by voice alone. In fact, many don't allow it at all. But, some WILL allow it with the addition of an extra PIN.

Why? Not because of any fear of nefarious attacks on the network. But, voice identification in these smart devices is pretty weak, with the owner of the device often not being identified as the owner or false positives from others in the household. If these worked without a PIN or other additional measures over voice, then a burglar could simply stand outside the door and try yelling "Alexa, unlock the door" in a number of different voices. Honestly, I'd be unsurprised if it worked. And it would require ZERO network hacking. WITH these protections in place, hijacking one smart speaker to command another?!?!?! How the hell does that compromise anything?

No, for this to work, it NEEDS to be something like a smart phone which is compromised. And not the assistant either. It needs to compromise the app which triggers the unlock. And even then, if the security is good enough, it might still get you nowhere.

But, the nail in the coffin is this; how do you compromise the phone? The easiest way is an app or a website which can leverage an exploit to compromise the phone. But how the hell do you get the person owning the phone to go to that site or download that app? And be sure that they've done it?

Realistically... this falls right back into my usual pattern. It is possible for advanced hackers to compromise a site or submit a compromised app to an App Store. But, being able to compromise a smart device is meaningless if you're not local to the compromised house. So, hackers are MUCH more likely to invest their time hacking your bank accounts or personal information for identity theft/fraud than they are to submit apps which hack your smart lock. And, once the attack is discovered, the app will be removed from the store as will any new app leveraging the exact same attack.

Not only that. It isn't sufficient to hack JUST a phone. You also need a means, once in control of the phone, of hacking the smart lock. But, there are multiple vendors. And multiple OSs. At a minimum, you'd need to know how to hack probably both iOS and Android. And how to hack the top 2-3 smart lock vendors, let's say August, Nest and Schlage. This is already a MASSIVELY sophisticated attack. And an insane amount of effort to try and pull off for a local heist.

But it doesn't end there. Odds are good that the house also has a smart camera. As houses grow increasingly smarter it isn't JUST smart locks people are adding. So, now you also need to know how to take down monitoring services for these smart homes. Which adds more attack vectors for the known products and adds more to the list. For instance, I would say Ring is one of the biggest in smart home cameras. Followed by companies like Arlo. You have some overlap in that Nest also has cameras as August has a doorbell cam.

It wouldn't be any good to compromise the smart lock when the camera has your license plate, face or even just enough identifying features to help in a police investigation.

In short, while the sophistication level is EXTREME, it is certainly not impossible. BUT, if a local player had all of these skills and wanted to target your house... I suspect that they could probably just hack the devices directly over Bluetooth. This is a pretty advanced skillset and it requires compromising numerous layers from the App Stores/browser, to the app container, to the OS, to the individual products you're targeting.

Once again, there aren't roaming gangs of thugs all over the place with the skills to pull this off.

And, if there were, and they were THAT determined... I'm sure they could find more cost efficient ways to get what they wanted.

I would say that the most nefarious way this MIGHT happen would be if something like a state sponsored hacker group did the dirty work, and then SOLD access. But, even then, it likely wouldn't be trivial to exploit all of these layers and get that code running on many devices. They wouldn't want it discovered until it had served its purpose. And so, even this is infeasible sounding. And, if it happened, selling that access would likely not come cheap, and so, again, local thugs... likely not pulling it off.

The last thing I want to say is this. I don't want to dismiss these things entirely. I find articles like those above ignore the real world ramifications and possibilities and treat it like there is likely to be a rash of smart home robberies in the coming years. I don't want to swing the other direction though and imply that just because I don't see a chance of a large scale threat that anyone should bank on notions.

A smart home is in some ways less secure than a dumb one. There are also ways in which it is more secure. My doors can auto-lock after a period if I want. I can check while I'm away to make sure I locked it, and also review a history of locks and unlocks. But, at the same time, someone else owns that software and that software likely has either undiscovered or even simply unpatched (or possibly even un-patchable) vulnerabilities.

I have no delusions. My home is slightly less prone to traditional attacks thanks to smart home technology. Auto-locking doors rule us out as a crime of opportunity. But, that is about it. Most crimes happen via forced entry in broad daylight. If they break the door jamb... the door will stay "locked", I'll get no notification and they will need no fancy phone exploits.

Honestly, the cameras are probably more of a deterrent. But, even that won't necessarily stop someone from, once again, simply busting through a window or door. And, they can always take measures to hide their identity.

It is just my opinion. But, I feel like these articles ascribe way too much value to these sorts of attacks. Again, it is REALLY hard to believe that someone who could get sufficient access to your phone, so as to take over your smart home apps, wouldn't instead use that access to farm personal data, credit card numbers, passwords, etc... They can sit on that data until they have as much as they want or until someone catches the app leaking the data out.

But, absolutely. Don't take my word for it. If you're interested in smart locks and scared at the same time, do your research. The risks you take on may be too much or not. I can't decide for others. And while I believe it is highly unlikely, it is also POSSIBLE for the sorts of attacks described to happen. Not every hacker does it for the same reasons.
