Your Smart Locks and Smart Thermostats Are Definitely Not Smart, Security-Wise

Let’s say that when it comes to your attorney-client data, you are on top of your security game. You’re using a password manager so that you can always have strong passwords. You’re either encrypting your attorney-client communications or using a secure portal or both. But are you sufficiently vigilant about the rest of the things in your life?

Whether or not you realize it, you have probably begun to participate in the Internet of Things (IoT). Are you using wearable tech like a FitBit to track your steps? That’s part of the IoT ecosystem. Apple Watch? Internet of Things. Nest thermostat? Totally the Internet of Things. Basically, any device you have that isn’t a computer but is able to track data and talk to your computer or phone is probably some sort of IoT device. So, unless you’re being a devout Luddite about this sort of thing, you’ve probably got some device hanging around that is accumulating data about you, analyzing your personal data, or sending your data somewhere. And it’s all done with a relative paucity of regulation–and that’s a near-perpetual problem.

The latest two IoT failures are for things that actually aren’t all that futuristic. First, let’s talk about that smart thermostat you might have. You can control your house’s temperature when you’re not there, automate what temperatures you want throughout the day and night, and, perhaps nicest of all, it learns what you do and then does it for you. No more pesky thinking about what temperature you want it to be at breakfast time.

All of that is completely great, except for the time last month that Nest had an outage during a heat wave and users couldn’t remotely adjust temperatures any longer, which meant that if you had set a temperature in the morning for the kids or Fido or something and suddenly the heat spiked, there was no way you could change that if you weren’t home. A minor inconvenience, but something that substantially undercuts the whole appeal of a smart thermostat that you don’t have to be at home to change.

That was a blip in functionality, but the newest smart thermostat problem would be far, far worse. Two white-hat aka good guy hackers proved that they could get ransomware on a smart thermostat.¹ Ransomware basically takes control of your device until you pay an exorbitant amount to get control back. Ransomware has become a big problem for computers, but think of how much worse it could be if you have to pay huge sums to be able to heat or cool your home again. While this particular hack involved some steps that would be a bit difficult to execute, it’s a stark reminder that something like a smart thermostat or smart lights or anything similar is really just another security attack vector.

Where the smart thermostat hack was a complicated hack that might not ever be replicated in the real world, figuring out that those cool Bluetooth locks are easy to hack is an entirely different story. Two researchers tested 16 popular models of those locks and found out they were able to crack 12 of them–some of them in ridiculously easy and inexpensive ways.

Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.

The remaining locks required a bit more finesse to break into, but the most worrisome thing about these hacks is probably the blithe attitude of most of the manufacturers.

“We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors.  It turned out that the vendors actually don’t care,” Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.’” […]

“We contacted [lock manufacturer] Okidokeys, and then they turned off their website,” Rose said. “But you can still buy the locks on Amazon.” […]

“We contacted the Bitlock’s manufacturer and told them about this,” Rose said. “They said they’d fix the problem, but after three months they still haven’t.”

That attitude does not inspire confidence in a Brave New World of New Things.

Does this mean you should never buy cool gadgets that make your life easier and interface with your network and computers? Of course not. It does mean that you may not want to be the very earliest of adopters, however, or that you may want to wait until greater security regulations and protocols are in place. Let someone else buy that first-generation fully-loaded SmartHome down the block. Your time will come.

1. They didn’t specify which one, precisely so the hack couldn’t be easily repeated by bad guys and so that the unnamed company could fix it. ↩

Your Smart Locks and Smart Thermostats Are Definitely Not Smart, Security-Wise was originally published on Lawyerist.com.