Your $100 smart lock is actually a $0.50 paperweight
-
Editing while reading...
First things first, the app communicates over HTTP. There is no transport encryption. This is unforgivable in 2018.
Even if you revoke permissions, you have already given the other user all the information they need to authenticate with the lock, in perpetuity.
Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.
-
@jazzyjosh said in Your $100 smart lock is actually a $0.50 paperweight:
Editing while reading...
From the video:
[on the subject of someone stealing your bike in 30 seconds with a set of bolt cutters] But no-one is ever going to call the cops on a guy with a screwdriver
Well, in the US, maybe not...
-
@jazzyjosh as always, the S in IoT stands for Security
-
Can someone tell me why a padlock has a freaking Bluetooth!?
-
@gąska For security, of course
-
@gąska said in Your $100 smart lock is actually a $0.50 paperweight:
Can someone tell me why a padlock has a freaking Bluetooth!?
-
I've really only seen these locks for realtors--they put a house key in a box that has a blue-tooth code. The showing agent gets the code from the seller's agent and can show the house without needing anyone home and it improves security (fewer keys to lose, records of who went in/out when, etc). Any other use is
-
Well, consumers can't be expected to do a security analysis of every device they buy. And manufacturers don't face any consequences for not even attempting to make them secure, even when being secure is the whole point of the thing.
Soo... yeah, that's pretty much what you'd expect.
-
@benjamin-hall said in Your $100 smart lock is actually a $0.50 paperweight:
and it improves security (fewer keys to lose, records of who went in/out when, etc).
Apparently it doesn't improve security over a flower pot or a doormat, so.
-
@maciejasjmj said in Your $100 smart lock is actually a $0.50 paperweight:
@benjamin-hall said in Your $100 smart lock is actually a $0.50 paperweight:
and it improves security (fewer keys to lose, records of who went in/out when, etc).
Apparently it doesn't improve security over a flower pot or a doormat, so.
Yeah. But it does keep honest agents honest. And most real estate agents are...not the sharpest tools. So small barriers (like having to research cracks) keep them out pretty well.
It's how I feel about most security measures--someone who really wants in will get in. But it keeps the idiot kids out and puts minor barriers to entry on other people. Most thieves are opportunists--they'll twist a dozen handles to find the one that's unlocked, rather than pick a lock, even if it's really easy to do.
Edit: and in this context, since they log when they were opened, an open command without a corresponding request from an agent means it was broken. And IIRC, the seller's agent gets a ping every time it's opened, or at least can trivially log in and see the stats.
-
@benjamin-hall said in Your $100 smart lock is actually a $0.50 paperweight:
I've really only seen these locks for realtors--they put a house key in a box that has a blue-tooth code. The showing agent gets the code from the seller's agent and can show the house without needing anyone home and it improves security (fewer keys to lose, records of who went in/out when, etc). Any other use is
I've only ever seen the kind where you punch in a code and they unlock to open a compartment inside where the key is.
-
@anotherusername The newer ones have bluetooth. The old ones are basically combo locks.
I just bought a house last year, so I saw both kinds.
-
@benjamin-hall said in Your $100 smart lock is actually a $0.50 paperweight:
It's how I feel about most security measures--someone who really wants in will get in. But it keeps the idiot kids out and puts minor barriers to entry on other people.
There’s no point in trying to secure anything absolutely — it’s sufficient to make it secure enough that it’s too much trouble to circumvent for those who might want to. The lock being talked about here probably works fine to keep your stuff safe because few thieves are likely to go around with the necessary kit to crack it. However, if locks with this kind of insecurity are common enough, they will. So don’t buy the lock and the problem will go away :)
-
@gurth said in Your $100 smart lock is actually a $0.50 paperweight:
few thieves are likely to go around with the necessary kit to crack it
You mean a smartphone? Yeah, those will never catch on...
-
@jazzyjosh That smart lock is much smarter than you believe.
Look, you are expected to open it with your fingerprint. But what could you do when you lost your finger? E.g. when a dog bit it off? You'd stand in front of your door and cannot get into your apartment. But now, look, comes smartness: take your smartphone, and open the door. That's really smart, isn't it?
-
@benjamin-hall said in Your $100 smart lock is actually a $0.50 paperweight:
I've really only seen these locks for realtors--they put a house key in a box that has a blue-tooth code. The showing agent gets the code from the seller's agent and can show the house without needing anyone home and it improves security (fewer keys to lose, records of who went in/out when, etc). Any other use is
And yet I remember hurtling around eastern Massachusetts in the back of a realtor's car in 1984, and she would be driving along, oh, look there's a realtor's office (a different realtor, no less), let's stop here, "Hi, I'm (name) of (company), do you have any houses I can show these folks?" Material provided, off we go.
In one case they insisted on one of their people being there as well(1), but in general, they just handed over keys and that was that.
(1) The owner had recently been busted by the Massachusetts foster-care administration because he just kept taking in more kids and living off the money the state paid him for each one. He'd even gone so far as to build a big(2) extension on the back of the house that consisted mostly of bedrooms sized for kids.
(2) As in, it was as big as the main part of the house.
-
@berniethebernie said in Your $100 smart lock is actually a $0.50 paperweight:
@jazzyjosh That smart lock is much smarter than you believe.
Look, you are expected to open it with your fingerprint. But what could you do when you lost your finger? E.g. when a dog bit it off? You'd stand in front of your door and cannot get into your apartment. But now, look, comes smartness: take your smartphone, and open the door. That's really smart, isn't it?
IoT is like socialism: it heroically overcomes difficulties that wouldn't exist without it.
-
@gąska I'd prefer to live in a place where I do not need a lock at the door.
Yes, such places do exist. In 2000, I was on holiday in the Scottish province. Found a bed&breakfast place, asked the owner for the key of the house. "Why?" he asked. "I'll go out to the pub, have some dinner, some beers, don't know yet when I'll come back, might be late in the night, and I do not want to wake you for opening the door for me..." "You don't need a key. Look" and he pointed to the door. It had a handle just like doors inside an apartment...
At a different place, the owner told: "oh, yes, that door came with a key. I forgot where I put it."
With such places, the modern shitty IoT has no chance. Nobody will understand why they should buy that.
-
@berniethebernie said in Your $100 smart lock is actually a $0.50 paperweight:
@gąska I'd prefer to live in a place where I do not need a lock at the door.
Thank you for reinforcing my point.
-
@berniethebernie said in Your $100 smart lock is actually a $0.50 paperweight:
the Scottish province
Since you're still with us in the land of the living, I guess you didn't call it that while you were there.
-
@heterodox said in Your $100 smart lock is actually a $0.50 paperweight:
@gurth said in Your $100 smart lock is actually a $0.50 paperweight:
few thieves are likely to go around with the necessary kit to crack it
You mean a smartphone? Yeah, those will never catch on...
I admit I didn’t read the article, but from the current thread I get the impression it takes more than just having a smartphone to open this lock.
-
@steve_the_cynic said in Your $100 smart lock is actually a $0.50 paperweight:
And yet I remember hurtling around eastern Massachusetts in the back of a realtor's car in 1984, and she would be driving along, oh, look there's a realtor's office (a different realtor, no less), let's stop here, "Hi, I'm (name) of (company), do you have any houses I can show these folks?" Material provided, off we go.
In one case they insisted on one of their people being there as well(1), but in general, they just handed over keys and that was that.
You know those combination lock things that hold the keys? My BIL is a realtor on the side and when we were house shopping he gave me his MLS login information so we could peruse listings on our own. A surprising number of them just included the combination to the key safe in them. Right in the open for thousands of realtors to see. It was staggering.
-
@polygeekery said in Your $100 smart lock is actually a $0.50 paperweight:
@steve_the_cynic said in Your $100 smart lock is actually a $0.50 paperweight:
And yet I remember hurtling around eastern Massachusetts in the back of a realtor's car in 1984, and she would be driving along, oh, look there's a realtor's office (a different realtor, no less), let's stop here, "Hi, I'm (name) of (company), do you have any houses I can show these folks?" Material provided, off we go.
In one case they insisted on one of their people being there as well(1), but in general, they just handed over keys and that was that.
You know those combination lock things that hold the keys? My BIL is a realtor on the side and when we were house shopping he gave me his MLS login information so we could peruse listings on our own. A surprising number of them just included the combination to the key safe in them. Right in the open for thousands of realtors to see. It was staggering.
The weakest link in all security protocols is the people. Bar none.
-
@gurth said in Your $100 smart lock is actually a %2.50 paperweight:
I admit I didn’t read the article, but from the current thread I get the impression it takes more than just having a smartphone to open this lock.
The smartphone and an app, yes. Might want to read TFA.
The Tapplock, however, falls way below any acceptable standard. It can be opened in under 2s with only a mobile phone.
-
@gurth said in Your $100 smart lock is actually a $0.50 paperweight:
@heterodox said in Your $100 smart lock is actually a $0.50 paperweight:
@gurth said in Your $100 smart lock is actually a $0.50 paperweight:
few thieves are likely to go around with the necessary kit to crack it
You mean a smartphone? Yeah, those will never catch on...
I admit I didn’t read the article, but from the current thread I get the impression it takes more than just having a smartphone to open this lock.
At the time I read the article, they hadn't yet packaged the exploit as a ready-to-run app, but were working on it.
Probably 'd
-
@hungrier said in Your $100 smart lock is actually a $0.50 paperweight:
@gurth said in Your $100 smart lock is actually a $0.50 paperweight:
@heterodox said in Your $100 smart lock is actually a $0.50 paperweight:
@gurth said in Your $100 smart lock is actually a $0.50 paperweight:
few thieves are likely to go around with the necessary kit to crack it
You mean a smartphone? Yeah, those will never catch on...
I admit I didn’t read the article, but from the current thread I get the impression it takes more than just having a smartphone to open this lock.
At the time I read the article, they hadn't yet packaged the exploit as a ready-to-run app, but were working on it.
Probably 'd
Well, they did build an app to facilitate it, but the company that made the locks patched that specific vulnerability IIRC.
-
@tsaukpaetra said in Your $100 smart lock is actually a $0.50 paperweight:
@hungrier said in Your $100 smart lock is actually a $0.50 paperweight:
@gurth said in Your $100 smart lock is actually a $0.50 paperweight:
@heterodox said in Your $100 smart lock is actually a $0.50 paperweight:
@gurth said in Your $100 smart lock is actually a $0.50 paperweight:
few thieves are likely to go around with the necessary kit to crack it
You mean a smartphone? Yeah, those will never catch on...
I admit I didn’t read the article, but from the current thread I get the impression it takes more than just having a smartphone to open this lock.
At the time I read the article, they hadn't yet packaged the exploit as a ready-to-run app, but were working on it.
Probably 'd
Well, they did build an app to facilitate it, but the company that made the locks patched that specific vulnerability IIRC.
Which implies these locks talk to the Internet? Or they just fixed new locks - which leaves existing ones vulnerable. Yea IoT!!!
edit: That first part ... :shudder:
: Oops. That update went sideways. Sorry we bricked your lock! For the low-low price of $999.99, we'll send a lock breaker out to remove your lock.
-
@dcon said in Your $100 smart lock is actually a $0.50 paperweight:
: Oops. That update went sideways. Sorry we bricked your lock! For the low-low price of $999.99, we'll send ~~a lock breaker out~~ you a screwdriver to remove your lock.
-
@coderpatsy said in Your $100 smart lock is actually a $0.50 paperweight:
Ugh. It's one of those horrible star-shaped screw heads.
-
@dkf no one has a screwdriver like that. Securityyy!
-
@tsaukpaetra The sonic screwdriver always seemed like a really cheap literary device. Just point it at something and buzz a bit, and it unlocks.
Yet, with these "smart locks" it suddenly seems entirely realistic.
-
@gąska said in Your $100 smart lock is actually a $0.50 paperweight:
@dkf no one has a screwdriver like that.
~~Securityyy!~~ Fuck the customers!!!!
FTFY
-
@gurth said in Your $100 smart lock is actually a $0.50 paperweight:
it’s sufficient to make it secure enough that it’s too much trouble to circumvent for those who might want to
Yep, I have about 20k worth of jet engines in the garage on nice easy-to-move wheeled stands. I just chain them all together. Good luck trying to move 4 tons of stuff floppily joined. It would just take too much time to cut it all apart and one of my nosy neighbours would notice.
-
@cursorkeys said in Your $100 smart lock is actually a $0.50 paperweight:
Yep, I have about 20k worth of jet engines in the garage on nice easy-to-move wheeled stands. I just chain them all together. Good luck trying to move 4 tons of stuff floppily joined. It would just take too much time to cut it all apart and one of my nosy neighbours would notice.
Your main defensive measure is that scum don't know there's something valuable there that's easy to steal.
-
@dkf yeah, but now we know...
-
@swayde said in Your $100 smart lock is actually a $0.50 paperweight:
@dkf yeah, but now we know...
Yeah, but we're usually subscribers to round here…
-
@swayde said in Your $100 smart lock is actually a $0.50 paperweight:
yeah, but now we know...
dkf said the scum, not the dregs.
-
@oloeopia Ha, I thought it was just local access. But no, it's just a matter of time now for someone to remotely unlock (or brick!) every "Smart Lock" in the world.
Or get a dump of the entire database and sell it. That would probably be worth more.
-
@steve_the_cynic said in Your $100 smart lock is actually a $0.50 paperweight:
@benjamin-hall said in Your $100 smart lock is actually a $0.50 paperweight:
I've really only seen these locks for realtors--they put a house key in a box that has a blue-tooth code. The showing agent gets the code from the seller's agent and can show the house without needing anyone home and it improves security (fewer keys to lose, records of who went in/out when, etc). Any other use is
And yet I remember hurtling around eastern Massachusetts in the back of a realtor's car in 1984,
Wow, glad you got out of that okay. It's much harder to escape from modern cars.
-
@polygeekery said in Your $100 smart lock is actually a $0.50 paperweight:
You know those combination lock things that hold the keys? My BIL is a realtor on the side and when we were house shopping he gave me his MLS login information so we could peruse listings on our own. A surprising number of them just included the combination to the key safe in them.
So a few thousand lines of "1234"
-
@lorne-kates said in Your $100 smart lock is actually a $0.50 paperweight:
@polygeekery said in Your $100 smart lock is actually a $0.50 paperweight:
You know those combination lock things that hold the keys? My BIL is a realtor on the side and when we were house shopping he gave me his MLS login information so we could peruse listings on our own. A surprising number of them just included the combination to the key safe in them.
So a few thousand lines of "1234"
Worse than that. A fair number of them were the house number.
-
@cursorkeys said in Your $100 smart lock is actually a $0.50 paperweight:
Yep, I have about 20k worth of jet engines in the garage on nice easy-to-move wheeled stands. I just chain them all together. Good luck trying to move 4 tons of stuff floppily joined
Pfff, I'd just turn them all on and fly them away. Sucker.
-
@anonymous234 said in Your $100 smart lock is actually a $0.50 paperweight:
@tsaukpaetra The sonic screwdriver always seemed like a really cheap literary device. Just point it at something and buzz a bit, and it unlocks.
Yet, with these "smart locks" it suddenly seems entirely realistic.
Theory: the sonic screwdriver can actually only open a small subset of lock types. But the Time Lords went back to each civilization's industrial boom, and influenced their designers and engineers to favour certain design patterns and methodologies, which produce those lock types. Ingrained it so deep in the collective psyche that engineers will defend "the right way" with blinding, religious fervor. This ensured that every civilization produced locks and other offshoot tech that could be manipulated by the sonic screwdriver.
-
@dkf said in Your $100 smart lock is actually a $0.50 paperweight:
@coderpatsy said in Your $100 smart lock is actually a $0.50 paperweight:
Ugh. It's one of those horrible star-shaped screw heads.
They didn't even make it a security torx head.
-
And then . . .
-
What to do?
Tapplock user?
Get and install any and all patches provided. Apparently, the company has now addressed the most obvious web portal holes (guessable account IDs and no HTTPS), but we assume an app update will be needed as well.
Throw it in the garbage and get a padlock from the dollar store
-
Stand by for jeffing.
Resume talking about locks.
Go here for guns: https://what.thedailywtf.com/topic/25318/guns-don-t-kill-people-police-kill-people