Finnish cyber security company F-Secure has hacked and opened the “smart door lock” of the Korean manufacturer KeyWe with amazingly simple means.
For Rüdiger Trost, Head of Cyber Security Solutions at F-Secure, this is further proof that the so-called “Smart Home” still has to struggle with extreme security problems worldwide: “Outdated operating systems, poor programming, lack of standards – the now unmanageable number of networked devices makes the “smart” home a “dumb home“.
“Any consumer who relies on such devices will end up being the fool himself. We are finally calling for uniform, reliable standards in IT security for the Internet of Things.” This is confirmed by the results of the “Attack Landscape Report”, which in September 2019 registered a twelvefold increase in the number of attacks from the Internet compared to the same period last year. Much of these attacks were caused by insecure smart home devices, which are now attacking other devices under the control of hackers without the owner knowing.
Come on in
Users of the Korean manufacturer KeyWe ‘s supposedly “smart door lock” can open their doors at home using a smartphone app. However, F-Secure was able to handle the existing KeyWe security devices with quite simple means, by intercepting and manipulating the messages between the lock and the app. “All we needed was a little know-how, a small device to intercept the messages for 10 euros from the technology market and a little time to find the users” – said Krzysztof Marciniak, one of F-Secure’s cyber security consultants who performed the hack. F-Secure is holding back important details about the hack, as many of the locks are already in use, but there is no possibility of subsequently securing the devices with a security update. Nevertheless, F-Secure has published a security warning.
Hyppönens law: smart = vulnerable
“KeyWe ‘s customers have to replace their ‘smart’ locks completely or live with the risk. It is unacceptable that there are any networked devices that have no or only inadequate routines for security patches,” complains Rüdiger Trost. Instead, the smart home industry must finally commit itself to common standards and long-term security mechanisms. Especially in many crowdfunding projects, there are no guarantees as to how long the supposedly smart device will be supported and provided with security updates. “If you get involved with such ‘stupid’ products, you risk having your home pierced with numerous security holes like a Swiss cheese,” says Trost. Back in 2016, Mikko Hyppönen, Chief Research Officer at F-Secure, formulated his statement, now known as “Hypponen’s Law”: “Whenever a device is described as ‘smart’, it is vulnerable“.
F-Secure report: More and more IoT devices attack
In autumn 2019 this law was impressively confirmed in the “Attack Landscape Report”. The report is based on vulnerable servers that are placed on the net like bait (“honeypots”) and provoke attacks that are then documented by F-Secure. In the first half of 2019, F-Secure’s experts registered twelve times as many attacks as in the same period last year. With over 760 million attacks, or 26 percent of measured traffic, Telnet carried the largest share of the total number of attacks in the observed period. UPnP ranks second with 611 million attacks. SSH, which is also used by IoT devices, recorded 456 million attacks. The sources of these attacks are most likely IoT devices that have been infected with the Mirai malware, which was also most frequently detected on honeypots. Mirai infects routers, security cameras and other networked devices on the “Internet of Things” that still use factory defaults as credentials.
“The uncertainty of the ‘Internet of Things’ is growing as new devices emerge that are hijacked and integrated into botnets. And SMB protocol activity shows that there are still far too many devices out there that have never experienced a security patch” – Jarno Niemela, Principal Researcher at F-Secure.