Have you ever been really passionate about the potential of a particular technology but constantly disappointed by its reality? This is how I feel about smart locks. In theory, they make a hell of a lot of sense in that they eschew the need for keys. I live in Berlin, where if you were to lose the front door key to your apartment, you are usually required to pay for the replacement keys for every tenant. At an average of 200€ per lock, it’s not a cheap mistake. Fortunately, you can get insurance in case of this very situation, but will smart locks be a solution in the future?
Cybersecurity expert Yossi Atias, General Manager, IoT Security at Dojo by BullGuard, took the stage at this week’s Mobile World Congress to demonstrate a live hack of the Amazon Ring video doorbell, exposing a previously unknown vulnerability in the popular IoT device. The hack revealed that unencrypted transmission of audio and/or video footage to the Ring application allows for arbitrary surveillance and injection of counterfeit video traffic, effectively compromising home security and putting family members’ safety at risk.
People Aren’t Who You Think They Are
Launched in 2012 and acquired in February 2018 by Amazon, the main feature of the Ring video doorbell is two-way communication between the smart video doorbell and the user’s mobile app, which acts as a security camera and allows the user to confirm who is ringing their doorbell from anywhere in the world via the internet. Presuming the Ring owner is away from home, they can see who is at their door and then remotely open the door if a supported smart lock is installed to let the housecleaner or babysitter in, for example.
The Ring video doorbell vulnerability lies between the cloud service and the Ring mobile application. In the Ring video doorbell hack, Atias was able to change the video feed so the end user ‘believed’ they were seeing someone they know and had let in previously.
“This particular vulnerability is complex because it is between the cloud and the Ring mobile app, and is acted upon when the Ring video doorbell owner is away from home — meaning the package delivery person, housecleaner or babysitter might not actually be the same person at your door.”
Dojo’s cybersecurity experts were able to gain access to the application traffic without difficulty. When the owner is in transit, a hacker can open a rogue Wi-Fi connection near the owner and wait for them to join, or join a common public network. Once sharing a network, a simple ARP spoof allows the hacker to capture Ring data traffic before passing it on to the mobile app, and certain 3G/4G configurations may allow intra-network poisoning as well. Encrypting the upstream RTP (Real-Time Transport Protocol) traffic will not make forgery any harder if the downstream traffic is not secure, and encrypting the downstream SIP (Session Initiation Protocol) transmission will not thwart stream interception.
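As an added example (not code from this article, Dojo or Ring), the Python check below audits a SIP message and its SDP body for the point made above: signaling and media each need their own protection. The sample INVITE is constructed, and the name audit_session is hypothetical.

```python
import re

# Constructed SIP INVITE with SDP body; not captured from Ring or any real device.
SAMPLE_INVITE = (
    "INVITE sip:app@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/TLS cloud.example.invalid:5061;branch=z9hG4bKconstructed\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=constructed\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 40000 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\r\n"
    "m=video 40002 RTP/AVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
)

# SDP transport profiles that carry SRTP (SDES-keyed or DTLS-keyed).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
KEYING = ("a=crypto:", "a=fingerprint:")

def audit_session(message):
    """Return findings for unprotected SIP signaling or RTP media."""
    head, _, sdp = message.partition("\r\n\r\n")
    findings = []
    # Signaling: the Via header names the transport (UDP, TCP, TLS, ...).
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    if transport not in ("TLS", "WSS"):
        findings.append(f"signaling over {transport}: not encrypted in transit")
    # Media: m= names the profile; keying follows it or sits at session level.
    sections, session_keyed = [], False
    for line in sdp.splitlines():
        fields = line[2:].split()
        if line.startswith("m=") and len(fields) >= 3:
            sections.append([fields[0], fields[2].upper(), session_keyed])
        elif line.startswith(KEYING) and sections:
            sections[-1][2] = True
        elif line.startswith(KEYING):
            session_keyed = True
    for kind, proto, keyed in sections:
        if proto not in SRTP_PROFILES:
            findings.append(f"{kind} uses {proto}: plain RTP")
        elif not keyed:
            findings.append(f"{kind} offers {proto} without keying")
    return findings
```

Calling audit_session(SAMPLE_INVITE) flags only the video stream: the signaling is carried over TLS and the audio is SRTP, yet the video is still negotiated as plain RTP.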
Fortunately, Amazon has already released a new version of the Ring mobile app where this vulnerability has been fixed and the device is now safe from this kind of attack.
A Long History of Smart Lock Blunders
One need only read the agenda of the latest DEFCON or Black Hat conference to know smart locks are notoriously easy to hack. At every conference, hackers demonstrate it again. For example, in 2016, researchers Anthony Rose and Ben Ramsey revealed that out of 16 Bluetooth smart locks they had tested, 12 locks opened when wirelessly attacked. The locks — including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Evans, Okidokey and Mesh Motion — had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit.
They’re also vulnerable during upgrades. In 2017, hundreds of Internet-connected locks became inoperable, a problem lock maker Lockstate attributed to a faulty software update that resulted in a fatal system error. Lockstate’s RemoteLock 6i is a worldwide partner of Airbnb, meaning that many hosts were unable to remotely control their locks. The problem occurred when RemoteLock 6i units were sent a firmware update intended for RemoteLock 7i units, and subsequently the former could not be locked or receive over-the-air updates.
Inherent in connected hardware design are possible failure scenarios like problems with Internet connectivity, Wi-Fi, a residential blackout, remote updates or the system needing a reboot/restart. Surely, the possibility of product failure should have been anticipated in the design phase? Or does it negate the point of the connected product in the first place?
Is Facial Recognition Technology the Answer?
In late 2018, an Amazon patent application detailed the use of facial recognition in home security. The patent credits Jamie Siminoff, the CEO of Ring, as its inventor. Ring was acquired by Amazon last year. The patent proposes that users add suspicious individuals to a watch list, which is shared by a network of connected homes that all use the biometric doorbell system. If these individuals are identified by the face-scanning doorbell, an alert is sent to the homeowner. Regular visitors such as mail carriers are added to a list of authorized persons.
The patent further “anticipates targeting an arsenal of other biometrics, including fingerprints, skin-texture analysis, DNA, palm-vein analysis, hand geometry, iris recognition, odor/scent recognition, and even behavioral characteristics, like typing rhythm, gait, and voice recognition,” suggesting this is only the beginning of Amazon’s plans.
Less well-known companies have announced they are focused on biometric smart locks. Tuya Smart is unveiling Smart Home 2.0 this year, a security system equipped with artificial intelligence and capable of facial recognition. The company asserts it can identify someone based on a single photograph. Similarly, ElecPro has created a smart lock with a built-in camera that connects to a corresponding app to provide two-way audio, fingerprint scanning, and additional security with facial recognition.
Given the parlous state of smart locks over the last few years with their ease of hackability and their failure to secure during software updates, it will be interesting to see what facial recognition brings to the security market. Will it solve some of the pain points, or be another opportunity for smart home security companies to fall on their sword?
Originally published at dzone.com.