Thursday, June 14, 2018

When a security vendor ignores security - What could go wrong.

Another week, another embarrassing security issue.

I'm going for something light this week, to end the week smoothly.

So many news items to pick from, my eyes and heart landed on a highly secure digital padlock.




What could go wrong

Well, it seems everything could go wrong, since this padlock has a list of transgressions longer than Donald Trump's.

Note that their selling points include a ZAMAK 3 zinc alloy metal body with a cut-resistant stainless steel shackle, a double-layered design with anti-shim and anti-pry... bla bla bla...

Pretty solid lock, right? Well... If you lose access to the padlock, no worries, just get a GoPro sticky mount pad, stick it to the back and twist the back open. Once it's popped open, it's pretty easy to physically unlock it. That's right... the back twists and pops off... you know... for maintenance and oil changes!

Twist and pop!



And on the digital front, they claim military grade security. AES128 isn't really military grade, but we can let that one slide. What is interesting is the fact that the communications between the cloud and the lock are all done over the very secure HTTP protocol. That's right folks, no S on the HTTP.

The Bluetooth Low Energy side: vulnerable to a replay attack (easy hack). The unlock exchange never changes, so a message that worked once works again.

Quote from the research article:  


Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.
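To make the replay point concrete for your own projects, here is an added toy model (mine, not the researchers' code and not anything from the lock vendor) of the two designs side by side: a lock whose unlock message is a fixed value derived only from a broadcast identifier (the pattern the quote describes), and a lock that issues a fresh random challenge and expects an HMAC computed with a secret provisioned at pairing time. The MAC address and the secrets are constructed sample values; the class and function names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifier for the toy lock (not a real device value).
LOCK_MAC = "AA:BB:CC:DD:EE:01"


class StaticTokenLock:
    """Replayable design: the unlock message is a fixed value derived only from
    something the lock broadcasts, so any captured message unlocks it forever.
    (Hypothetical derivation for illustration: SHA-256 of the MAC string.)"""

    def __init__(self, mac: str) -> None:
        self.mac = mac
        self.token = hashlib.sha256(mac.encode()).hexdigest()

    def unlock(self, message: str) -> bool:
        # Same check every time; nothing ties the message to this attempt.
        return hmac.compare_digest(message, self.token)


class ChallengeResponseLock:
    """Hardened design: a per-device secret provisioned at pairing (not
    derivable from anything broadcast) plus a single-use random nonce."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: bytes | None = None

    def challenge(self) -> bytes:
        # Fresh 128-bit nonce for this attempt only.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge: nothing to respond to
        expected = hmac.new(self._secret, self._pending, hashlib.sha256).digest()
        self._pending = None  # nonce is consumed whether or not the response matched
        return hmac.compare_digest(response, expected)


def owner_response(secret: bytes, nonce: bytes) -> bytes:
    """What the legitimate owner app computes for a given challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def simulate_replay() -> dict:
    """Run one legitimate unlock against each lock, then resend the very same
    message an observer could have captured, and report what each lock did."""
    # Design 1: static token. The captured message is as good as the owner's.
    static_lock = StaticTokenLock(LOCK_MAC)
    owner_msg = static_lock.token
    static_first = static_lock.unlock(owner_msg)
    static_replay = static_lock.unlock(owner_msg)  # identical message, second time

    # Design 2: challenge-response. The captured response answers an old nonce.
    device_secret = secrets.token_bytes(32)  # provisioned at pairing, never broadcast
    cr_lock = ChallengeResponseLock(device_secret)
    nonce_1 = cr_lock.challenge()
    response_1 = owner_response(device_secret, nonce_1)
    cr_first = cr_lock.unlock(response_1)
    cr_lock.challenge()  # a new nonce is issued for the next attempt
    cr_replay = cr_lock.unlock(response_1)  # old response no longer matches

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "cr_first": cr_first,
        "cr_replay": cr_replay,
    }


if __name__ == "__main__":
    for name, outcome in simulate_replay().items():
        print(f"{name}: {'UNLOCKED' if outcome else 'refused'}")
```

The design point is the one the quote makes from the other side: if everything needed to build the unlock message is public (broadcast MAC, fixed key derivation), there is no secret for the lock to verify, and replay is just the laziest way to exploit that. The challenge-response version fails the replay for two independent reasons, the nonce changes on every attempt and the secret is not derivable from anything observable, and both are needed in a real product.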

I could go on and on, but the following two articles do a much better job providing something to laugh at and giving you something to avoid in your own projects.

Walk through of all the issues:
https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/

SC MAGAZINE article about it all:

https://www.scmagazine.com/tapplock-smart-locks-found-to-be-physically-and-digitally-vulnerable/article/773348/


LESSONS LEARNED

Having a "qualified" security person in any of these architecture and design meetings would certainly have made these issues float to the surface. Instead, the only thing that floated to the surface was a genuine sh*t product.

So, to be fair, they may have had a security person in these meetings. Either they had someone with inadequate qualifications, or they did what most startups (and, cough cough, large enterprises) do and said: shut up with all these issues, we need to push this to market to get our first round of financing through.

Kids, this is why we can't have nice things.  

If Gordon Ramsay had been in this kitchen, he would have told their CEO that he is either blind, incompetent or stupid, or a mix of all three.

Nothing wrong with making money, but it kinda stinks when you can't make "honest" money and produce "quality" products, especially when the product is a "security" product.

Do we really need more landfill?

**** (EOR) END OF RANT


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies


www.eva-technologies.com
