The first warning sign was “hackproof” in the 360Lock marketing materials.
As it turns out, with no surprise to any security professional, the NFC and Bluetooth enabled padlock proved to be anything but secure.
Straightforward penetration testing revealed horrible logical and physical security for a padlock that promotes itself as “incorruptible” and “hackproof”!
Digital Transformation is a rush to connect our physical world to the global electronic ecosystem to enable better access, integration, and advanced capabilities. Internet of Things (IoT) devices are often at the forefront of this movement, turning normal devices into ‘smart’ devices. Sometimes even the best ideas fail when it comes to design and execution.
This padlock has several innovative features such as connectivity to mobile applications, an included RFID wristband and tag for easy unlocking, configurability to add access for others, and a detailed history log. What it lacks however, is actual security.
Simple pentesting proved what was likely a foregone conclusion. The kickstarter funded lock is neither hackproof nor secure. Testers found that simple replay attacks could trick the logic to open the device. Additionally, crude brute-force methods were able to compromise the integrity of the lock mechanism. Pounding it with a hammer quickly defeated the padlock.
The results highlighted that the $40 lock is not robust and better served as a visual deterrent, casual locking device, or novelty item.
A massive quantity and vast diversity of smart devices are emerging. Most connect to the internet and require a high degree of security. Connectivity accentuates vulnerabilities. Sadly, many of the IoT devices consumers and businesses are embracing lack the necessary measure for security rigor, leaving users exposed and data vulnerable.
The 360Lock is not the only device that has poor security, but it does highlight two important points, emphasizing overall industry challenges.
First never trust any product that claims to be ‘unhackable’. Seasoned security professionals would never make such an outlandish assertion as to say a device is hackproof! The fact that 360Lock promoted their product in this way was the only indicator needed to instill great skepticism.
Second, this device’s weaknesses highlight the need for proper data transport security. Man-in-the-Middle (MitM) attacks, such as a replay attacks, are common tactics for hackers. Transactional security is absolutely critical to protect data and requests. Unfortunately, securing data in-transit between IoT devices on the edge and phones/PC/cloud-services requires the right expertise and tools. Most failures occur in how data protections are implemented and managed. As a rule, if a product manufacturer is not detailing their security, they likely do not have quality capabilities in place.
Consumers must be wary and realize that even dedicated security products, such as padlocks, can be victimized by poor development decisions. Trendy features are no replacement for solid security and reliability. IoT devices are often much less secure than the marketing materials and salesperson will reveal. Look for reputable manufacturers who have committed to work with the best technology, security integrators, and verification practices. Every consumer and business is responsible for understanding the risks accompanying the benefits of new technology.
Matthew Rosenquist is an industry-recognized pragmatic, passionate, and innovative strategic security expert with 28 years of experience. He thrives in challenging cybersecurity environments and in the face of ever shifting threats. A leader in identifying opportunities, driving industry change, and building mature security organizations, Matthew delivers capabilities for sustainable security postures. He has experience in protecting billions of dollars of corporate assets, consulting across industry verticals, understanding current and emerging risks, communicating opportunities, forging internal cooperation and executive buy-in, and developing practical strategies. Matthew is a trusted advisor, security expert, and evangelist for academia, businesses, and governments around the world. A public advocate for best-practices, and communicating the risks and opportunities emerging in cybersecurity. He delivers engaging keynotes, speeches, interviews, and consulting sessions at conferences and to audiences around the globe. He has attracted a large social following of security peers, is an active member on advisory boards, and quoted in news, magazines, and books. Matthew is a recognized industry expert, speaker, and leader who enjoys the pursuit of achieving optimal cybersecurity. Matthew Rosenquist is experienced in building world class teams and capabilities, managing security operations, evangelizing best-practices to the market, developing security products, and improving corporate security services.