While not IoT - Lock Picking Lawyer has a bunch of "smart" locks that he owns with very little effort. [1] My favourites are these RFID locks [2][3] and this fingerprint lock.[4]<p>[1] <a href="https://www.youtube.com/c/lockpickinglawyer/search?query=smart" rel="nofollow">https://www.youtube.com/c/lockpickinglawyer/search?query=sma...</a><p>[2] <a href="https://www.youtube.com/watch?v=z4lVylO7y5U" rel="nofollow">https://www.youtube.com/watch?v=z4lVylO7y5U</a><p>[3] <a href="https://www.youtube.com/watch?v=XXW27KKHtc8" rel="nofollow">https://www.youtube.com/watch?v=XXW27KKHtc8</a><p>[4] <a href="https://www.youtube.com/watch?v=pTys_WYBOLE" rel="nofollow">https://www.youtube.com/watch?v=pTys_WYBOLE</a>
It's really a shame that "IoT" locks are destroying the reputation of electronic locks.<p>A well-constructed electronic lock can be considerably more secure against non-destructive attack than any mechanical lock. Yet IoT locks continually have gross vulnerabilities that allow undetectable bypass-- an issue that even moderately good mechanical locks don't really have (even picking usually leaves evidence).
This is the funny part:<p>"the [cloud] server does have strong security" --> oh, good<p>"and that users’ data have been encrypted by the MD5 algorithm" --> WTF???
I've fiddled with IoT very little, yet with the little experience I have, I must say, I'm not surprised at all. And I think the main reasons are the ecosystems around IoT: they are a mess - no standards, no common communication protocols, none of that. So it is a bit of an "every man for himself" kind of thing. I have a few smart devices at home and it really boggles my mind how much they differ from one another when they connect to the Wi-Fi. Some fire up a tiny HTTP server which I would assume is used as a REST API, some use UDP connections, each one uses the most random port you can imagine, the developer documentation for all of them is nothing short of crap. I think the security vulnerabilities will start going down once:<p>1. Everything goes open source.<p>2. Everyone settles on a standard way of communicating between those devices.<p>Sure, vulnerabilities won't disappear completely but they will go down. At this stage, I feel like they aren't exploited due to lack of interest rather than good will or lack of opportunities.
> and that users’ data “have been encrypted by the MD5 algorithm”<p>Literal head-desk. They ought to be sued. There is so much wrong with that one statement.
Got an IoT smart lock? Watch out for hackers unlocking it from anywhere!<p>A security vulnerability discovered and responsibly reported by Craig Young of Tripwire exposes flaws in U-Tec UltraLoq locks, among other devices.