
Security flaws in a popular smart home hub let hackers unlock front doors – TechCrunch


When is a smart home not so smart? When it can be hacked.

That’s exactly what security researchers Chase Dardaman and Jason Wheeler did with one of the Zipato smart hubs. In new research published Tuesday and shared with TechCrunch, Dardaman and Wheeler found three security flaws which, when chained together, could be abused to open a front door with a smart lock.

Smart home technology has come under increasing scrutiny in the past year. Although convenient to some, security experts have long warned that adding an internet connection to a device increases the attack surface, making the devices less secure than their traditional counterparts. The smart home hubs that control a home’s smart devices, like water meters and even the front door lock, can be abused to allow landlords entry to a tenant’s home whenever they like.

In January, security expert Lesley Carhart wrote about her landlord’s decision to install smart locks — forcing her to look for a new home. Other renters and tenants have faced similar pressure from their landlords and even sued to retain the right to use a physical key.

Dardaman and Wheeler began looking into the ZipaMicro, a popular smart home hub developed by Croatian firm Zipato, some months ago, but only released their findings once the flaws had been fixed.

The researchers found they could extract the hub’s private SSH key for “root” — the user account with the highest level of access — from the memory card on the device. Anyone with the private key could access a device without needing a password, said Wheeler.

They later discovered that the private SSH key was hardcoded in every hub sold to customers — putting at risk every home with the same hub installed.
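A fleet operator can check for this condition by fingerprinting the root public keys each device trusts and flagging any fingerprint that appears on more than one device. The sketch below is an added example, not code from the researchers or Zipato; the inventory format, device names and key blobs are constructed, and it assumes key lines whose options, if any, contain no spaces.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of one public-key / authorized_keys line."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            blob = base64.b64decode(fields[i + 1], validate=True)
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key-type field found in line")

def shared_keys(inventory):
    """Map fingerprint -> sorted device IDs, for keys trusted by more than one device."""
    devices_by_fp = defaultdict(set)
    for device, lines in inventory.items():
        for line in lines:
            line = line.strip()
            if line and not line.startswith("#"):
                devices_by_fp[fingerprint(line)].add(device)
    return {fp: sorted(d) for fp, d in devices_by_fp.items() if len(d) > 1}

def _fake_key(label):
    # Constructed stand-in for a key blob; real blobs are longer but hash the same way.
    return "ssh-rsa " + base64.b64encode(label.encode()).decode() + " root@hub"

# Constructed inventory: three hubs trust the same root key, one has its own.
SAMPLE_INVENTORY = {
    "hub-001": [_fake_key("factory-image-key")],
    "hub-002": ["# provisioning", _fake_key("factory-image-key")],
    "hub-003": [_fake_key("factory-image-key")],
    "hub-004": [_fake_key("per-device-key-004")],
}

if __name__ == "__main__":
    for fp, devices in shared_keys(SAMPLE_INVENTORY).items():
        print(fp, "shared by", ", ".join(devices))
```
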

Using that private key, the researchers downloaded a file from the device containing scrambled passwords used to access the hub. They found that the smart hub uses a “pass-the-hash” authentication system, which doesn’t require knowing the user’s plaintext password, only the scrambled version. By taking the scrambled password and passing it to the smart hub, the researchers could trick the device into thinking they were the homeowner.
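The design weakness described above is that the stored value and the value the client presents are the same thing, so a copy of the password file is as good as the password. The following added example (not the hub's code; the class names, SHA-1 client hash and PBKDF2 parameters are assumptions for illustration) contrasts that design with a verifier that stores only a salted, slow hash of whatever the client presents.

```python
import hashlib
import hmac
import os

def client_hash(password):
    # What the client derives and sends; SHA-1 is an assumption for this demo.
    return hashlib.sha1(password.encode()).hexdigest()

class HashEquivalentVerifier:
    """Weak design: the stored value is exactly what the client sends."""
    def __init__(self):
        self.db = {}
    def enroll(self, user, password):
        self.db[user] = client_hash(password)
    def login(self, user, presented):
        return hmac.compare_digest(self.db.get(user, ""), presented)

class SlowHashVerifier:
    """Hardened design: store salt + PBKDF2 of the presented secret."""
    def __init__(self):
        self.db = {}
    @staticmethod
    def _derive(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)
    def enroll(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(password, salt))
    def login(self, user, presented):
        record = self.db.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(expected, self._derive(presented, salt))

def stored_record_logs_in(verifier, user):
    """Audit check: does a copy of the stored record authenticate on its own?"""
    record = verifier.db[user]
    copied = record if isinstance(record, str) else record[1].hex()
    return verifier.login(user, copied)

if __name__ == "__main__":
    for cls in (HashEquivalentVerifier, SlowHashVerifier):
        v = cls()
        v.enroll("owner", "correct horse")  # constructed credentials
        print(cls.__name__, "stored record accepted:", stored_record_logs_in(v, "owner"))
```
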

All an attacker had to do was send a command to tell the lock to open or close. With just a few lines of code, the researchers built a script that locked and unlocked a smart lock connected to a vulnerable smart hub.

The proof-of-concept code letting the hackers unlock a smart lock (Image: Chase Dardaman, Jason Wheeler)

Worse, Dardaman said that any apartment building that registered one main account for all the apartments in their building would allow them to “open any door” from that same password hash.

The researchers conceded that their findings weren’t a perfect skeleton key into everyone’s homes. In order to exploit the flaws, an attacker would need to be on the same Wi-Fi network as the vulnerable smart hub. Dardaman said any hub connected directly to the internet would be remotely exploitable. The researchers found five such vulnerable devices using Shodan, a search engine for publicly available devices and databases.

Zipato says it has 112,000 devices in 20,000 households, but the exact number of vulnerable hubs isn’t known.

We asked SmartRent, a Zipato customer and one of the largest smart home automation providers, and it said fewer than 5% of its apartment-owning customers were affected by the vulnerable technology. A spokesperson wouldn’t quantify the figure further. SmartRent said it had more than 20,000 installations in mid-February, just weeks before the researchers’ disclosure.

For its part, Zipato fixed the vulnerabilities within a few weeks of receiving the researchers’ disclosure.

Zipato’s chief executive Sebastian Popovic told TechCrunch that each smart hub now comes with a unique private SSH key and other security improvements. Zipato has also since discontinued the ZipaMicro hub in favor of one of its newer products.

Smart home tech isn’t likely to go away any time soon. Figures from research firm IDC estimate more than 832 million smart home devices will be sold in 2019, just as states and countries crack down on poor security in internet-connected devices.

That’s also likely to bring more scrutiny to smart home tech by hackers and security researchers alike.

“We want to show that there is a risk to this kind of tech, and apartment buildings or even individual consumers need to know that these are not necessarily safer than a traditional door lock,” said Dardaman.





Paramount+ will carry new Star Trek series Strange New Worlds and Prodigy


Key art for the new Star Trek series Star Trek: Prodigy. (Image: ViacomCBS)

In an online event for investors, ViacomCBS revealed several new details about CBS All Access replacement Paramount+, including pricing as well as two new Star Trek series that will premiere on the network. Also, the company announced that a much-anticipated Showtime show will end up on Paramount+ instead.

Paramount+, which was announced several months ago, will launch on March 4 in the United States, Canada, and 18 Latin American countries. As with CBS All Access, both an ad-supported and ad-free plan will be offered. In the US, the ad-supported one will cost $4.99 per month, while the ad-free plan will cost $9.99.

That $4.99 per month is $1 cheaper than the ad-supported version of CBS All Access. However, this cheaper plan will not include local CBS stations. The service is also expected to launch in Nordic countries within a few weeks and in Australia sometime later this year.

When it launches, Paramount+ will have 2,500 films and 30,000 TV episodes, according to ViacomCBS executives. That will include some original series, many of which will be available in 4K and Dolby Vision HDR.

Original series will include those we’ve already seen on CBS All Access, including the large slate of Star Trek shows such as Discovery, Picard, and Lower Decks.

Two new Star Trek series have recently been announced: a CG animated kids’ show called Star Trek: Prodigy, and a spinoff about Captain Pike and Mr. Spock called Star Trek: Strange New Worlds. Prodigy was planned for airing on Nickelodeon (which is owned by the Viacom part of ViacomCBS), and it will still air there, but only after appearing on Paramount+ first.

Additionally, it has been confirmed that the long-anticipated and much-delayed series based on the video game franchise Halo will be delivered via Paramount+; it was originally planned as a Showtime series. Steven Spielberg is an executive producer on the show, which is planned to premiere in the first quarter of 2022. According to Deadline, shooting was well underway when the pandemic forced a shutdown. During the break, it was decided to move the show to the broad-audience Paramount+ service rather than “adult” and “sophisticated” Showtime. (Those descriptors were used by Showtime exec David Nevins to describe the network.)

Other content includes a Frasier reboot, as well as some 2021 theatrical film releases like Mission Impossible 7.


Google’s Wear OS neglect has left voice activation broken for months


A Wear OS watch. (Image: Ron Amadeo)

Poor, dying Wear OS.

Apparently, the Google Assistant on Wear OS has been broken for months, and until now, no one at Google has noticed. About four months ago, diehard Wear OS users started a thread on the public Android issue tracker saying that the “OK Google” hotword no longer worked on Wear OS, and several claimed that the feature has been broken for months. Recently, news of the 900-user-strong thread spilled over to the Android subreddit, and after 9to5Google and other news sites picked it up, Google has finally commented on the issue.

The Verge quotes a Google spokesperson as saying the company is “aware of the issues some users have been encountering,” and it will “address these and improve the overall experience.” Google didn’t give an ETA on how long a fix would take. Google offered a similar boiler-plate response back in that November thread, with a rep saying, “We’ve shared this with our engineering teams and will continue to provide updates as more information becomes available.”

Wear OS’ broken voice system is the latest in a long line of signs that Wear OS is a dead platform and that it has been abandoned by Google. Google’s last major update for Wear OS was in 2018, and many of Google’s newer services have opted to not support the platform. Google Play Music had a standalone offline music app for Wear OS, which was fantastic if someone was out jogging and wanted to leave their phone at home. Play Music is dead now, and its replacement, YouTube Music, supports the Apple Watch but not Wear OS. Google Hangouts is another dying Google app that had great support for Wear OS, but its replacement, Google Chat, doesn’t support the OS. Updates to Google Fit a few months ago killed the Wear OS weight training feature, which was one of the best parts of the platform.

Wear OS’ hardware has also been a disaster. Qualcomm suffocated the platform by letting it go six years without a significant SoC upgrade, leading to slow hardware that struggled to run the latest features. Every major hardware company that once supported Wear OS—brands like Samsung, LG, Motorola, Huawei, Asus, and Sony—has abandoned it. Wear OS devices are only sold by fashion brands now.

Google’s new fling in the wearables space is with Fitbit, a company it recently acquired for $2.1 billion. Years ago, Fitbit was a trailblazer in simple, cheap step counters, but today the company is an also-ran with single-digit market share. Fitbit hasn’t been able to adapt to low-end pressure from cheap Chinese fitness trackers and high-end competition from the Apple Watch. It’s not clear how combining Fitbit’s failing wearables company with Google’s failing wearables division will lead to any kind of success, but at this point, all we can do is wait and watch.


Framework startup designed a thin, modular, repairable 13-inch laptop


The Framework laptop certainly seems slim enough in this studio shot. Note the seams around the USB-C ports on the side—those are user-replaceable modules. (Image: Framework)

Laptops these days are slimmer, sleeker, and lighter than ever—but their repairability and configurability are taking enormous hits in the process. Framework is seeking to roll back the clock in a good way with its first product, the upcoming Framework 13.5-inch laptop.

Following the lead of companies like Fairphone, the startup is focused on respecting users’ right to repair by building systems focused on modular design, with components that are easily configured, replaced, and even upgraded.

Not some massive block

Although Framework’s raison d’etre revolves around modularity, the company clearly understands that it can’t sacrifice sleek, lightweight design if it wants to maintain a wide appeal. It describes its first product, the upcoming Framework laptop, as “similar to a Dell XPS… thin, not some massive block.” The early product shots and specifications seem to bear that out:

  • 13.5-inch 3:2 screen @ 2256×1504
  • 1.3kg (2.9lb) milled aluminum chassis
  • 15.9mm thick
  • configurable Intel Tiger Lake (11th gen) CPU
  • configurable Wi-Fi up to Wi-Fi 6E
  • configurable RAM up to 64GiB DDR4
  • configurable NVMe storage “4TB or more”
  • 1080p webcam @ 60fps
  • 57Wh battery

Framework’s off-the-cuff comparison seems pretty reasonable, with specs equivalent to or slightly better than those available on Dell’s XPS 13. It is 0.1kg heavier and 1.1mm thicker than the XPS 13—but we don’t think that’s going to be a dealbreaker for most people.

Modularity

You can go a long way toward making a laptop repairable by simply including standard sockets rather than soldering everything down to the board. I’ve been personally frustrated with the latter practice many times this year—soldered components not only prevent you from repairing laptops when they fail, but in many cases, they stop you from even configuring machines as you’d prefer.

Framework pledges to do away with all of that—specifications, product shots, and even video shown to us in confidence show easily accessible sockets for RAM, storage, and Wi-Fi. The company also pledges to offer future motherboard swaps to allow for upgrading the CPU without replacing the entire laptop—although frankly, we’re a bit extra skeptical about that claim until we see it in action; it’s difficult to predict how physical layouts and thermal needs will change with entire future hardware generations.

Beyond the standard sockets we used to expect from laptops, Framework will introduce the concept of configurable external ports. Instead of building the chassis with a specific port layout, the machine has been designed with four bays which fit what the company is calling “Expansion Cards”—these offer USB-C, USB-A, HDMI, DisplayPort, microSD, and even 3.5mm headphone ports. With this system, users will be able to decide for themselves not only what ports they need but which side of the laptop to put them on.

Finally, the company pledges to make the Framework laptop user-serviceable by focusing on ease of replacement—and availability—of frequently replaced parts, including battery, screen, keyboard, and bezel. The company also pledges to open its hardware ecosystem up to third parties, which will be able to design, build, and sell compatible modules via a Framework Marketplace.

Too good to be true?

Framework is promising an awful lot in its very first product—“thin as an XPS 13, repairable as a custom-built gaming PC” is a pretty tall order to live up to. We very much want to believe, but it’s going to take a full Ars Technica teardown before we’re completely convinced.

Although we’re skeptical, we are hopeful—the fledgling company does have a pretty solid pedigree. Framework founder Nirav Patel was Oculus VR’s head of hardware from 2012-2017, and he was a Facebook director of engineering beyond that. The company’s team also includes design, engineering, and operations people hailing from Apple, Google, and Lenovo.

The Framework laptop is expected to become widely available this summer—and a company representative promised us a hands-on review unit as soon as one becomes available.
