The Internet of Things (IoT) is notorious for delivering three outcomes in worryingly many cases:
- a connected product we didn't know we needed.
- a connected product we bought anyway.
- a connected product that ended up in the cupboard.
To be fair, not all IoT products fall into all, or even any, of these categories, but plenty of them fall into at least one.
There was the home video camera with a non-unique "unique identifier": a couple in Australia thought they were both looking at their own living room, only to discover that each of them was actually watching a third party's home.
In England, there was a surveillance system that showed the outside of an unknown pub, run by an unknown landlord, whom the viewer eventually tracked down with the help of a search engine and visited to enjoy a pint of ale.
At the bar, he took a selfie with his phone, drink in hand... using the pub's own camera. (He showed the picture to the landlord, who shared both his amusement and his concern.)
And then there was the $99 smart bike lock. No more combinations to memorise! No more fumbling with keys in cold hands! You could unlock your own lock in 0.8 seconds with the official app (or a fingerprint), or open someone else's lock in 2 seconds with an unofficial app.
No hacksaw required
The lock-opening research mentioned above (no hacker skills or hacksaw required) came from PTP, Pen Test Partners, a well-known British penetration testing company.
And when the researchers at PTP discover a connected product they didn't know they needed...
...they know right away that they need it!
So when they came across the Air Wheel SR5 digital suitcase, they simply had to get one. Who could turn down a Bluetooth-enabled autonomous robot suitcase? (We are not making this up.)
Why drag your carry-on luggage behind you when you can simply strap on a Bluetooth wristband and have your luggage follow you through the airport, steering around obstacles on the way? It saves you the hassle of pulling along all the extra weight the suitcase carries in the form of its battery and motor.
Well, PTP found a reason they wouldn't trust the SR5 in a busy airport: it isn't very accurate.
It made vaguely confident progress, but it didn't hold its course well, and it bumped into things and veered about in much the same way as travellers who have spent too long in the airside bar.
However, it was the design flaws that worried PTP the most, notably that the SR5 can be paired with two different devices at the same time. As the researchers admitted, this is achieved with an unusual, and actually pretty cool, Bluetooth pairing process.
Pair the SR5 with the supplied wristband and it will follow you around autonomously. Every other function is controlled, worryingly simply, by an app on your phone.
But unless you install the app and pair it with your own suitcase...
...someone else can pair with it instead, even while it is following you.
While the suitcase is trailing along behind you, a thief can pair their phone with your luggage thanks to a hardcoded pairing code, and simply drive it away without ever touching it.
See if you can guess the "secret" PIN.
Did you figure it out?
Yes, that's right: 11111111.
(We guessed 78482273, on the basis that it spells SUITCASE, but 1 doesn't correspond to any letters on a phone keypad at all.)
PTP also warns of the possibility of rogue firmware updates (tracking beacons, anyone?), because the suitcase firmware doesn't appear to be digitally signed, and the company has yet to get its app into the Google Play Store, forcing users to sideload it instead.
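The fix for unsigned firmware is for the device to refuse any image whose signature does not verify against a vendor public key baked into its bootloader. The following is an added example, not code from PTP or from the suitcase vendor: a constructed image format (4-byte version plus payload), a build-side signer, and the device-side check, including a downgrade refusal so that an older signed build cannot be replayed. The key pair, the image layout and the function names are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example): 4-byte big-endian version
// number, then the payload. The vendor's Ed25519 signature covers all of it.
type FirmwareUpdate struct {
	Image     []byte
	Signature []byte
}

// BuildSignedUpdate runs on the vendor's build server, which holds the
// private key. The device never sees this key.
func BuildSignedUpdate(vendorPriv ed25519.PrivateKey, version uint32, payload []byte) FirmwareUpdate {
	image := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(image, version)
	copy(image[4:], payload)
	return FirmwareUpdate{Image: image, Signature: ed25519.Sign(vendorPriv, image)}
}

var (
	ErrBadSignature = errors.New("firmware signature does not verify")
	ErrRollback     = errors.New("firmware version is not newer than installed")
)

// ApplyUpdate is the device-side check: the vendor public key is baked into
// the bootloader, the signature is verified over the whole image before
// anything is written, and downgrades are refused so an attacker cannot
// replay an older signed build. It returns the version now installed.
func ApplyUpdate(vendorPub ed25519.PublicKey, installed uint32, upd FirmwareUpdate) (uint32, error) {
	if len(upd.Image) < 4 {
		return installed, ErrBadSignature
	}
	if !ed25519.Verify(vendorPub, upd.Image, upd.Signature) {
		return installed, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(upd.Image[:4])
	if version <= installed {
		return installed, ErrRollback
	}
	// The flash write would happen here, only after both checks pass.
	return version, nil
}

func main() {
	// Constructed vendor key pair; a real device ships only the public half.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := BuildSignedUpdate(vendorPriv, 2, []byte("follow-me firmware v2"))
	v, err := ApplyUpdate(vendorPub, 1, genuine)
	fmt.Println("genuine update:", v, err)

	// Tampered copy: one payload byte flipped, signature left unchanged.
	tampered := FirmwareUpdate{Image: append([]byte(nil), genuine.Image...), Signature: genuine.Signature}
	tampered.Image[len(tampered.Image)-1] ^= 0x01
	_, err = ApplyUpdate(vendorPub, 1, tampered)
	fmt.Println("tampered update:", err)

	// Signed by a key that is not the vendor's.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := BuildSignedUpdate(otherPriv, 3, []byte("beacon"))
	_, err = ApplyUpdate(vendorPub, 1, rogue)
	fmt.Println("rogue-key update:", err)
}
```

The signature is checked over the version field as well as the payload, so the version cannot be edited to slip past the rollback check without also invalidating the signature.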
What to do?
- If you can't resist this self-driving suitcase, pair it with your own phone as well as your wristband, to stop your fellow travellers from trivially stealing it. (For now, at least, we assume that driving a vaguely autonomous digital suitcase around a modern airport will draw plenty of attention to the suitcase, if not to you.)
- If you're a programmer, don't use hardcoded passwords. In fact, don't enable remote pairing by default, to avoid unauthorised surprises. As PTP pointed out, picking a random password before shipping and putting a printout of it inside the suitcase would be an easy place to start. Home router vendors now do this for wireless access points and have largely eliminated the problem of default Wi-Fi credentials.
- If you have an official Android app, do your best to get it into the Play Store first. Google Play doesn't block malware completely, but not even being listed there isn't a good look for your product, and we don't encourage customers to sideload apps. Ironically, in this case (see what we did there?), you can't protect your luggage from rogue pairing attempts without first installing an unverified app.
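The two programmer-side recommendations above (a random per-device PIN printed on a label, and remote pairing off by default) fit together as one small piece of device logic. The following is an added example and is not code from PTP or from the suitcase vendor: the factory draws an eight-digit PIN from a cryptographic RNG and rejects guessable ones such as 11111111, and the pairing handler only accepts a phone while the owner holds a pairing button, compares the PIN in constant time, and allows a single paired phone at a time, so a second device cannot quietly pair alongside the owner's. The pairing button, the one-phone limit and all names are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// pinLength matches the eight-digit PIN described in the article.
const pinLength = 8

// isWeakPIN rejects the PINs a stranger would try first: wrong length,
// non-digits, a single repeated digit (11111111), or a straight run
// up or down (12345678, 87654321).
func isWeakPIN(pin string) bool {
	if len(pin) != pinLength {
		return true
	}
	same, up, down := true, true, true
	for i := 0; i < len(pin); i++ {
		if pin[i] < '0' || pin[i] > '9' {
			return true
		}
		if i == 0 {
			continue
		}
		if pin[i] != pin[0] {
			same = false
		}
		if pin[i] != pin[i-1]+1 {
			up = false
		}
		if pin[i] != pin[i-1]-1 {
			down = false
		}
	}
	return same || up || down
}

// NewDevicePIN is what the factory would run once per unit: draw a PIN
// from a cryptographic RNG and retry until it passes the weak-PIN policy.
// The result goes on the label that ships inside the suitcase.
func NewDevicePIN() (string, error) {
	limit := big.NewInt(100000000) // 10^8 possible eight-digit PINs
	for attempt := 0; attempt < 100; attempt++ {
		n, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		pin := fmt.Sprintf("%08d", n.Int64())
		if !isWeakPIN(pin) {
			return pin, nil
		}
	}
	return "", errors.New("no acceptable PIN after 100 attempts")
}

var (
	ErrPairingClosed = errors.New("pairing window is closed")
	ErrBadPIN        = errors.New("wrong PIN")
	ErrAlreadyPaired = errors.New("another phone is already paired")
)

// Suitcase models the pairing state. Remote pairing is closed by default
// and only opens while the owner presses a (hypothetical) pairing button.
type Suitcase struct {
	pin         string
	pairingOpen bool
	pairedPhone string
}

func NewSuitcase(pin string) *Suitcase { return &Suitcase{pin: pin} }

// OpenPairingWindow is the owner's physical action on the case.
func (s *Suitcase) OpenPairingWindow() { s.pairingOpen = true }

// Pair is the Bluetooth pairing handler: it refuses while the window is
// closed, compares the PIN in constant time, and keeps at most one phone.
func (s *Suitcase) Pair(phoneID, pin string) error {
	if !s.pairingOpen {
		return ErrPairingClosed
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(s.pin)) != 1 {
		return ErrBadPIN
	}
	if s.pairedPhone != "" && s.pairedPhone != phoneID {
		return ErrAlreadyPaired
	}
	s.pairedPhone = phoneID
	s.pairingOpen = false // one successful pairing closes the window again
	return nil
}

func (s *Suitcase) PairedPhone() string { return s.pairedPhone }

func main() {
	pin, err := NewDevicePIN()
	if err != nil {
		panic(err)
	}
	bag := NewSuitcase(pin)
	fmt.Println("stranger, window closed:", bag.Pair("stranger-phone", pin))
	bag.OpenPairingWindow()
	fmt.Println("owner pairs:", bag.Pair("owner-phone", pin))
	fmt.Println("stranger afterwards:", bag.Pair("stranger-phone", pin))
}
```

Note that the weak-PIN filter only matters on the generation side; the pairing handler relies on the PIN being unique per unit and on the window being closed by default, not on the PIN being hard to guess.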
We couldn't resist embedding PTP's video of the autonomous suitcase being driven remotely in a decidedly lively driving mode.