The Internet of Things (IoT) is notorious for delivering three outcomes in worryingly many cases.
- connected product we didn’t know we needed.
- connected product we bought anyway.
- connected product Finally separated from the cupboard.
To be fair, not all IoT products fall into all, some, or some of these categories, but there are many that fall into at least one.
I had a home video camera with a non-unique “unique identifier”. A couple from Australia thought they could both see their living room, but suddenly discovered that each was monitoring the other third. party.
In England, there was a surveillance system showing the outside of an unknown pub by an unknown landlord, who he eventually tracked down with the help of a search engine and visited to enjoy a pint of fortified ale.
At the bar, he took a selfie with his cell phone enjoying his drink…using the bar’s camera. (He showed the picture to the landlord, who shares his joys and worries.)
And then there was the $99 smart bike lock. No more need to memorize combinations! No more fussing with keys in cold hands! – You can unlock your own lock in 0.8 seconds with the official app (or fingerprint), or open someone else’s lock in 2 seconds with the unofficial app.
No hacksaw required
That’s why the locksmith in the locksmith above (no hacker or hacksaw required) is from PTP, a well-known British penetration testing agency. pen test partner.
And when the researchers at PTP discovered a connected product they didn’t know they needed…
…they know right away they need it!
So when they discovered the digital suitcase Air Wheel SR5, they simply had to get one, who can reject a bag of Bluetooth-enabled autonomous robots? (We don’t make this.)
Why drag your carry-on luggage backwards when you can simply tie a Bluetooth wristband and have your luggage follow you through the airport, bypassing obstacles. It saves you the hassle of carrying all the extra weight you need in your suitcase (in the form of batteries and motors).
Well, PTP is why they may not trust SR5 at a busy airport, i.e. not very accurate.
It made vaguely confident progress, but it didn’t hold the course well, bumping into objects along the way the same way travelers who spent too much time in the airside bar did.
However, it was the design flaws that worried PTP the most. This means that the SR5 can pair with two different devices at the same time. As the researchers admitted, it achieved an unusual and actually pretty cool Bluetooth performance. pairing process.
Pair the SR5 with the supplied wristband and you can autonomously follow your surroundings. No need to use any other functions. It’s worryingly simple, using an app on your phone.
But unless you install the app and pair it with your own suitcase…
… .Someone else can pair for you, even if you tell them to follow you from behind.
Following your suitcase, the suitcase thief can pair your phone with your luggage thanks to a wired pairing code and simply take it out without touching it.
Make sure you can guess the “secret” PIN.
did you find out
Yes, that’s right. 11111111
.
(We guessed. 78482273
, on the basis that it spells SUITCASE
, However 1
The characters on the phone keypad don’t match at all.)
PTP also seems to indicate that your suitcase firmware isn’t digitally signed, which can allow for rogue firmware updates (like beacon tracking) and the company hasn’t brought the app to the Google Play Store yet, forcing you to sideload it instead.
What to do?
- If you can’t refuse this self-driving suitcase, Pair it with your own phone as well as your wristband to prevent your fellow airport travelers from trivially stealing it. (At least for now, we can assume that caring for a vaguely autonomous digital suitcase around modern airports will certainly draw attention to suitcases, if not you.)
- If you’re a programmer, don’t use wired passwords. In fact, don’t enable remote pairing by default to prevent unauthorized surprises. As PTP pointed out, picking a random password before shipping and putting the printout in your suitcase would be an easy place to start. Home router vendors are doing this with wireless access points these days and have largely eliminated the problem of native Wi-Fi credentials.
- If you are using the official Android app Do your best to get to the Play Store first. Google Play doesn’t completely block malware, but not being able to get a rating in the first place isn’t a good look for your product and we don’t encourage customers to install it. Ironically in this case (see what we did there?), you can’t protect your luggage from malicious pairing attempts without first installing an unverified app.
We couldn’t refuse emmeding PTP video, shows off a remote-controlled, self-driving suitcase in an incredibly active driving mode.
.