Jump to content

Major Security Flaw In Apple's HomeKit


marcin

Recommended Posts

Posted

How A Few Words To Siri Unlocked A Man's Front Door And Exposed A Major Security Flaw In Apple's HomeKit

 

http://www.forbes.com/sites/aarontilley/2016/09/21/apple-homekit-siri-security/#795adeb26e8a

 

Its funny everyone is reading the same tech blogs this week. As for this user *Marcus* none of this surprises me the least as the millennial group of folks really don't put too much thought into what they do or the consequences of.

 

I have blogged about this since the whole voice control has ramped up.

 

Almost every month I read about some moron who insists upon adding in their GDO / door locks to Echo, Siri, Cortona, etc. These people believe they are smarter than anyone else when in fact their actions clearly show they have the IQ of a potato.

 

Its quite comical to read these articles which I am sure many more will surface. The fact the title states there is a major flaw in Apple Home Kit just screams trolling to the nth degree.

 

Because the reality, stupid is - is stupid does!  

Posted

...but if you forget your keys you only have to go to a window and yell...

 

. . "Alexa! Unlock the doors!"

 

How convenient is that for safety item? Backup for key loss!

Posted

...but if you forget your keys you only have to go to a window and yell...

 

. . "Alexa! Unlock the doors!"

 

How convenient is that for safety item? Backup for key loss!

 

Why does that matter anyways? 

 

All the people who insist upon doing so - see absolutely no problem in doing this in the first place. The first thing that comes out of their mouth is I am smarter. I have all of these super fancy programs or fail over devices to protect my stupid aszz. To I am very careful and live in the desert all alone so nothing like this could ever happen.

 

The sad reality is convenience supersedes common sense in this world. This has been seen by the rampant adoption of tap and go CC / debit cards. This has been seen by the fact anyone with the worst credit rating in the history of man can still obtain a fictitious *Gold, Platinum, Diamond CC.

 

The very fact so called smart people are all riding the same pathetic band wagon of self driving cars defies not only common sense but logic.

 

When that little old lady, child, dog gets run over by a self driving car I will be ready in the side lines to yell out I told you so. The best thing that could happen is a EMP right now to take out the stupid.

Posted

How A Few Words To Siri Unlocked A Man's Front Door And Exposed A Major Security Flaw In Apple's HomeKit

 

http://www.forbes.com/sites/aarontilley/2016/09/21/apple-homekit-siri-security/#795adeb26e8a

As much as I'm not a fan of Apple, this isn't really a security flaw, just a stupid user.

 

Automatically unlocking your door any time should not be done. Now Apple should probably require Siri to ask for a PIN when locking/unlocking door locks, but the current method (PIN protecting the Siri device) does work, and the user didn't use it.

 

FWIW I believe Amazon Echo doesn't allow any keywords like "unlock".

 

Sent from my SM-N910W8 using Tapatalk

Posted

FWIW I believe Amazon Echo doesn't allow any keywords like "unlock".

 

Sent from my SM-N910W8 using Tapatalk

 

Alexa does not allow you to open the lock, you can lock it or check the status but not unlock....

 

 

You will have some shady characters walking around the neighborhood yelling "Siri open..."

Posted

It really doesn't matter - These articles simply high light the direction of hell the world is going to. The only positive is (IF) this sort of thing makes people think twice before doing so.

 

That is the only benefit - then again if I or anyone has to tell someone not to do this kind of thing. You really have to take pause and consider how much grey matter is inside of that brain.

Posted

Yeah but I am smarter than that, Chicken Little! :)

 

Why would I need some electronics to unlock my doors anyway?

I use keypad locks that take 1.2 seconds to eneter a combination to open them and they lock behind me automatically. They are never unlocked when closed.

 

My car doesn't use a key either.

 

I like the one with people at the "game at the stadium"

 

Thief breaks into your car

Hotwires the ignition.

Tells the GPS to "Go Home"

Get close to the house and the garage door opens automatically or via the magic button on the visor.

Yells into the door "Alexa, unlock the doors"

House turns on the lights for you and disables the alarm system.

You steal everything of value and leave the taps on with the sinks plugged, just to "make your mark"

 

Police are called and want you to prove you didn't "invite your guest into your home and willingly offer your car to get there."

 

duh, Now how do I prove I didn't? Cripes I even turned the lights on so they could see properly. :)

 

It's along and winding road.

Posted

Yeah but I am smarter than that, Chicken Little! :)

 

Why would I need some electronics to unlock my doors anyway?

I use keypad locks that take 1.2 seconds to eneter a combination to open them and they lock behind me automatically. They are never unlocked when closed.

 

My car doesn't use a key either.

 

I like the one with people at the "game at the stadium"

 

Thief breaks into your car

Hotwires the ignition.

Tells the GPS to "Go Home"

Get close to the house and the garage door opens automatically or via the magic button on the visor.

Yells into the door "Alexa, unlock the doors"

House turns on the lights for you and disables the alarm system.

You steal everything of value and leave the taps on with the sinks plugged, just to "make your mark"

 

Police are called and want you to prove you didn't "invite your guest into your home and willingly offer your car to get there."

 

duh, Now how do I prove I didn't? Cripes I even turned the lights on so they could see properly. :)

 

It's along and winding road.

Well, guess what... All the cars that don't need keys have been hacked. The private keys used in the encryption have been discovered and published. There are now Arduino devices that can unlock almost every car that uses a dongle.

 

Best regards,

Gary Funk

Posted

Well, guess what... All the cars that don't need keys have been hacked. The private keys used in the encryption have been discovered and published. There are now Arduino devices that can unlock almost every car that uses a dongle.

Best regards,

Gary Funk

Yup and there is a group of hackers out there that have hacked running vehicles on the highway and forced them off the road, in a test, 'cause the manufacturers think they can share one CPU between all the cars functions.

 

Keep you radio turned off and avoid cars with WiFi and CPU based smarts in them, Scott...ooops I meant Gary.:)

Posted

In the big picture if more of these stories come out it just make the hardware vendors think long and hard about proper use cases. My fears of the stupid ruining the whole HA aspect is fast approaching in the world. You can mark my word the Government or some random body will step in to regulate the market.

 

This was said about the Internet long ago and yet the inept said *You can't limit or control the internet* really?

 

Obviously these people were wrong and all manner of spying, regulations, and hacking is prevalent.

 

At some point HA will be very common place but the sad reality is many industries not concerned or even knew about HA will start to take their pound of flesh. My *Teken* crystal ball will predict the insurance co's will be one of the first to take heed and abuse this current fad.

 

*You left a voice activated device freely available to open your home?* Well, no insurance coverage stupid!

 

*You crushed some kid / car with your voice controlled Echo, Dot, Tap, Siri, Cortana?* Well, guess what you're going to to jail for being stupid and being charged for malice intent and anything else we can think of.

 

*Your occupant just died because he wasn't actually driving?* Driving is a active process - You thought it was a good idea to let a computer have complete command and control of the vehicle when it ran over a dog, child, old lady?

 

Well guess what stupid - you're going to jail because you're truly too stupid to live . . .

 

These are the examples which may sound on the surface to be silly and unbelievable. But rest assured all of this will come to pass and I wait in the side lines to say - I told you so!

 

Everyday I find it simply incredible that we as a human species spend more money in fine tuning how to kill one another in the most efficient manner. But can't take the time to feed, house, and educate our own people all across the nation. Yet we will be more than happy to send money, aid, take on immigrants from every corner of the world. But not even help our very own countrymen.

 

WTF is wrong with this picture?

 

But some guy named Marcus is so very sad his door was opened because he didn't even take 0.000000000000001 seconds to think!

Posted

Yup and there is a group of hackers out there that have hacked running vehicles on the highway and forced them off the road, in a test, 'cause the manufacturers think they can share one CPU between all the cars functions.

 

Keep you radio turned off and avoid cars with WiFi and CPU based smarts in them, Scott...ooops I meant Gary.:)

But now almost every car with remote unlock can be broken into with no evidence of breaking. Someone in Denver captured video of a group unlocking and stealing from several cars. The police had no clue until someone showed them how easy it was.

 

Best regards,

Gary Funk

Posted

But now almost every car with remote unlock can be broken into with no evidence of breaking. Someone in Denver captured video of a group unlocking and stealing from several cars. The police had no clue until someone showed them how easy it was.

Best regards,

Gary Funk

The one I just love is "rolling code security", except every dongle manufacturer knows the next code on the list, given the last one that was used two seconds ago.
Posted

The very fact so called smart people are all riding the same pathetic band wagon of self driving cars defies not only common sense but logic.

 

When that little old lady, child, dog gets run over by a self driving car I will be ready in the side lines to yell out I told you so. The best thing that could happen is a EMP right now to take out the stupid.

 

 

Because I am a contrarian and like to argue...

 

The question is not whether self-driving cars are absolutely safe.  The question is whether self-driving cars are safer than those being piloted by those same "so-called" smart people.  Tens-of-thousands are killed every year by automobile accident, and most of those are because of operator error.  Yes, at least one has already died while being transported in a tesla on auto-pilot, and that is sad news.  Yes, more will be killed some day by self-driving vehicles.  But, before that happens, how many thousands will be dying each year by human controlled vehicles?

 

My teken crystal ball says that we are not too far away from looking at history and being scared at the thought of a human-operated transport devices (drunk, distracted, tired, or otherwise incompetent). 

 

Interesting topic!

Posted

Because I am a contrarian and like to argue...

 

The question is not whether self-driving cars are absolutely safe.  The question is whether self-driving cars are safer than those being piloted by those same "so-called" smart people.  Tens-of-thousands are killed every year by automobile accident, and most of those are because of operator error.  Yes, at least one has already died while being transported in a tesla on auto-pilot, and that is sad news.  Yes, more will be killed some day by self-driving vehicles.  But, before that happens, how many thousands will be dying each year by human controlled vehicles?

 

My teken crystal ball says that we are not too far away from looking at history and being scared at the thought of a human-operated transport devices (drunk, distracted, tired, or otherwise incompetent). 

 

Interesting topic!

 

I have to concede everything you wrote up above is factually true. There are more deaths based on human error and poor judgement whether that be *Thinking* I am OK and only had a few to drink. To texting, blasting the radio where 15 blocks down the road you can see the windows move.

 

To those still painting their face at 6:30 AM because they figure its OK while going 60 MPH in a fast moving object surrounded by dozens of cars that nothing will happen.

 

What I take issue is the fact people like the Tesla guy was too stupid to be doing what?!?

 

Driving . . .

 

These people are the perfect example of why every hot beverage states *Hot liquids* etc. To the most asinine safety messages placed on plastic bags indicating *This is not a toy and can suffocate*.

 

Really?

 

If I place a bag over my head and succumb to oxygen deprivation that wasn't the expected outcome? Its because of these people there are so many *Nanny States / Provinces* in North America. We literally spend millions to billions a year to protect the stupid in this world when the reality is we should just let them die off.

 

Yes, very harsh - but true none the less . . .

 

In the Tesla case every possible alert notification upon activation was presented to the driver. Yet the (Driver) <-- Let me stress this portion *The Driver* is told in no uncertain terms this is a Alpha / Beta feature and *The Driver* must be fully aware and in control of said moving object.

 

Did this driver follow this simple yet important fact?

 

No . . .

 

Hence physics took over and made him a smear on the road.

 

At this juncture there is no infrastructure to allow dedicated autonomous driving vehicles anywhere in North America. This means no matter how many sensors are placed on a vehicle it can not compensate or take into account the human element or weather related conditions which are always ever changing.

 

If someday they say every AV will have its own dedicated road way and follow proven right of way transit. Yes, I could see this reducing the yearly deaths seen now. But that will never happen because the costs to install and deploy such infrastructure would break the back of any city.

 

My reply should not be mistaken as I am anti technology as many of you know (I / You) wouldn't be here if technology didn't interest me or that I love it. The problem is we have too many people lacking the rarest element in the multi-verse.

 

Common Sense . . .

 

Ultimately we shall see more of these articles and it will more than likely hobble the HA industry by over regulations and offering a lesser product. We see this now with so called *Cloud Power* cloud hosted services where every Tom, Dick, and Harry is too cheap to offer a real product that doesn't require a constant connection or tethered to the Internet because some genius thought it would be OK give you a empty box that literally does nothing!

 

Because all of the smarts are in the *Happy Cloud*!

 

This is right up there with Googles attempt to sell computers that have no operating system mimicking a thin client approach. I don't know how many kinds of stupid you have to be to buy into a computer that has nothing - and relies on a constant connection?

 

The only saving grace is the general market place simply said take a hike! 

Posted

 

At some point HA will be very common place but the sad reality is many industries not concerned or even knew about HA will start to take their pound of flesh. My *Teken* crystal ball will predict the insurance co's will be one of the first to take heed and abuse this current fad.

 

*You left a voice activated device freely available to open your home?* Well, no insurance coverage stupid!

 

*You crushed some kid / car with your voice controlled Echo, Dot, Tap, Siri, Cortana?* Well, guess what you're going to to jail for being stupid and being charged for malice intent and anything else we can think of.

 

*Your occupant just died because he wasn't actually driving?* Driving is a active process - You thought it was a good idea to let a computer have complete command and control of the vehicle when it ran over a dog, child, old lady?

 

 

Bingo.  I think you just nailed the "limiter" on this silliness - insurance companies.

 

A similar thing happened when that newfangled 'lectricy thingy started getting wired into houses.  People got electrocuted.  Houses burned.

 

And then, the insurance companies got together, and decided that they needed a way to ensure that wiring devices and appliances were safe, and thus was born UL (Underwriter's Labs).

 

Later on, other industries adopted similar concepts -- I believe that door locks and hardware are rated in various ways.  Clearly automobiles need to be tested externally as well.

 

So, my crystal ball says that what'll happen shortly after what Mr. Teken describes is that the HA industry will realize that they need to clean up their act and voluntarily create an independent certification agency/lab if they want to stay in business.  That is, unless UL does it first (they're already dabbling with cybersecurity certification for things like medical devices over at UL).

 

That'll solve a lot of problems -- a clear labeling system that tells the consumer in a product independent manner what risks the product brings with it, exactly how it is tested and certified to be used (and disclaimers if you use it otherwise), a clear consumer-useful indicator of how secure or non-secure the device and its protocols are, etc.

Posted

Bingo.  I think you just nailed the "limiter" on this silliness - insurance companies.

 

A similar thing happened when that newfangled 'lectricy thingy started getting wired into houses.  People got electrocuted.  Houses burned.

 

And then, the insurance companies got together, and decided that they needed a way to ensure that wiring devices and appliances were safe, and thus was born UL (Underwriter's Labs).

 

Later on, other industries adopted similar concepts -- I believe that door locks and hardware are rated in various ways.  Clearly automobiles need to be tested externally as well.

 

So, my crystal ball says that what'll happen shortly after what Mr. Teken describes is that the HA industry will realize that they need to clean up their act and voluntarily create an independent certification agency/lab if they want to stay in business.  That is, unless UL does it first (they're already dabbling with cybersecurity certification for things like medical devices over at UL).

 

That'll solve a lot of problems -- a clear labeling system that tells the consumer in a product independent manner what risks the product brings with it, exactly how it is tested and certified to be used (and disclaimers if you use it otherwise), a clear consumer-useful indicator of how secure or non-secure the device and its protocols are, etc.

 

All the writing in the world does not apply to those that don't think. The Tesla and this (Siri) user in the article is a perfect example of such. Everyone knows you shouldn't be under a car simply by using a hydrolic jack. Yet every year there are dozens of cases of people too stupid to follow common safety practices.

 

Jack stands were created for a reason . . .

 

A jack was created to lift a vehicle for said jack stand and even then the most simple and basic test must be applied. That is push on the vehicle at all four corners to ensure the safety lever is properly in place and does not unlatch. Many of us shade tree *Week End Warriors* even go so far as leaving the jack in place with the jack stands.

 

This assures there is a 0% chance of heavy object like a vehicle coming down and crushing you to death.

 

You simply can not protect people from themselves these days - never mind finding anyone who accepts responsibility for their actions. They will of course use their right to sue your aszz until eternity because that is a God given right these days!

Posted

At this juncture there is no infrastructure to allow dedicated autonomous driving vehicles anywhere in North America. This means no matter how many sensors are placed on a vehicle it can not compensate or take into account the human element or weather related conditions which are always every changing.

 

If someday they say every AV will have its own dedicated road way and follow proven right of way transit. Yes, I could see this reducing the yearly deaths seen now. But that will never happen because the costs to install and deploy such infrastructure would break the back of any city.

 

In my mind, there is SOME infrastructure in place.  We have GPS.  We have map and terrain data.  We have weather data.  We have road sensors already.  Cars, to some degree, can already sense road conditions and compensate, and in some cases, already do it better than a human.  I am amazed at how well autonomous vehicles perform with the existing infrastructure and am suddenly less confident that it will take a massive investment in additional infrastructure to make happen, or whether such investments we would be unwilling to make even if necessary. 

 

Perhaps baby steps?  How about autonomous driving on highways, and human-control in cities?  Is there not some place in-between that can work?  I sure hope so.

 

I believe we SHOULD try.  Imagine the same thought process 120 years ago: Cars will never work!  Someone might get struck by one and die!  We will never be willing to invest in roads and bridges to make cars a viable alternative! 

 

We will get there, of that I am confident.  That there is anyone that sees the total path towards that goal I am more doubtful.

Posted

ISY users will have the same issue if they use Alexa.

 

Short and to the point.

Best regards,

Gary Funk

Potentially.

 

Me? No. I have NOT assigned any spoken to any locks - and I have a spoken assigned to a program to secure locks, but no spoken on anything that can unlock locks. There is not a thing you can do to unlock via the Alexa integration in my house.

 

However, it's easy to miss this. I suspect many may be vulnerable to convenience winning the security/convenience compromise.

Posted

Potentially.

 

Me? No. I have NOT assigned any spoken to any locks - and I have a spoken assigned to a program to secure locks, but no spoken on anything that can unlock locks. There is not a thing you can do to unlock via the Alexa integration in my house.

 

However, it's easy to miss this. I suspect many may be vulnerable to convenience winning the security/convenience compromise.

My point is "any spoken word" that runs a scene or program or lock to unlock it is dangerous.

 

Short and to the point.

Best regards,

Gary Funk

Posted

In my mind, there is SOME infrastructure in place.  We have GPS.  We have map and terrain data.  We have weather data.  We have road sensors already.  Cars, to some degree, can already sense road conditions and compensate, and in some cases, already do it better than a human.  I am amazed at how well autonomous vehicles perform with the existing infrastructure and am suddenly less confident that it will take a massive investment in additional infrastructure to make happen, or whether such investments we would be unwilling to make even if necessary. 

 

Perhaps baby steps?  How about autonomous driving on highways, and human-control in cities?  Is there not some place in-between that can work?  I sure hope so.

 

I believe we SHOULD try.  Imagine the same thought process 120 years ago: Cars will never work!  Someone might get struck by one and die!  We will never be willing to invest in roads and bridges to make cars a viable alternative! 

 

We will get there, of that I am confident.  That there is anyone that sees the total path towards that goal I am more doubtful.

 

I preface my reply by saying in all of these years I have really enjoyed your views and counter arguments. I always find them sound in reason and logic and unlike me you try to be more tactful!

 

Ha . . .

 

Now, like you said everything has to start from somewhere and baby steps are key. Again, I have no issues with AV's just the fact like anything it will be abused and ruin it for the rest. I can tell you with 100% certainty Elon Musk was beside himself when he found out that Tesla driver became a smear on the ground.

 

It not only set his company back but open him to needless litigation.

 

As you clearly stated vehicles have added many safety elements to ensure *Human* is safe. But then again all of these increased measures from air bags, anti lock brakes, crumple zones, object detection, GPS, remote assist, haven't protected the millions from dieing either.

 

The first time a truly AV is made and deployed you will quickly find some moron with his GF in the back seat doing what ever. We shall later find out said couple is found dead because instead of *Driving* they were pretending to be passengers. You want to be a passenger call a taxi, limo, uber, what ever.

 

In just a blink of an eye something that all of us have dreamed about will now be hobbled and just a short page of history. The reality is if anyone is so sure about AV technology no matter how forward thinking and safe. Let there be one mother strap in their new born into the back seat and say good bye.

 

The odds of that happening is right up there with Elvis coming back or finding out why the President Kennedy was killed. 

Posted

My *Teken* crystal ball will predict the insurance co's will be one of the first to take heed and abuse this current fad.

 

They already have. Some insurance companies offer a reduced rate if you allow them to install a device in your car that monitors your driving.

Posted

True, but given most vehicles now include a *Black Box* to determine the last XXX minutes / hours of rate of speed during a crash. Most of this isn't required to because the PCM / ECM / BCM record all aspects of the vehicles travel. This of course is only used during a fatal mishap and what you speak of is a active participation in linking into the vehicles OB system with GPS data acquisition.

 

I am sure a few see value in this but - personally I don't want anyone watching over my shoulder. We all have enough of this by Government of the *Five Eyes* and the ever nosy hackers. 

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...