IoT devices and applications exist all over the place, and in high volume. Today’s news brought yet another example of how the scale of IoT systems leads to the conclusion that their security is deeply dependent on automation. Security researchers announced a hotel keycard hacking technique called “Unsafelok” which enables over 3 million doors worldwide to be opened by anyone. This hack was specifically for Dormakaba’s Safelok RFID card access systems which are used in over 13,000 properties in 131 countries. Yikes!
Making the exploit possible is that both the application (the software that programs the keycards and maintains connection to the door locks) and the devices (key cards and lock mechanisms) operate in a unique way. Looked at individually, both the application and devices are secure. But as researcher did, if you look at the combined system of application and devices you can then see that path to breaching IoT security and giving a malicious hacker the ability to open any door within that system.
Key to this vulnerability is the combination of both IoT devices and the application that controls and manages them. This is really the core of IoT security; IoT applications control and manage IoT devices in a tightly-coupled manner, and vulnerabilities can exist on both sides of that coupling. In some cases, such as with Unsafelok, the vulnerability can only be exploited through a combination of application and device operations.
This is why in addition to traditional IT security measures there needs to IoT-specific security solutions in order to stop threats such as Unsafelok. Viakoo believes that to address IoT security there needs to be a highly accurate and automated method to establish a “dictionary” of IoT devices, ports, and applications in order to have the context and information to find and remediate such threats quickly. Accuracy is especially important when it comes to defining those tightly-coupled relationships; inaccurate data causes a “garbage-in, garbage-out” problem where the real threats might be ignored while false threats are being chased. The data accuracy needed requires a direct query of the IoT system to gain this information because other methods like network-based discovery are based on inference and guesswork.
Concerned about this latest example of how insecure IoT applications and devices can be? Using deadbolts and in-room safes when staying at a hotel using this access control system can help with the immediate issue presented here. But the bigger issue of IoT security in the enterprise is where you should take action now to reduce your attack surface and organizational risk. A good starting point is taking to one of Viakoo’s IoT security experts; click here to sign up for 30 minute Zoom call. Already have an IoT security strategy in place but not happy with the results? You’re in good company, as our recent survey found that while almost every company has an IoT security plan, more that 65% are not being successful with it (and 50% believe IoT security is the weakest part of their overall security). Download a copy of our recent survey here; it can give you a sense of where your tech stack, governance, or other aspects of security can be improved.