
Ok so let's pretend I have 10 LED smartbulbs in my house (future state, most people have less than 10). Let's say their mean time to failure is six months (I think this is significantly lowballed). That means there will be 1 lightbulb in the trash on average every two to three weeks. This number is highly unrealistic but whatever.

So you are going to have to dig through my trash (assuming curbside (it isn't)) two to three times to find a bulb.

My door lock is easier to compromise. Just walk in and walk out with my server.

Fact of the matter is, if you are the target of someone, there are better ways... and if this is just an opportunistic guy that got some lightbulbs off the back of an e-cycler truck and one of them happens to be mine. He can have whatever he can find on my network.

TL;DR: The lock on your front door is easier to exploit, and the lock on your back door is probably even worse.




If someone gets into your house to steal your lightbulb and cut it open, you probably have bigger problems than your wifi password being stolen.

No house-breaking is necessary. I could just go and buy a super fancy smart bulb and give it to you. You don't need your old insecure smart bulb any more so you put it in the bin. I take it from your bin. Now I have access to your network.

Your tech-savvy neighbour is the threat 99.99% of people should worry about, not a nation-state funded intelligence agency.


But then what? Somebody still has to take the risk of actually burgling your house, getting past the dog, alarm systems, lights, neighbors, etc.

And if they're going to do that, it's quite likely easier to pop a window lock than it is to buy a darknet database of API keys.


It boils down to assessing the threat level and the risk level.

Threat: Hacker owning vendor and selling info on darknet. Threat likelihood: 1%

Risk: All valuables being stolen. Risk value: High if you keep a few kilograms of gold in your home. But basically depends on your possessions.

When we were burgled while sleeping a few years back the perp entered through a window. It was the last window not switched to a new, more secure one. It took him around 15 seconds to enter. He left with the DSLR, a TV, clothes, a few valuables lying around and my SO's purse. Additionally, because traditionally her car keys were by the door on ground level he could grab them and put everything into her car and leave.

Nowadays our purses and keys never stay downstairs when we go to sleep.

I think the risk profile for traditional break ins is way higher than the risk from a smart lock (not that we have any).


Every time a person gains physical access, the worst-case scenario is that it's someone skilled at such things. The reality is that the number of people with such skills is rather small when compared to the general population. What are the chances that someone with momentary access will be an ultra-skilled black hat?

Do you not lock your house at all because the worst-case scenario is that the burglar is a master lock-picker (and you can't afford the ultra-expensive takes-30-minutes-and-powertools-to-break locks)?

Using the worst-case scenario to guide all of your decisions makes more sense when the threat/attack is coming from the Internet, where the likelihood of the attacker being skilled significantly increases.


"You only need a lock that looks better than your neighbours".

If you take your average thief, they will walk past your house and if it looks like it's worth breaking in they will do this, or go to the next house that looks easier or more promising. They won't even notice your custom smart lock solution and think it might be hackable (unless it's a common brand with a generic exploit available, think of script-kiddie hacking skill requirement). They will go for the easiest thing, like an open window, or break a small window to open the door from the inside.

Now if you have a dedicated thief that wants to rob you specifically, they might want to invest into hacking your lock. But only if the rest of your house is already a fortress, or covertness is really key. But if they really want something they might just take an axe to your door and threaten you to open your vault.


True. It might be because the research has not involved empirical tests of any such practical information, as far as I could tell from the article.

My vague takeaway is that burglars rely on patterns of typical household layouts and homeowner behaviors so that they can do their work, as it were, at a higher level of abstraction than an amateur can. Anything that you can do to frustrate their assumptions of typicality, then, might lower their efficiency or discourage them from attempting a burglary in the first place. Perhaps some clever applications of home automation tech could be employed. Or if you're fortunate enough to keep an inconsistent schedule, that too could help.


> Unless you have a door specifically designed to withstand burglary a crowbar will always be an easier door hack than figuring out a backdoor to your automation.

If your home is targeted specifically, yes. However, if a group hacks a cloud lock provider and then hits several homes using that without having to do something that looks suspicious like physically breaking the door then it could be a lot safer and thus profitable for them.


Then you have to worry about alarms [1], dogs, making sure no one is home, and observant neighbors. His proposal has the victim handing you their goods. Is the reduced risk on that end worth the increased trail you might leave setting it up his way? It's an interesting question.

[1] Even non-expensive houses often have monitored alarms now. I'm about to get one, even though I have absolutely no security need for one, because Comcast will lower my net bill by $50/month, with a two year price lock, if I add their home security package.


My house is insecure. There's no alarm, so anyone could just smash a window and steal my TV. But replacing my TV costs a lot less than an alarm system, and the risk of being caught for theft is greater than the TV's value.

My landlord sent a handyman in while I was on vacation once, and the handyman didn't close the front door all the way (or try to lock it). My door was open for 3 days, visible from the street, and I don't live in the nice side of town. No one stole the TV, but my electric bill was high that month.

A MITM attack on a static site is definitely possible, maybe even easy, but I'm not going to worry about it unless I have something important to protect.


But a malicious person in Guatemala would have to first fly to wherever you live, then throw a brick individually through each window they wanted to break. With smart locks, that same individual can throw tens of thousands of bricks through tens of thousands of windows without even leaving their desk.

It entirely depends on the thing. If someone hacks my light switch all they can do is turn the light off and on while revealing to me I have a problem I have to fix. Anyone can call my home phone number and turn on my car plug for 4 hours. All they will do is waste a small amount of electricity. If they want to disable my alarm and open my door, well that will be a lot harder, particularly if they want to try to do it remotely.

If there is anything that can, say, let someone remotely cause a fire then the problem isn't security. The problem is that you have something under software control that can cause a fire. Chances are that regular faults will burn down the house much more often than "hackers" will. Note that such faults can be caused by things like lightning hitting the power lines somewhere in your city. They don't have to be actual bugs.

Of course the "internet of things" is kind of a joke right now. What with the lack of any sort of standardization it is unlikely that the owner will be able to usefully control things much less some remote attacker.


And so they what, rob a few houses which statistically probably won't be yours before their hack gets discovered? Sounds like way more effort than just breaking the door or picking the lock.

The analogy is fine.

Walk into a well stocked military surplus store and you can walk out with all the tools you need to break into a house in short order, and trust me it doesn't take long to learn how to use them well enough.

The point is that once someone is determined enough to get into either your home or network, it doesn't take much to reach a stage where the owner has to go to great lengths to resist a very unlikely occurring, but very likely successful, attack.


No, it's more like that if I leave the front door open, it would still be more secure if the driveway was lighted up so that any inappropriate visitors would be visible.

[Analogies may be terrible, but lack of encryption is an additional factor making attacks even easier, particularly for the purpose of discovering the attack vectors.]


To OP, glaucon makes a good point. The "fight" can be done by informing neighbors of the issues with this dumb solution, e.g. a company tracking your comings and goings, and how secure are their servers, what if an evil bigcorp buys them, etc...

One benefit would be less need to change locks when someone loses a key, but since OP says they already use keyfobs, that's not a new benefit.


Denial of service attack potential is nice as well: pay $x or we won't unlock your door. As long as $x is somewhat lower than what it would cost to replace the lock or fix the damage to the door you might have a buyer.

> I can't see it being too long before a device capable of spamming deauth packets becomes a common part of the burglar's toolset.

How many break ins are professional thieves with any kind of toolkit vs drug addicts and kids who just smash a window with whatever they find or take advantage of opportunities like an unlocked car or a package left outside? I'm guessing that the vast majority aren't bringing tech, lockpicks or even masks.


Why is a WiFi lock so bad? It opens you up more, but the number of people who can hack even the most insecure example is vastly smaller than the number of people who can kick down a door or break a window. Household locks are almost always just about deterring casual criminals, and internet vulnerabilities don’t move the needle much on that.

Why would anyone possibly care that someone knows what the state of their lights are from far away? We care because of something that happens locally; burglary.

>I'm sure there are subtle and clever ways to abuse these devices that are still unknown.

The security of residences is fairly well understood at this point. The attacks have been occurring for centuries. My point is that we can't treat this as an IT problem. We have to take the old cultural knowledge into account as well.