
Welcome! Smart Lock and even larger issues with IoT plus more on Tech Talk with Craig Peterson on WGAN

Craig Peterson - America's Leading Security Coach

Release Date: 09/26/2020


Welcome!

Craig discusses problems with some of the smart lock technology and an even larger issue surrounding IoT devices in general. 

For more tech tips, news, and updates visit - CraigPeterson.com

---

Read More:

Patch Tuesday (September 2020): Microsoft Addresses 129 Vulnerabilities

Ransomware accounted for 41% of all cyber insurance claims in H1 2020

A bevy of new features make iOS 14 the most secure mobile OS ever

Don't Fall for It! Defending Against Deepfakes

Patient dies after a ransomware attack reroutes her to a remote hospital

Lock your doors, people: Verizon breach on unsecured AWS server exposes 14M customer records

Time for CEOs to Stop Enabling China's Blatant IP Theft

Newly Patched Amazon Alexa Flaws -- A Red Flag for Home Workers


---

Automated Machine-Generated Transcript:

Craig Peterson: [00:00:00] Hey, welcome back everybody. If you have smart locks or you think maybe smart locks are the way to go, we've got a little bit of news for you. Some research had just come out about these smart locks in our homes and offices. Turns out they're just too smart for their own britches.

Craig Peterson here. Thanks for joining me online. And of course, WGAN, where we air every Saturday from one till three; you can always join us there. I'd love for you to tune in. And of course, we're also on, yeah, you guessed it, TuneIn, as well as pretty much any other podcast app out there.

Now, let's get a little bit into this whole smart lock thing. We've been talking a fair amount about the whole problem with IoT on the show. If you missed some of the earlier stuff, I think it's important to go back to it, particularly if you are a business person or you're working from home and VPNing into a business.

I covered quite a bit of that stuff just today, in fact, but you can always find it out on my website at craigpeterson.com for a review. What we're going to talk about right now isn't like the Alexa or the Google Home. Although in both cases they do have smart locks and tie into them. Oh, it's just so convenient to tell Alexa to turn on the chicken coop lights or turn them off or open the front door, et cetera.

There are also other types of locks that I think are really cool, where it's a proximity lock. It uses your Bluetooth phone ID. That ID is typically something that is merely a, or basically like a, MAC address there on your Bluetooth device.

There are other ones that are being built into cars, including Teslas and now BMWs, that use an app on your phone in order to unlock the door. Cool all the way around.

But behind all of these is some technology that is not only unproven, but according to Grand View Research, this is still a bit of a problem. We're looking at a global smart lock market valued at $1.2 billion. Last year over 7 million devices sold last year and they are expecting this market to grow pretty dramatically over the next five to 10 years. But there are two recently published reports about smart lock vulnerabilities that are very concerning.

This is another article out of Dark Reading, our friends over there. First of all, the U-tec UltraLoq. Now, they have hit the news before. This is a smart lock project. It began as an Indiegogo campaign. If you're not familiar with them, it's where people get to invest in a project. If the project comes to fruition, they go ahead and they get one of the products. That's usually how those types of things work. It's a way for people to invest a couple of bucks on something that they really believe in.

So this guy came up with this UltraLoq and the idea, and the group put it together and they put it up on Indiegogo to try and raise some money to build these new types of smart locks that they had.

Tripwire, which is a security research company among other things, said that they came across this flaw late last year. The researcher's name is Craig Young. And he was looking into this, the protocol that's being used by a lot of these smart devices. It's called MQTT, which is Message Queuing Telemetry Transport.

You can think of it as an SNMP, if you are a little bit more techie, which is the Simple Network Management Protocol, but lighter weight, because the Internet of Things devices just don't have enough memory and CPU and everything else to run big operating systems. Now I have a problem with that.

The manufacturers are saying, we've got to go with this lightweight protocol, man. We're just a door lock. How can you expect us to do anything more? It turns out that a lot of these companies are not using authentication that's verifiable. They are not using encryption and they're not using any sort of real authorization scheme.

So what's happened here is he has proven that pretty much any unauthorized user that can see one of these messages in transit and get access to that broker can easily guess the names that are used, the topic names. Now in SNMP, you have the MIBs. There are security parameters that you can use, but in this case, all you have to do, if you can get access to that, the broker, is use the pound sign and the topic name, and now all of a sudden you're obtaining all of the data that's going through that data broker.

This is a very big problem. So he looked at several pages of these protocol topic names, and he kept finding references to lock and free email providers, like gmail.com, that some of these companies are using, if you can believe that.

So he said, I queried the server myself with Linux command-line tools, and I was instantly inundated with personally identifiable information, apparently from all over the world. He said that it included email addresses, IP addresses associated with the logs, timestamp records of when and where they opened and closed, all of it.

Now there is thinking out there that really this protocol can be perfectly safe. But the problem again is these companies that are making them are not hiring professional programmers that understand the risks, because it could have been secured. They should be using access controls. They should be using authentication. They should be using encryption. In this case with U-tec, it used none of those things. None of them. So again, don't just blame it on China, although they certainly take shortcuts. Most of these companies here in the US are taking shortcuts too.

We don't have any real programmers coming out of schools now. It's all drag and drop. Yeah. Yeah. You just drag this Visual Basic, Visual C-sharp thing, whatever it might be. There's this Java module and magic happens. Without them knowing what's really going on behind the scenes. There's another one too, about the August smart lock. This is out of Bitdefender. Now, Bitdefender has software that I recommend a lot of people use.

It is not a panacea. It is not the ultimate. But Bitdefender, particularly their paid version, usually does help with your security. So a little tip there for those of us on either a Mac or a Windows computer. Check out Bitdefender, you might want to use it, not as good again as the commercial stuff, the real stuff for real businesses.

But they said, yes, they documented in detail a vulnerability that Bitdefender had found with the August smart lock, also late last year, and the Bitdefender guys were working with PCMag and they were evaluating smart device security. So Bitdefender is saying that their team did discover that while this August smart lock could communicate with the smartphone over an encrypted channel, the encryption key itself is hardcoded into the app.

So it allows an attacker within range to eavesdrop and intercept the Wi-Fi password. It's really that simple. So there you go. There's an example of a smartphone using Wi-Fi to talk to the lock, and yeah, yeah, we're encrypted.

So again, it goes back to pencil whipping forms. Is your smart lock encrypted? Oh yeah, we are encrypted. And then that's where the conversation ends. In the audit check, the purchasing manager just checks it there on the form. It's almost completely useless when it's programmed this way. Almost completely useless. So again, this is obviously specific to this device, and when the device is being set up, a real vulnerability. But you know what, you could, if you want them to install another one of those devices, all you have to do is install a little monitor, hide it there in the bushes or something, and burn out the lock that's there or smash it or whatever you want to do so that it has to be replaced, and when the guy replaces it, ta-da, you have access to it. It's obviously not that difficult.

Now, someone overseas isn't going to be able to get at it. But someone that is really determined to get into your house could get into it pretty easily. It reminds me of a lot of these door lock systems that are still used in cars today that can be replicated.

You just sit there in the parking lot at a shopping mall and you have a receiver that's listening for that little click on the remote control, right, and the car goes, beep, yeah, I'm locked.

Many of those, in fact, almost all of the older ones, can then be duplicated, so that all the guy has to do is, okay, great, he just locked up that older BMW. It's only worth $30,000 today, but you know, what the heck? And he can replicate it and get that car to unlock itself.

So we have to be a lot more careful with this stuff. Absolutely, a lot more careful. I am very upset with the vendors that do this sort of thing. They are fooling people. They are scamming people by, again, pencil whipping forms. That poor guy/gal who's working in purchasing, who bought it, who had no idea that the checkbox was checked, is now in trouble because that device was hacked.

That's just an example of two obvious problems with smart locks. It's a really sad fact of life that many companies don't have real security people who can look into this and look into it a little bit more.

All right. When we come back, we got more, we're going to talk about facial recognition and what the cops are doing right now with not just protesters, obviously, but rioters and how they're using it to arrest people.

You're listening to Craig Peterson here on WGAN, and of course, I am on every Wednesday morning at 7:30 with Matt Gagnon.

Stick around. We'll be right back.

---

More stories and tech updates at:

www.craigpeterson.com

Don't miss an episode from Craig. Subscribe and give us a rating:

www.craigpeterson.com/itunes

Follow me on Twitter for the latest in tech at:

www.twitter.com/craigpeterson

For questions, call or text:

855-385-5553