Smart locks promise the security of a traditional lock without the need to carry around a key. Most can be unlocked with a mobile app or an RFID-equipped card you can store in your wallet. Unfortunately, they’re also pretty easy to hack open. The office of New York’s attorney general, Eric T. Schneiderman, announced a settlement today with one such smart lock manufacturer. Utah-based Safetech Products has agreed to encrypt all of its smart lock passwords, electronic keys and other credentials within its locks, prompt users to change the default password upon initial setup and establish a more comprehensive security program. Safetech makes both padlocks and door locks, each available on Amazon. According to the New York AG’s office, independent security researchers found that the company’s locks did not secure passwords or other security information in its locks, which left customers open to hacking and theft. “Companies employing new technologies must implement and promote good security practices and ensure that their products are secure, including through the use of encryption, ” Schneiderman said in a statement. “Together, with the help of companies like Safetech, we can safeguard against breaches and illegal intrusions on our private data.” While this may be the first time an attorney general has taken legal action against a smart lock company like this, it won’t likely be the last. Kwikset was sued recently for its Smart key lock’s alleged culpability in the rape and murder of a young woman in Florida by the building security guard. While not a true smart lock, the lock in question has a programmable cylinder that can be made to work with any key, which can be used to give temporary access to anyone. It’s also easily broken into with a screwdriver and a paper clip. As we all turn to smart devices and the Internet of Things in our lives, it becomes even more important to make sure we’re being protected from both hackers and ourselves. The settlement with Safetech could be the first big step towards companies building better security into their smart devices. The devices in our homes are increasingly connected to the internet—posing new privacy & security risks to consumers. We’re taking action. — Eric Schneiderman (@AGSchneiderman) May 23, 2017 Source: New York Attorney General’s office
Link:
New York forces smart lock maker to improve its security
An anonymous reader writes: Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. Named EternalRocks, the worm seems to be in a phase where it is infecting victims and building its botnet, but not delivering any malware payload. EternalRocks is far more complex than WannaCry’s SMB worm. For starters, it uses a delayed installation process that waits 24 hours before completing the install, as a way to evade sandbox environments. Further, the worm also uses the exact same filenames as WannaCry in an attempt to fool researchers of its true origin, a reason why the worm has evaded researchers almost all week, despite the attention WannaCry payloads have received. Last but not least, the worm does not have a killswitch domain, which means the worm can’t be stopped unless its author desires so. Because of the way it was designed, it is trivial for the worm’s owner to deliver any type of malware to any of the infected computers. Unfortunately, because of the way he used the DOUBLEPULSAR implant, one of the seven NSA hacking tools, other attackers can hijack its botnet and deliver their own malware as well. IOCs are available in a GitHub repo. Ars Technica quotes security researchers who say “there are at least three different groups that have been leveraging the NSA exploit to infect enterprise networks since late April… These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch.” Read more of this story at Slashdot. 