The McAfee Advanced Threat Research (ATR) team recently uncovered a security flaw in a popular connected garage door opener and a security design issue in an NFC (meaning near field communication, which is a technology that allows devices to communicate with each other) smart ring used to unlock doors. As we head into CES 2020, the global stage where innovators showcase the next generation of consumer technologies, let’s take a look at these new security flaws and discover how users can connect securely and with confidence.
Review Chamberlain IoT device
The McAfee ATR team recently investigated the Chamberlain MyQ Hub, a “universal” garage door automation platform. The Hub acts as a new garage door opener, similar to the one that you would have in your car. However, the McAfee ATR team discovered an inherent flaw in the way the MyQ Hub communicates over radio frequency signals. It turns out that hackers can “jam” the radio frequency signals while the garage is being remotely closed. How? By jamming or blocking the code signal from ever making it to the Hub receiver, the remote sensor will never respond with the closed signal. This delivers an error message to the user, prompting them to attempt to close the door again through the app, which actually causes the garage door to open.
How can the Chamberlain IoT device be hacked?
Let’s break it down:
- Many users enjoy using the MyQ Hub for the convenience of package delivery, ensuring that their packages are safe from porch pirates and placed directly in the garage by the carrier=.
- However, an attacker could wait for a package delivery using the connected garage door opener. The hacker could then jam the MyQ signal once the carrier opens the door and prompt an error message for the user. If and when the user attempts to close the door, the door will open and grant the attacker access to the home.
- An attacker could also wait and see when a homeowner physically leaves the premises to jam the MyQ signal and prompt the error message. This would potentially allow further access into the home.
Review McLear NFC Ring IoT device
The McAfee ATR team also discovered an insecure design with the McLear NFC Ring, a household access control device that can be used to interact with NFC-enabled door locks. Once the NFC Ring has been paired with an NFC-enabled door lock, the user can access their house by simply placing the NFC Ring within the NFC range of the door lock instead of using a traditional house key. However, due to an insecure design, hackers could easily clone the ring and gain access to a user’s home.
How can the McLear NFC Ring be hacked?
- First, the attacker can do some basic research on the victim, such as finding a social media post about how excited they are to use their new McLear NFC Ring.
- Now, say the attacker locates the victim in a public setting and asks them to take a picture of them on the attacker’s phone. The attacker’s phone, equipped with an app to read NFC tags, can record the relevant information without giving any signs of foul play.
- The McLear NFC Ring is now compromised, and the information can be programmed on a standard writable card, which can be used to unlock smart home locks that partner with the product.
How to keep your IoT devices safe from hacking
In the era of IoT devices, the balance between cybersecurity and convenience is an important factor to get right. According to Steve Povolny, head of McAfee Advanced Threat Research, “the numerous benefits technology enhancements bring us are exciting and often highly valuable; but many people are unaware of the lengths hackers will go and the many ways new features can impact the security of a system.” To help safeguard your security while still enjoying the benefits of your connected devices, check out the following tips:
- Practice proper online security habits. Fortunately, users have many tools at their disposal, even when cybersecurity concerns do manifest. Implement a strong password policy, put IoT devices on their own, separate network, utilize dual-factor authentication when possible, minimize redundant systems, and patch quickly when issues are found.
- Do your research. Before purchasing a new IoT device, take the time to look into its security features. Users should ensure they are aware of the security risks associated with IoT products available on the market.