The Internet of Things (IoT) has become infamous for providing us, in a worrying number of cases, with three outcomes:
- Connected products that we didn’t know we needed.
- Connected products that we purchased anyway.
- Connected products that ended up disconnected in a cupboard.
To be fair, not all IoT products fall into all, some or even any of these categories, but there are many that have made it into at least one.
There was the home video camera with a “unique identifier” that wasn’t unique, leaving one couple from Australia who thought they both had access to view their own living room, but suddenly found that each of them was inadvertently spying on a different third party.
There was the surveillance system that showed an unwitting homeowner in England the outside of an unknown pub, which he eventually tracked down with the help of search engines and visited to enjoy a fortifying pint of ale.
At the pub, he took a selfie on his own phone of himself enjoying his drink… using the pub’s camera. (He showed the pic to the landlord, who shared both his amusement and his concern.)
And there was the $99 smart bike padlock – no more combinations to remember! no more fussing with keys in cold hands! – that allowed you to open your own lock with the official app (or with your fingerprint) in 0.8 seconds, or to open anyone’s lock with an unofficial app in just 2 seconds.
No hacksaw required
The padlock hackers (no literal hacking or hacksaws required) in the why-did-they-even-bother-to-call-it-a-lock story above were from well-known UK penetration testing outfit PTP, short for Pen Test Partners.
And when researchers at PTP come across a connected product that they didn’t know they needed…
…they immediately know they need it!
Why drag your carry-on luggage behind you when you can simply strap on a Bluetooth wristband and let the luggage follow you through the airport, steering its way around obstacles (and, one hopes, other passengers, with or without their own self-driving luggage), thus saving you the hassle of dragging round all the extra weight that the suitcase needs, in the form of batteries and motors, to drag itself around for you?
Well, PTP quickly found out one reason why they might not trust the SR5 in a busy airport, namely that it wasn’t very accurate.
While it made vaguely confident progress, it didn’t hold its course very well, weaving off line and bumping into things in the fashion of a traveller who has spent far too long at the airside bar.
But it was a design flaw that worried PTP the most, namely that the SR5 allows itself to be paired with two different devices at the same time – an unusual and actually pretty cool Bluetooth achievement, as the researchers admitted – with inadequate security controls over the pairing process.
Once you’ve paired your SR5 with its supplied wristband so it will follow you around autonomously, you don’t really need (and might never bother) to use its other feature: letting you drive it around the airport concourse like an RC car, in a worryingly zippy fashion, using an app on your phone.
But if you don’t get around to installing the app and pairing it with your own suitcase…
….then anyone else can pair with it instead, even if you’ve instructed it to follow behind you.
By following your suitcase as it follows you, a suitacasejacker could pair their phone with your luggage and simply drive it off, without ever laying a hand on it, thanks to a hardwired pairing code.
See if you can guess the “secret” PIN.
Did you figure it out?
Yes, that’s right, it’s:
(We guessed at
78482273, on the grounds that it spells
1 on a phone keypad doesn’t correspond to any letters at all.)
PTP also discovered that the suitcase firmware doesn’t seem to be digitally signed, which could allow rogue firmware updates (tracking beacons, anyone?), and that the company hasn’t yet managed to get its app into Google’s Play Store, forcing you to sideload it instead.
What to do?
- If you can’t resist this self-driving suitcase, make sure you pair it with your own phone as well as with your wristband, so that fellow airport travellers can’t trivially hijack it. (You can assume, at least for now, that chaperoning a vaguely autonomous digital suitase round a modern airport is certain to draw attention to the suitcase, it not to you.)
- If you’re a programmer, don’t use hardwired passwords. In fact, don’t enable remote pairing by default, either, to prevent unauthorised surprises. As PTP points out, picking a random password and putting a printout inside the suitcase before delivery would be a simple place to start. Home router vendors do this with their wireless access points these days, and it has largely eliminated the problem of default Wi-Fi credentials.
- If you’re relying on an official Android app, do your best to get it into the Play Store first. Google Play is far from perfect at keeping malware out, but being unable to make the grade in the first place is not a good look for your product, and won’t encourage your customers to install it. Ironically, in this case (see what we did there?), you can’t secure your luggage against rogue pairing attempts without installing the unvetted app first.
We couldn’t resist emedding the PTP video, showing the self-driving, remotely commandeerable suitcase in its surprisingly brisk drive-me-around mode: